Getting a Token
1. User Token
2. Community Token
3. Service Token
4. More Info

To run most API methods you need to pass an access_token, a special access key. A token is a string of digits and Latin characters and may refer to a user, a community or the application itself.

VK uses the open OAuth 2.0 protocol to issue tokens. Users do not send their login and password, so accounts cannot be compromised.

There are three supported ways to receive an OAuth 2.0 token:

1. Implicit flow, the shortest and easiest way. A token is returned to the device where the authentication dialog was opened (as an additional URL parameter). It can be used only for requests sent directly from users' devices (for example, calls from JavaScript on a website or from a mobile app).

2. Authorization code flow, a two-stage method with additional app server authentication. A token is sent directly to a server and can be used for automated requests, for example from PHP.

3. Client credentials flow, authentication by the application's secret key. This flow is only used to access special secure methods.
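
The implicit flow described above hands the token to the client as a URL parameter, in the URL fragment, so client code should validate the redirect and then remove the token from the address bar. This is an added example, not VK's own code: the parameter names follow VK's implicit-flow redirect, while the `state` round-trip, the function names and the sample URL are assumptions made for illustration.

```javascript
// Added example, not VK's code. Assumed names: parseImplicitRedirect, scrubFragment,
// expectedState (a random value the page generated before opening the dialog).
function parseImplicitRedirect(redirectUrl, expectedState, nowMs = Date.now()) {
  const url = new URL(redirectUrl);
  const frag = new URLSearchParams(url.hash.replace(/^#/, ''));

  // A denied or failed dialog reports an error instead of a token.
  const error = frag.get('error') || url.searchParams.get('error');
  if (error) {
    const desc = frag.get('error_description') || url.searchParams.get('error_description') || '';
    throw new Error(`authorization failed: ${error} ${desc}`.trim());
  }

  // Only accept a response that carries the state value we issued.
  if (!expectedState || frag.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }

  // The page describes a token as digits and Latin characters; the separators
  // ". _ -" are also allowed here as an assumption.
  const token = frag.get('access_token');
  if (!token || !/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new Error('missing or malformed access_token');
  }

  const rawExpiry = frag.get('expires_in') || '';
  if (!/^\d+$/.test(rawExpiry)) throw new Error('missing or malformed expires_in');
  const expiresIn = Number(rawExpiry);

  return {
    token,
    userId: frag.get('user_id'),
    // Assumption: expires_in=0 means the token does not expire.
    expiresAt: expiresIn > 0 ? nowMs + expiresIn * 1000 : null,
  };
}

// Remove the fragment so the token does not stay in the address bar or history.
// `win` is the browser window object (or a stand-in with the same shape).
function scrubFragment(win) {
  win.history.replaceState(null, '', win.location.pathname + win.location.search);
}

// Constructed sample redirect; the token value is made up.
const SAMPLE_REDIRECT =
  'https://app.example/callback#access_token=abc123DEF&expires_in=86400&user_id=42&state=s1';
```

In a browser, call `parseImplicitRedirect(window.location.href, savedState)` first and `scrubFragment(window)` immediately afterwards, keeping the token in memory rather than in the URL.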
1. User Token
A user token is required to run almost all API methods except those in the secure section. Some methods, such as users.get, can be called without a token, but some data may be unavailable because it matters who exactly is requesting it.

A token is a kind of user signature in the application. It tells the server which user is sending requests and which permissions they granted to the app.

To get a user token use one of these ways:
  • Implicit flow to run methods on behalf of a user in JavaScript apps and standalone clients (mobile or desktop).
  • Authorization code flow to run methods on behalf of a user from the server side on a website.
2. Community Token
A community token allows working with the API on behalf of a group, event or public page. It can be used to answer community messages.

Methods that have a special mark in the list can be called with a community token.

There are three methods to get it:
  • Implicit flow. To run methods on behalf of a community in JavaScript apps and standalone clients (desktop or mobile).
  • Authorization code flow. To work with the API on behalf of a community from a website server.
  • At the community management page. Just open the "Manage community" tab, go to the "API usage" tab and click "Create token".
3. Service Token
Please read about the planned changes to the service access token.


A service token is used for requests that do not require any user or community authorization. These include methods such as secure.sendNotification, which sends notifications from the app, and secure.addAppEvent, which adds achievements info, and, starting from April 2017, open methods such as users.get.

You can obtain a service access token in your application settings. The token is not bound to an IP address and does not have an expiration date. If the token has been compromised, you can generate a new one. The previous token will be revoked.

The service token identifies your app. All requests to the API made with your token will be considered to have come from your app. The service token may only be used from the server side of the app. It must not be passed to or stored on the client side of the app.

An obsolete scheme for getting a service token can be found here: Client credentials flow.
4. More Info
  • If you develop an iOS, Android or Windows Phone app, we recommend using our mobile SDK, which allows authentication through an official client installed on users' devices.
  • If your app is a Flash or IFrame app, there is no need to implement OAuth manually; the token is sent to the app on startup: https://vk.com/dev/apps_init.
  • For external sites there is an authorization widget, a ready-made solution for the Implicit flow on a web service.