In some cases, that is by actually encoding the values into the token itself if your access token is, for example, a JWT, or it might be something that is just stored or cached in some database associated with your random string token. The important thing is as far as the application is concerned, the application does not care what the token means. It just knows that it can use the token to make the API call.