A way of controlling access in some operating systems. The idea is that the right to access a resource is reified in a magic cookie or token. Tokens are unforgeable. The only way to get hold of a token is to be given one by someone else who already has one. Whenever you access a resource, you must provide the token that gives you the right.
Tokens may also be uncopyable. One way to implement this is to incorporate some kind of user-id (like an IP address) into the token in encrypted form, which means that the right to access cannot be delegated. Tokens may also be transferable without being duplicatable, like the stones in a StoneSociety.
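The unforgeable, holder-bound token described above, as an added example that is not part of the original page. It assumes an HMAC over the resource, right and holder id in place of the "encrypted form" the text mentions; the names `mint` and `check`, the resource path and the IP-style holder ids are hypothetical.

```python
import hashlib
import hmac
import secrets

# Key known only to the resource manager (the kernel, in an OS setting).
_KEY = secrets.token_bytes(32)


def _mac(resource: str, right: str, holder: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                   for f in (resource, right, holder))
    return hmac.new(_KEY, msg, hashlib.sha256).hexdigest()


def mint(resource: str, right: str, holder: str = "") -> dict:
    """Issue a token. An empty holder means a bearer token anyone can pass on."""
    return {"resource": resource, "right": right, "holder": holder,
            "mac": _mac(resource, right, holder)}


def check(token: dict, resource: str, right: str, presenter: str) -> bool:
    """Grant access only for an untampered token presented by its bound holder."""
    expected = _mac(token["resource"], token["right"], token["holder"])
    if not hmac.compare_digest(expected, token["mac"]):
        return False                       # forged or altered token
    if (token["resource"], token["right"]) != (resource, right):
        return False                       # token is for something else
    return token["holder"] in ("", presenter)


def demo() -> dict:
    # Constructed sample values: the resource name and holder ids are made up.
    bound = mint("/spool/report", "read", holder="10.0.0.5")
    bearer = mint("/spool/report", "read")
    forged = dict(bound, right="write")    # tampered copy: right changed, MAC kept
    return {
        "holder_uses_bound": check(bound, "/spool/report", "read", "10.0.0.5"),
        "other_uses_bound": check(bound, "/spool/report", "read", "10.0.0.9"),
        "other_uses_bearer": check(bearer, "/spool/report", "read", "10.0.0.9"),
        "forged_write": check(forged, "/spool/report", "write", "10.0.0.5"),
    }


if __name__ == "__main__":
    print(demo())
```

The bound token is refused when a different holder presents it, while the bearer token can be handed on freely; that is the difference between a non-delegatable and a delegatable capability.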
This kind of access control is more fine-grained than AccessLevels or AccessControlLists. We can think of languages like Smalltalk or Java as being capability systems, with the object references acting as tokens. You can't use (i.e. send a message to) an object unless you have a reference to it.