The question is formulated as if you still don’t know why you even needed it) In a nutshell, a token is a certain sequence unique enough to be difficult to guess. The service should have a function ala Authorization (login password) or whatever you use in it, this function should check the correctness of the user and if it is correct, generate a certain Token for him, for this you can, for example, use a GUID object or just MD5 from some fairly unique string. This token is returned during authorization and stored somewhere in the database, then when accessing the service, this token is sent instead of the login / password pair and the check is no longer by login or password, but by the presence of the token in the database. Accordingly, if there is suspicious activity on some token, it can be removed from the database, thereby "blocking" the token,

Try to read about JWT
jwt.io
The JWT token contains information about the user, in the form of a JSON object.
this JSON is Base64 encoded and signed with your "secret"
by receiving a JWT token from the user you can check the signature to see if the object in the token has been tampered with.