An access token is an object encapsulating the security identity of a process or thread.[1]
A token is used to make security decisions and to store tamper-proof information about some system entity.
An access token is generated by the logon service when a user logs on to the system and the credentials provided by the user are authenticated against the authentication database.
The authentication database contains credential information required to construct the initial token for the logon session, including its user ID, primary group ID, all other groups it is part of, and other information.[1]
Whenever such a process opens a handle to any resource which has access control enabled, Windows reconciles the data in the target object's security descriptor with the contents of the current effective access token.
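
The reconciliation described above, as an added example that is not part of the original page: a simplified Python model of how the user and group SIDs in a token are matched, in order, against the access control entries (ACEs) of the DACL in an object's security descriptor. It goes beyond the text by spelling out the ACE walk; the `Token` and `Ace` classes, `access_check`, and the SIDs marked as constructed are illustrative assumptions, and owner rights, privileges and integrity levels are left out.

```python
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2            # sample access-right bits for this model

USERS = "S-1-5-32-545"            # well-known SID: BUILTIN\Users
ALICE = "S-1-5-21-1-2-3-1001"     # constructed user SID
BOB = "S-1-5-21-1-2-3-1002"       # constructed user SID
CONTRACTORS = "S-1-5-21-1-2-3-2001"  # constructed group SID

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the entry applies to
    mask: int   # access-right bits covered by the entry

@dataclass
class Token:
    user: str                                  # user SID from the logon session
    groups: set = field(default_factory=set)   # group SIDs carried by the token

def access_check(token, dacl, desired):
    """Return True if every bit in `desired` is granted to `token` by `dacl`."""
    if dacl is None:               # NULL DACL: the object is unprotected
        return True
    granted = 0
    for ace in dacl:               # entries are evaluated in stored order
        if ace.sid != token.user and ace.sid not in token.groups:
            continue               # entry names a SID the token does not hold
        if ace.kind == "deny":
            if ace.mask & desired & ~granted:
                return False       # a right still needed is explicitly denied
        else:
            granted |= ace.mask
            if (granted & desired) == desired:
                return True        # everything requested has been allowed
    return False                   # empty DACL or rights left ungranted

alice = Token(ALICE, {USERS})
bob = Token(BOB, {USERS, CONTRACTORS})

# Canonical order: deny entries precede allow entries.
DACL = [Ace("deny", CONTRACTORS, WRITE), Ace("allow", USERS, READ | WRITE)]
# Same entries, non-canonical order: the allow is reached before the deny.
MISORDERED = list(reversed(DACL))

if __name__ == "__main__":
    for name, tok in (("alice", alice), ("bob", bob)):
        print(name, access_check(tok, DACL, WRITE), access_check(tok, MISORDERED, WRITE))
```

Because the walk stops as soon as the requested rights are satisfied, the misordered DACL lets `bob` write even though a deny entry for his group is present, which is why DACLs are normally kept in canonical order.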