Enhance documentation on ACCESSTOKEN usage

David-Engel · web-flow · commit a1f7b8a5a658 · 2026-02-23T15:15:26.000-08:00
Clarify the requirements and constraints for using the ACCESSTOKEN structure in SQL Server authentication, including allocation and renewal details.
diff --git a/docs/connect/odbc/using-azure-active-directory.md b/docs/connect/odbc/using-azure-active-directory.md
@@ -189,7 +189,11 @@ typedef struct AccessToken
 } ACCESSTOKEN;
 ```
 
-The `ACCESSTOKEN` is a variable-length structure consisting of a 4-byte _length_ followed by _length_ bytes of opaque data that form the access token. Because of how SQL Server handles access tokens, one obtained via an [OAuth 2.0](/azure/active-directory/develop/active-directory-authentication-scenarios) JSON response must be expanded so that each byte is followed by a zero padding byte, similar to a UCS-2 string containing only ASCII characters. However, the token is an opaque value and the length specified, in bytes, must NOT include any null terminator. Because of their considerable length and format constraints, this method of authentication is only available programmatically via the `SQL_COPT_SS_ACCESS_TOKEN` connection attribute. There's no corresponding DSN or connection string keyword. The connection string must not contain `UID`, `PWD`, `Authentication`, or `Trusted_Connection` keywords.
+The `ACCESSTOKEN` is a variable-length structure consisting of a 4-byte _length_ followed by _length_ bytes of opaque data that form the access token. Because of how SQL Server handles access tokens, one obtained via an [OAuth 2.0](/azure/active-directory/develop/active-directory-authentication-scenarios) JSON response must be expanded so that each byte is followed by a zero padding byte, similar to a UCS-2 string containing only ASCII characters. However, the token is an opaque value and the length specified, in bytes, must NOT include any null terminator. Because of their considerable length and format constraints, this method of authentication is only available programmatically via the `SQL_COPT_SS_ACCESS_TOKEN` connection attribute.
+
+The `ACCESSTOKEN` must remain allocated for as long as the connection handle is allocated. Otherwise access violations may occur. The pointer is part of the connection pool key, so a new pointer will result in a new pool and new connections. You can renew the access token (if it expires, for example) by updating the data buffer directly with a new token, which allows you to continue using existing connections.
+
+There's no corresponding DSN or connection string keyword. The connection string must not contain `UID`, `PWD`, `Authentication`, or `Trusted_Connection` keywords.
 
 > [!NOTE]
 > The ODBC Driver version 13.1 only supports this authentication on _Windows_. Subsequent versions support this authentication on all platforms.
