froggebip



like for example, the Azure SDK can be used to generate tokens with arbitrary permissions and expiry dates. These tokens, once generated, serve as a standalone authentication method to download or upload or whatever the token allows.

you need to supply some other form of credential to the API in order to generate a valid token. if you do not actually have proper access, the API will still give you a well-formed token, but when you try to use it, it won't work.

i expect this is because the mechanism for making these tokens is just "use your own credential to sign a string that indicates expiry and permission levels" and if your credential is wrong or insufficient, you can still sign that string. but it was very frustrating to figure out why my token didn't work, even though I was supplying an appropriate credential!

(the answer to my specific issue was that I was giving the wrong name for an AzureNamedKeyCredential. As it happens, the "name" in NamedKey is overloaded. Storage Account keys each have names (the defaults are key1 and key2) but when you use those keys with an AzureNamedKeyCredential, the actual name it wants is the name of the Storage Account.)
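The behaviour described above, as an added sketch that is not from the original post and is not the Azure SDK's code: the client signs locally with HMAC-SHA256 and only the service ever checks the signature. The string-to-sign here is a simplified stand-in (the real Azure format has more fields), and the account name, keys and resource path are constructed sample values.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode, parse_qs

def sign(account_name, key_b64, permissions, expiry, resource):
    # Simplified string-to-sign (assumption, not the real Azure layout).
    # The account name is part of the signed resource path.
    string_to_sign = "\n".join([permissions, expiry, f"/blob/{account_name}/{resource}"])
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_token(account_name, key_b64, permissions, expiry, resource):
    """Client side: purely local, nothing checks the credential here."""
    sig = sign(account_name, key_b64, permissions, expiry, resource)
    return urlencode({"sp": permissions, "se": expiry, "sig": sig})

def service_accepts(token, real_account, real_key_b64, resource):
    """Service side: recompute the signature with the real name and key."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    expected = sign(real_account, real_key_b64, q["sp"], q["se"], resource)
    return hmac.compare_digest(expected, q["sig"])

# Constructed sample values, not real credentials.
ACCOUNT = "examplestorageacct"
REAL_KEY = base64.b64encode(b"constructed-real-account-key-000").decode()
WRONG_KEY = base64.b64encode(b"constructed-some-other-key-00000").decode()
RESOURCE = "container/report.csv"
EXPIRY = "2030-01-01T00:00:00Z"

def demo():
    cases = {
        "correct name and key": (ACCOUNT, REAL_KEY),
        "wrong key": (ACCOUNT, WRONG_KEY),
        "key name instead of account name": ("key1", REAL_KEY),
    }
    results = {}
    for label, (name, key) in cases.items():
        token = make_token(name, key, "r", EXPIRY, RESOURCE)  # always well-formed
        results[label] = service_accepts(token, ACCOUNT, REAL_KEY, RESOURCE)
    return results

if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

All three tokens have the same shape, so nothing on the client side distinguishes the two bad ones; only the service-side recomputation does.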

