A Shared Access Signature (SAS) token is a unique string of encrypted text that encapsulates all the necessary details needed to authenticate a shared signature to access Azure Storage services. It also determines which service and resource can be accessed, the permissions granted, and the validity period of the signature.

If we look at the specifics of these tokens, there are 3 types of SAS tokens: Account SAS, Service SAS, and User Delegation SAS. This blog walks through Account SAS tokens specifically, as this is the type of token used to access storage, which is a critical (if not the most critical) point of failure in data security.

Account SAS Tokens

SAS tokens are encrypted codes in the form of URIs (Uniform Resource Identifier) that grant specific access rights to one or more Azure Storage resources, such as Azure Blob Storage, Azure File Storage, and Azure Queue Storage. Compared to other tokens, this extensive access means it’s crucial to handle Account SAS carefully to prevent unauthorized data access.

https://www.cyera.com/blog/understanding-the-risks-of-azure-sas-tokens 

Explanation of parameters:

sv: The storage service version.
ss: The signed services, in this case, blobs.
srt: The signed resource types, in this case, service (s), container (c), and object (o).
sp: The signed permissions, in this case, read (r).
se: The expiry time for the SAS token (2024-04-10T23:59:59Z).
st: The start time for the SAS token (2024-04-08T00:00:00Z).
spr: The signed protocol, in this case, HTTPS.
sig: The signature, which is a hashed value generated using your account key and the specified parameters.

https://bigid.com/blog/understanding-azure-sas-tokens/