You are not confused. The access token can be abused if it is obtained by an unauthorised person for as long as the token is valid. The expiration date depends on the provider (e.g. Facebook, Twitter).
So it is important to secure this token at all times (SSL for transfer and some algorithm for persistence see also Securely storing an access token)