An authorization server works by issuing and validating access tokens and refresh tokens. When a client application requests access to email marketing data, it first needs to authenticate with the authorization server. Upon successful authentication, the server issues an access token, which the client can use to access the requested resources. The server also issues a refresh token, which the client can use to obtain a new access token once the original token expires.