What is Bearer Token?
A bearer token is the access token type defined by RFC 6750 for HTTP authentication: the client presents the token with each request to a protected resource, and the resource server grants access on the strength of the token alone. The word "bearer" means that any party in possession of the token can use it; unlike proof-of-possession schemes, the holder does not have to demonstrate possession of a cryptographic key or otherwise prove its identity. That is what makes bearer tokens simple to use and what makes their theft equivalent to account compromise for the token's lifetime.
Quick Facts
| Item | Value |
|---|---|
| Full Name | Bearer Authentication Token |
| Created | October 2012 (RFC 6750) |
| Specification | RFC 6750, "The OAuth 2.0 Authorization Framework: Bearer Token Usage" |
How Bearer Token Works
Bearer tokens are the default access token type in OAuth 2.0 flows: the authorization server returns one in the token response with "token_type": "Bearer", and the client replays it to the resource server. RFC 6750 allows three ways to send the token, of which the HTTP Authorization header with the form 'Bearer <token>' is the recommended one; a form-encoded body parameter is permitted, and a URI query parameter is discouraged because URLs end up in browser history, proxy logs and Referer headers. The token itself is either a self-contained JWT (JSON Web Token), whose signature and claims the resource server can verify locally, or an opaque string that the resource server must look up in a shared store or validate through the authorization server's introspection endpoint. Only the self-contained form is stateless; an opaque token still requires a lookup on every request. Because anyone holding the token can use it, it must be sent only over TLS and stored where scripts and other applications cannot read it. Tokens carry an expiration time, and opaque tokens can be revoked immediately by the authorization server; a signed JWT remains valid until it expires unless the resource server also consults a revocation list, so short lifetimes combined with refresh tokens are the usual compromise.
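The following is an added example, not code from the original page or from any particular library: both halves of the exchange described above, written against the Python standard library only. The authorization-server side mints a self-contained HS256 JWT and the RFC 6749 token response; the resource-server side parses the Authorization header, verifies the signature and expiry, and answers a failure with the RFC 6750 challenge `WWW-Authenticate: Bearer realm="...", error="invalid_token"`. The shared secret, realm, claim values and the fixed clock used in the demo are assumptions made for illustration; a real deployment would use a key from the authorization server (typically RS256/ES256 with a JWKS) and the request framework's own header access.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions for the demo: the HS256 key shared by issuer and resource server,
# and the realm advertised in the WWW-Authenticate challenge.
SECRET = b"demo-shared-secret-do-not-use"
REALM = "api.example.com"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, ttl: int = 3600, now: Optional[int] = None) -> dict:
    """Authorization-server side: sign a JWT and wrap it in an OAuth 2.0 token response."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return {"access_token": f"{header}.{payload}.{_b64url(sig)}",
            "token_type": "Bearer", "expires_in": ttl}


def _challenge(error: Optional[str] = None) -> dict:
    """RFC 6750 section 3: 401 with a Bearer challenge; no error code when no token was sent."""
    value = f'Bearer realm="{REALM}"' + (f', error="{error}"' if error else "")
    return {"status": 401, "headers": {"WWW-Authenticate": value}}


def parse_bearer(headers: dict) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>'; scheme and header name are case-insensitive."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return None
    parts = auth.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Resource-server side: return the claims if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # pin the algorithm: no 'none', no confusion attacks
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time comparison
            return None
        claims = json.loads(_b64url_decode(p))
        if claims.get("exp", 0) <= now:           # expired tokens are rejected even with a valid signature
            return None
        return claims
    except (ValueError, TypeError, AttributeError):  # malformed base64, JSON, or structure
        return None


def handle_request(headers: dict, now: Optional[int] = None) -> dict:
    """The decision an authentication middleware makes for each incoming request."""
    token = parse_bearer(headers)
    if token is None:
        return _challenge()                       # no credentials at all: plain challenge
    claims = verify_token(token, now)
    if claims is None:
        return _challenge("invalid_token")        # bad signature, malformed, or expired
    return {"status": 200, "subject": claims["sub"]}


if __name__ == "__main__":
    t0 = 1_700_000_000                            # constructed fixed clock for a reproducible run
    resp = issue_token("alice", ttl=3600, now=t0)
    print(handle_request({"Authorization": "Bearer " + resp["access_token"]}, now=t0 + 10))
    print(handle_request({"Authorization": "Bearer " + resp["access_token"]}, now=t0 + 3601))
```

Run it as a script to see an accepted request followed by the expired-token challenge. The forged-token case in the design is the important one: splicing a different payload onto a valid signature fails `compare_digest`, which is exactly why a self-contained bearer token can be verified without any server-side state.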
Key Characteristics
- Sent in the Authorization header as 'Bearer <token>' (RFC 6750 also allows a form body parameter; the query-string method is discouraged)
- Commonly used with OAuth 2.0
- Token holder has access (no proof of identity or key possession needed)
- Usually JWT or opaque string format
- Stateless when self-contained (a signed JWT); opaque tokens require a store lookup or introspection call
- Must be transmitted over TLS and kept out of URLs and logs
Common Use Cases
- API authentication
- OAuth 2.0 access tokens
- Single sign-on (SSO) systems
- Mobile app authentication
- Microservices authorization
Example
HTTP Request with Bearer Token:
GET /api/user/profile HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Accept: application/json
JavaScript Fetch:
fetch('https://api.example.com/user/profile', {
headers: {
'Authorization': 'Bearer ' + accessToken,
'Accept': 'application/json'
}
}).then(function (res) {
// A 401 with a WWW-Authenticate: Bearer challenge means the token was
// missing, invalid or expired; refresh it rather than retrying blindly.
if (res.status === 401) throw new Error(res.headers.get('WWW-Authenticate'));
return res.json();
});
Token Response (OAuth 2.0):
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "dGhpcyBpcyBhIHJlZnJl..."
}
cURL Example:
curl -H "Authorization: Bearer <token>" \
https://api.example.com/resource