What is a Bearer Token

A bearer token is any token that grants API access to whoever possesses it. The name comes from the Authorization: Bearer <token> HTTP header format. No additional proof of identity is required — if you have the token, you have access.

How it works

The client sends the token in the Authorization header:

GET /api/data HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...

The server extracts the token, verifies it (signature check for JWTs, database lookup for opaque tokens), and processes the request with the token's associated identity and permissions.
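An added example of the server-side handling described above (not code from the original page), in plain Python with only the standard library: it pulls the token out of the Authorization header, treats a three-segment token as a JWT and verifies its HS256 signature and expiry, and treats anything else as an opaque token resolved by a server-side lookup. The secret, the opaque-token table and the claim values are constructed for this example.

```python
import base64, hashlib, hmac, json, time

SERVER_SECRET = b"example-hs256-secret"  # constructed for this example, not a real key
OPAQUE_TOKENS = {"opq_4f2a": {"sub": "svc-backup", "scope": ["read"]}}  # constructed

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def verify_jwt_hs256(token, now=None):
    """Check HS256 signature and expiry; return the claims or None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        if json.loads(b64url_decode(h_b64)).get("alg") != "HS256":
            return None  # refuse 'none' and algorithm-confusion tokens
        signing_input = f"{h_b64}.{p_b64}".encode()
        expected = hmac.new(SERVER_SECRET, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        claims = json.loads(b64url_decode(p_b64))
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            return None  # expired: short lifetimes bound the damage of a stolen token
        return claims
    except (ValueError, AttributeError, TypeError):  # bad base64/JSON/segments
        return None

def authenticate(headers, now=None):
    """Resolve the bearer token to an identity, or None if it must be rejected."""
    token = extract_bearer(headers)
    if token is None:
        return None
    if token.count(".") == 2:
        return verify_jwt_hs256(token, now)  # self-contained token: verify signature
    return OPAQUE_TOKENS.get(token)  # opaque token: look it up server-side

def mint_jwt(claims):
    """Issue an HS256 JWT; here only to build sample input for the check above."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"
```

Whoever presents a valid token is accepted as that identity, which is exactly the bearer property: nothing in the check ties the token to the caller.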

Why it matters

"Bearer" is a security model, not a token format. JWTs, OAuth access tokens, and API keys can all be bearer tokens. The critical implication: anyone who intercepts the token can use it. This is why bearer tokens must always be transmitted over TLS, stored securely, and given short expiration times. Losing a bearer token is equivalent to losing the credentials it represents.

See How API Authentication Works for when to use bearer tokens vs cookies vs API keys.