Bearer

Overview

Bearer authentication (RFC 6750) sends a previously issued opaque token or JWT in the `Authorization: Bearer <token>` header. It is the standard for OAuth 2.0 and most modern REST APIs. As the name implies, whoever bears (holds) the token is granted access.

Transport

Authorization: Bearer <token>

Details

Because holding the token is itself the proof, the client authenticates once to obtain a token and then simply presents that token on subsequent requests, unlike Basic which resends the username/password every time. The token may be opaque (the server looks it up in a store to validate) or a self-contained JWT that is verified by signature (stateless).

In practice you split access and refresh tokens. The access token is short-lived (minutes to an hour) and is sent on actual API calls; the refresh token is long-lived and used only to mint new access tokens. When an access token expires, the server returns 401 with `WWW-Authenticate: Bearer error="invalid_token"`, and the client silently refreshes and retries the original request.

Since possession equals authority, a stolen bearer token is immediately usable. That is why access tokens are kept short-lived to shrink the exposure window, while refresh tokens get stronger storage and rotation.

Request / Response example

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

In code

curl -H 'Authorization: Bearer <access_token>' https://api.example.com/me
fetch('/me', {
  headers: { Authorization: 'Bearer ' + accessToken }
});
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The access token expired"

Security considerations

Related headers

Related status codes