Bearer authentication (RFC 6750) sends a previously issued opaque token or JWT in the `Authorization: Bearer <token>` header. It is the standard for OAuth 2.0 and most modern REST APIs. As the name implies, whoever bears (holds) the token is granted access.
Authorization: Bearer <token>Because holding the token is itself the proof, the client authenticates once to obtain a token and then simply presents that token on subsequent requests, unlike Basic which resends the username/password every time. The token may be opaque (the server looks it up in a store to validate) or a self-contained JWT that is verified by signature (stateless).
In practice you split access and refresh tokens. The access token is short-lived (minutes to an hour) and is sent on actual API calls; the refresh token is long-lived and used only to mint new access tokens. When an access token expires, the server returns 401 with `WWW-Authenticate: Bearer error="invalid_token"`, and the client silently refreshes and retries the original request.
Since possession equals authority, a stolen bearer token is immediately usable. That is why access tokens are kept short-lived to shrink the exposure window, while refresh tokens get stronger storage and rotation.
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5ccurl -H 'Authorization: Bearer <access_token>' https://api.example.com/mefetch('/me', {
headers: { Authorization: 'Bearer ' + accessToken }
});HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The access token expired"