Send a Bearer token

Send an access token issued by OAuth 2.0, JWT, or similar in the `Authorization: Bearer` header. This is the most common API authentication scheme today.

Overview

Send an access token issued by OAuth 2.0, JWT, or similar in the `Authorization: Bearer` header. This is the most common API authentication scheme today.

In code

curl https://api.example.com/me \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsIn...'
const token = 'eyJhbGciOiJIUzI1NiIsIn...';
const res = await fetch('https://api.example.com/me', {
  headers: { Authorization: `Bearer ${token}` }
});
import requests

token = 'eyJhbGciOiJIUzI1NiIsIn...'
res = requests.get('https://api.example.com/me',
                   headers={'Authorization': f'Bearer {token}'})

Details

The format is exactly `Authorization: Bearer <token>`, with a single space between the `Bearer` scheme and the token. Dropping the `Bearer` prefix or sending only the token yields a 401.

A bearer token grants access to whoever holds it, so transmit it over HTTPS only. Putting it in plain HTTP or a URL query string leaks it into logs, proxies, and browser history.

Distinguish 401 Unauthorized (missing, expired, or badly signed token) from 403 Forbidden (authenticated but not allowed). A 401 response's `WWW-Authenticate` header often carries a reason like `error="invalid_token"`; use it for debugging and refresh the token when it has expired.

Related headers

Related status codes