Send an access token issued by OAuth 2.0, JWT, or similar in the `Authorization: Bearer` header. This is the most common API authentication scheme today.
Send an access token issued by OAuth 2.0, JWT, or similar in the `Authorization: Bearer` header. This is the most common API authentication scheme today.
curl https://api.example.com/me \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsIn...'const token = 'eyJhbGciOiJIUzI1NiIsIn...';
const res = await fetch('https://api.example.com/me', {
headers: { Authorization: `Bearer ${token}` }
});import requests
token = 'eyJhbGciOiJIUzI1NiIsIn...'
res = requests.get('https://api.example.com/me',
headers={'Authorization': f'Bearer {token}'})The format is exactly `Authorization: Bearer <token>`, with a single space between the `Bearer` scheme and the token. Dropping the `Bearer` prefix or sending only the token yields a 401.
A bearer token grants access to whoever holds it, so transmit it over HTTPS only. Putting it in plain HTTP or a URL query string leaks it into logs, proxies, and browser history.
Distinguish 401 Unauthorized (missing, expired, or badly signed token) from 403 Forbidden (authenticated but not allowed). A 401 response's `WWW-Authenticate` header often carries a reason like `error="invalid_token"`; use it for debugging and refresh the token when it has expired.