Bearer Token

A bearer token is an access token presented using the HTTP Authorization scheme: Authorization: Bearer <token>. Any party in possession of the bearer token can use it — hence the name. JWT access tokens are commonly sent as bearer tokens. RFC 6750 defines bearer token usage for OAuth 2.0 protected resources. Tokens must travel only over HTTPS to prevent interception. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.

Why It Matters

Misconfigured bearer handling is a leading cause of API breaches. Never log full bearer tokens, never pass them in URL query strings, and validate them on every protected route. Compare with API keys, which use different headers and rotation patterns. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Related Terms

Related Comparisons

Related Tools

Related Articles

Frequently Asked Questions

Why is it called bearer?

Whoever bears (holds) the token can use it. No additional proof of possession is required beyond presenting it. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Bearer vs Basic auth?

Basic sends credentials each request. Bearer sends a delegated token minted after authentication. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.

Can bearer tokens be cookies?

The scheme name applies to the Authorization header. Similar tokens can also be stored in httpOnly cookies. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.