Bearer Token
What is Bearer Token?
Bearer Token: An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner.
A bearer token is a credential whose use is authenticated by possession alone: anyone who can present the token at the API gains the access it represents. It is most commonly carried in an HTTP Authorization: Bearer header and is defined by RFC 6750 in the context of OAuth 2.0. Because there is no proof-of-possession, bearer tokens must be transported over TLS, stored carefully, scoped narrowly, and given short lifetimes. Stronger alternatives include sender-constrained tokens such as DPoP, mTLS-bound tokens, and Token Binding. Leaked bearer tokens are immediately abusable until revoked or expired.
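An added example (not code from the page or from RFC 6750) showing how a resource server applies the controls the definition lists: it parses the Authorization: Bearer header, looks the opaque token up, enforces expiry, revocation and scope, and, for a sender-constrained token, additionally demands proof of the bound key. The token store, the client key and the X-Proof header are constructed for this example, and the proof step is a toy HMAC that only illustrates the idea of sender-constraining; it is not DPoP, mTLS binding or Token Binding.

```python
import hashlib, hmac
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class TokenRecord:  # what the issuer knows about one token; fields constructed for this example
    subject: str
    scopes: frozenset
    expires_at: int
    revoked: bool = False
    bound_key_id: Optional[str] = None  # set only on a sender-constrained token
# Constructed introspection store; a real resource server asks the issuer or verifies a signed JWT.
TOKENS = {
    "tok_live": TokenRecord("alice", frozenset({"orders:read"}), 2_000_000_000),
    "tok_expired": TokenRecord("alice", frozenset({"orders:read"}), 1_000_000_000),
    "tok_revoked": TokenRecord("bob", frozenset({"orders:read"}), 2_000_000_000, revoked=True),
    "tok_bound": TokenRecord("carol", frozenset({"orders:read"}), 2_000_000_000, bound_key_id="key-carol"),
}
CLIENT_KEYS = {"key-carol": b"constructed-client-key"}  # stands in for a client's registered key

def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; scheme name is case-insensitive (RFC 6750)."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token

def sign_proof(key: bytes, method: str, url: str) -> str:
    """Toy proof of possession: HMAC over the request target. Illustrates sender-constraining only; not DPoP."""
    return hmac.new(key, f"{method} {url}".encode(), hashlib.sha256).hexdigest()

def authorize(headers: dict, method: str, url: str, required_scope: str, now: int) -> str:
    """Decide one request: returns 'allow' or a 'deny: ...' reason, the way a resource server would."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return "deny: missing or malformed bearer credential"
    rec = TOKENS.get(token)  # opaque token: look it up, never trust its bytes
    if rec is None or rec.revoked:
        return "deny: unknown or revoked token"
    if now >= rec.expires_at:
        return "deny: expired token"
    if required_scope not in rec.scopes:
        return "deny: insufficient scope"
    if rec.bound_key_id is not None:
        # Possession alone is not enough here: the caller must also prove it holds the bound key.
        expected = sign_proof(CLIENT_KEYS[rec.bound_key_id], method, url)
        if not hmac.compare_digest(headers.get("X-Proof", ""), expected):
            return "deny: no valid proof of possession"
    return "allow"
```

Note that tok_live is accepted from whoever presents it, which is exactly why a leaked plain bearer token is abusable until it is revoked or expires; tok_bound is refused without the proof.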
● Examples
- 01 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
- 02 Calling https://api.example.com/v1/orders with a leaked OAuth access token.
● Frequently asked questions
What is Bearer Token?
An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner. It belongs to the Identity & Access category of cybersecurity.
What does Bearer Token mean?
An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner.
How does Bearer Token work?
A bearer token is a credential whose use is authenticated by possession alone: anyone who can present the token at the API gains the access it represents. It is most commonly carried in an HTTP Authorization: Bearer header and is defined by RFC 6750 in the context of OAuth 2.0. Because there is no proof-of-possession, bearer tokens must be transported over TLS, stored carefully, scoped narrowly, and given short lifetimes. Stronger alternatives include sender-constrained tokens such as DPoP, mTLS-bound tokens, and Token Binding. Leaked bearer tokens are immediately abusable until revoked or expired.
How do you defend against bearer token theft and misuse?
Defences combine the technical controls and operational practices described in the full definition above: transport the token only over TLS, store it carefully, scope it narrowly, give it a short lifetime, revoke it promptly on suspected leakage, and prefer sender-constrained alternatives such as DPoP, mTLS-bound tokens or Token Binding where possession alone should not be enough.
● Related terms
- № 574 (identity-access) JWT (JSON Web Token): Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
- № 007 (identity-access) Access Token: Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
- № 913 (identity-access) Refresh Token: Long-lived credential used to obtain new short-lived access tokens from an OAuth 2.0 authorization server without prompting the user to log in again.
- № 749 (identity-access) OAuth 2.0: An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- № 052 (appsec) API Security: The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack.
- № 051 (identity-access) API Key: Static secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request.
● See also
- № 575 JWT Vulnerabilities