Bearer Token

What is a Bearer Token?

A bearer token is a type of access token used in API authentication that grants access to a protected resource to whoever possesses ("bears") it. The token is included in the HTTP Authorization header using the format Authorization: Bearer <token>. The server validates the token and, if it is valid and unexpired, processes the request. Bearer tokens are a core component of the OAuth 2.0 framework and are widely used across modern web APIs.

How Bearer Tokens Work

When a client authenticates — for example, by exchanging credentials through an OAuth 2.0 flow — the authorization server issues a bearer token. The client stores this token and sends it with each subsequent API request. The server inspects the token to determine the caller's identity and permissions without requiring the client to re-authenticate on every request. Tokens typically have an expiration time, after which the client must obtain a new token, often using a refresh token.

Security Implications

Because a bearer token grants access to anyone who holds it, protecting the token is critical. Tokens should only be transmitted over encrypted connections (HTTPS). They should be stored securely on the client side — in HTTP-only cookies for web applications or secure storage on mobile devices, never in localStorage where they are vulnerable to cross-site scripting (XSS) attacks. Short expiration times reduce the impact of a stolen token, and token revocation mechanisms allow servers to invalidate compromised tokens before they expire.
