
BearerToken

A bearer token is an access token that grants whoever holds it the right to access protected resources. In OAuth 2.0 and OpenID Connect, the client presents the token to a resource server as proof of authorization. The term bearer means that possession alone confers access: the resource server does not require the presenter to demonstrate anything else, such as possession of a cryptographic key, so a leaked token is as useful to an attacker as to its legitimate holder.

Transmission and format: Bearer tokens are typically sent in the HTTP Authorization header as "Authorization: Bearer <token>". They can be opaque strings (meaningful only to the authorization server, which a resource server consults through token introspection) or self-contained tokens such as JSON Web Tokens (JWT). JWTs carry claims such as issuer (iss), audience (aud), scope, and expiration (exp), and can be validated by the resource server without contacting the authorization server, provided the signature is verified against the issuer's key and the claims are then checked. The signature only proves who minted the token; it says nothing about whether the token was meant for this resource server or is still within its validity window, so audience and expiration must be checked separately.

Lifecycle and scope: Tokens are issued by an authorization server with an associated scope (permissions) and an expiration time. Access tokens are usually short-lived, and refresh tokens can be used to obtain new access tokens without re-authentication. Revocation and rotation mechanisms help mitigate risks if a token is compromised. A self-contained token cannot be recalled before it expires unless the resource server consults a revocation list or an introspection endpoint, which is one reason to keep access token lifetimes short and to rotate refresh tokens on every use.

Security considerations: Always transmit tokens over TLS. Do not log or expose tokens in URLs, browser history, or referrer headers. Store tokens securely; public clients should minimize exposure and use PKCE (Proof Key for Code Exchange) to protect authorization codes. Validate audience and issuer claims, bind tokens to a client when possible (sender-constrained tokens using mutual TLS, RFC 8705, or DPoP, RFC 9449, remove the bearer property, since the token is then usable only together with the client's key), and implement robust revocation and rotation policies to limit damage from leakage.

Standards and usage: Bearer tokens are defined in RFC 6750, which specifies how tokens are presented and protected. They are used broadly in OAuth 2.0 flows and OpenID Connect, often alongside other token types such as refresh tokens and ID tokens.
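The header parsing and the signature-first, then claims, validation order described under Transmission and format and Security considerations, as an added example written for this entry (it is not code from the page's source or from any library): an HS256 JWT validator built only on the Python standard library. The shared key, the issuer and audience strings, and every token the demo mints are constructed assumptions; a production resource server would normally verify an asymmetric signature against the authorization server's published keys and rely on a maintained JWT library rather than hand-rolled parsing.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed configuration for the demo resource server (not values from the page).
SHARED_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "https://api.example.test"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SHARED_KEY, alg: str = "HS256") -> str:
    """Produce a compact JWT; used here only to construct demo tokens.
    alg='none' yields an unsigned token so the validator's alg pinning can be shown."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def extract_bearer(authorization: str) -> Optional[str]:
    """Return the token from 'Bearer <token>' (the RFC 6750 header scheme), else None."""
    parts = authorization.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def validate_token(token: str, required_scope: str, key: bytes = SHARED_KEY,
                   now: Optional[float] = None) -> tuple:
    """Return (accepted, reason, claims). No claim is trusted before the signature
    is verified, and the algorithm is pinned instead of being read from the token."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token", {}
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg", {}
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", {}
    try:
        claims = json.loads(payload)
    except ValueError:
        return False, "malformed token", {}
    if not isinstance(claims, dict):
        return False, "malformed token", {}
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer", claims
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience", claims
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired", claims
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient scope", claims
    return True, "ok", claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the validator over constructed tokens; 'now' is fixed for reproducibility."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-42",
            "scope": "orders:read orders:write", "exp": now + 300}
    tokens = {
        "good": mint_token(base),
        "expired": mint_token({**base, "exp": now - 1}),
        "wrong_aud": mint_token({**base, "aud": "https://other.example.test"}),
        "forged": mint_token(base, key=b"attacker-key"),   # signed with the wrong key
        "alg_none": mint_token(base, alg="none"),           # classic unsigned-token trick
    }
    results = {name: validate_token(tok, "orders:read", now=now)[1]
               for name, tok in tokens.items()}
    results["wrong_scope"] = validate_token(tokens["good"], "admin", now=now)[1]
    results["header_ok"] = extract_bearer("Bearer " + tokens["good"]) == tokens["good"]
    results["header_basic"] = extract_bearer("Basic dXNlcjpwYXNz")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} -> {outcome}")
```

The order of checks is the point: a forged or unsigned token is rejected before any of its claims are read, the algorithm comes from the server's configuration rather than from the untrusted header, and a token that is perfectly well signed is still refused when it names another audience, has expired, or lacks the scope the endpoint requires.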
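The lifecycle described under Lifecycle and scope (short-lived access tokens, refresh tokens that obtain new ones, and rotation plus revocation when a token is compromised), as an added example written for this entry and not code from the page's source: a toy authorization server that issues opaque access tokens, rotates the refresh token on every use, and, going one step beyond the text, treats reuse of an already-rotated refresh token as evidence of theft and revokes the whole token family, as the OAuth 2.0 Security Best Current Practice recommends. The lifetimes, the subject name and the in-memory stores are assumptions chosen for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ACCESS_TTL = 300       # seconds; assumed demo lifetimes, not values from the page
REFRESH_TTL = 3600


@dataclass
class AccessRecord:
    subject: str
    family: str          # the login session this token descends from
    expires_at: float


@dataclass
class RefreshRecord:
    subject: str
    family: str
    expires_at: float
    used: bool = False   # set once the token has been exchanged (rotated)


class AuthorizationServer:
    """Toy authorization server (added example): issues short-lived opaque access
    tokens plus rotating refresh tokens, and revokes a whole token family when a
    rotated refresh token is presented again."""

    def __init__(self) -> None:
        self.access: Dict[str, AccessRecord] = {}
        self.refresh: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    def _issue_pair(self, subject: str, family: str, now: float) -> Tuple[str, str]:
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self.access[access_token] = AccessRecord(subject, family, now + ACCESS_TTL)
        self.refresh[refresh_token] = RefreshRecord(subject, family, now + REFRESH_TTL)
        return access_token, refresh_token

    def login(self, subject: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Initial grant: start a new token family for this authentication."""
        now = time.time() if now is None else now
        return self._issue_pair(subject, secrets.token_hex(8), now)

    def refresh_grant(self, refresh_token: str,
                      now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a new access/refresh pair (rotation)."""
        now = time.time() if now is None else now
        rec = self.refresh.get(refresh_token)
        if rec is None or rec.family in self.revoked_families or now >= rec.expires_at:
            return None
        if rec.used:
            # Reuse of an already-rotated token: either the real client or a thief
            # holds a stale copy, and the server cannot tell which. Revoke every
            # token in the family so both parties must re-authenticate.
            self.revoke_family(rec.family)
            return None
        rec.used = True
        return self._issue_pair(rec.subject, rec.family, now)

    def revoke_family(self, family: str) -> None:
        self.revoked_families.add(family)
        self.access = {t: r for t, r in self.access.items() if r.family != family}
        self.refresh = {t: r for t, r in self.refresh.items() if r.family != family}

    def introspect(self, access_token: str,
                   now: Optional[float] = None) -> Optional[str]:
        """What a resource server asks about an opaque token: whose is it, if valid."""
        now = time.time() if now is None else now
        rec = self.access.get(access_token)
        if rec is None or rec.family in self.revoked_families or now >= rec.expires_at:
            return None
        return rec.subject


def demo(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Walk through issue, expiry, rotation, replay and family revocation."""
    srv = AuthorizationServer()
    at1, rt1 = srv.login("user-42", now)
    out = {"access_valid": srv.introspect(at1, now) == "user-42",
           "access_expired": srv.introspect(at1, now + ACCESS_TTL) is None}
    at2, rt2 = srv.refresh_grant(rt1, now + 60)             # legitimate rotation
    out["rotated"] = srv.introspect(at2, now + 60) == "user-42"
    out["replay_rejected"] = srv.refresh_grant(rt1, now + 120) is None   # stolen copy
    out["family_revoked_refresh"] = srv.refresh_grant(rt2, now + 130) is None
    out["family_revoked_access"] = srv.introspect(at2, now + 130) is None
    out["fresh_login_unaffected"] = srv.introspect(srv.login("user-42", now + 140)[0],
                                                   now + 141) == "user-42"
    return out


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:24} {'PASS' if ok else 'FAIL'}")
```

Because the access tokens here are opaque, the resource server has to call back (introspect) and revocation takes effect immediately; with self-contained JWTs the same family revocation would only bite at the next refresh, which is why short access token lifetimes matter more in that design.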