Bearer Token
A bearer token is a credential that grants the holder access to a resource simply by presenting the token, with no additional proof of identity. The defining property is that whoever holds the token may use it; there is no cryptographic binding between the token and the requester.
How it is used
The standard way to present a bearer token is the HTTP Authorization header: Authorization: Bearer <token>. RFC 6750 also allows the token as a form-encoded body parameter or as an access_token query parameter; the query-string form should be avoided because it ends up in server logs, proxy logs, browser history and Referer headers. The resource server validates the token by signature (a self-contained token such as a JWT), by lookup (an opaque token held in the server's own store), or by introspection at the authorization server (RFC 7662), and authorizes the request accordingly. When validation fails, RFC 6750 requires a WWW-Authenticate: Bearer challenge, with error codes invalid_request (400, malformed request), invalid_token (401, expired, revoked or unknown token) and insufficient_scope (403); a request that carries no credential at all gets a 401 challenge with no error code.
Because possession is the only thing checked, a leaked token is immediately usable by whoever obtained it. Bearer tokens are therefore transmitted over TLS only and never placed in URLs or log lines; stored carefully on the client (HttpOnly, Secure cookies on the web, the platform keystore such as Keychain or Android Keystore on native apps) and as a hash rather than in the clear on the server side; and given short lifetimes paired with refresh tokens for renewal. Note that a refresh token is itself a bearer credential unless it is sender-constrained or rotated on every use.
Alternatives
- Sender-constrained tokens (mTLS, DPoP). The token carries a confirmation (cnf) claim that names the client's key or certificate (RFC 7800), so the resource server accepts it only from a presenter who can prove possession of that key; a stolen token cannot be reused elsewhere. Two standard bindings exist: certificate-bound tokens over mutual TLS (RFC 8705), where the TLS client certificate is the proof, and DPoP (RFC 9449), which works at the application layer.
- Proof-of-possession (PoP) tokens. The general term for the above: the client signs each request with a key tied to the token instead of merely presenting the token. In DPoP the proof is a signed JWT sent in a DPoP header, covering the HTTP method (htm), the request URI (htu), a timestamp (iat), a unique identifier (jti) that the server tracks against replay and a hash of the access token (ath).
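The resource-server logic above, as an added example that is not part of the original page: parsing the Authorization header, validating an opaque token by lookup with expiry and scope checks, emitting the RFC 6750 challenge on failure, and then the sender-constrained variant. TOKEN_STORE, CLIENT_KEYS and every token, URL and key are constructed for the example. The proof-of-possession part uses an HMAC over the method, URL, timestamp, proof id and token hash as a simplified stand-in for a DPoP proof, which is an asymmetrically signed JWT with the same fields; the freshness window and replay set are this example's choices, not values from any specification.

```python
"""Resource-server side of RFC 6750 bearer handling, plus a sender-constrained
variant.  Added example with constructed data; not code from the page."""
import hashlib
import hmac
import re
import secrets
import time

# Constructed resource-server state.  Tokens are stored hashed so that a
# leaked database does not hand out usable credentials.
TOKEN_STORE = {}        # sha256(token) -> {"sub", "scope", "exp", "cnf"}
CLIENT_KEYS = {}        # key id -> shared MAC key (stand-in for a DPoP public key)
SEEN_PROOF_IDS = set()  # proof ids already accepted (replay protection)

B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")  # b64token, RFC 6750 section 2.1


def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(sub, scope, ttl=300, cnf_kid=None):
    """Mint an opaque, short-lived token; cnf_kid binds it to a client key."""
    token = secrets.token_urlsafe(32)
    rec = {"sub": sub, "scope": scope, "exp": time.time() + ttl}
    if cnf_kid is not None:
        rec["cnf"] = {"kid": cnf_kid}   # confirmation claim, cf. RFC 7800
    TOKEN_STORE[token_hash(token)] = rec
    return token


def parse_bearer(header):
    """Extract the token from 'Authorization: Bearer <b64token>'.
    The scheme name is case-insensitive; anything else is malformed (None)."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token if B64TOKEN.fullmatch(token) else None


def challenge(error=None, description=None, scope=None):
    """Build the WWW-Authenticate value required by RFC 6750 section 3."""
    value = 'Bearer realm="api"'
    if error:
        value += f', error="{error}"'
    if description:
        value += f', error_description="{description}"'
    if scope:
        value += f', scope="{scope}"'
    return value


def make_proof(key, method, url, token, now=None):
    """Client side: MAC the request and the token with the PoP key."""
    ts = int(time.time() if now is None else now)
    jti = secrets.token_urlsafe(8)           # unique per proof, like DPoP jti
    msg = f"{method}\n{url}\n{ts}\n{jti}\n{token_hash(token)}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{jti}.{mac}"


def verify_proof(proof, key, method, url, token, now):
    """Server side: recompute the MAC, enforce freshness and single use."""
    try:
        ts_s, jti, mac = proof.split(".")
        ts = int(ts_s)
    except (AttributeError, ValueError):
        return False
    if abs(now - ts) > 60 or jti in SEEN_PROOF_IDS:   # 60 s window is arbitrary
        return False
    msg = f"{method}\n{url}\n{ts}\n{jti}\n{token_hash(token)}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    SEEN_PROOF_IDS.add(jti)
    return True


def authorize(method, url, headers, required_scope, now=None):
    """Return (status, WWW-Authenticate value or subject) for a request."""
    now = time.time() if now is None else now
    if "Authorization" not in headers:
        return 401, challenge()                       # no credential at all
    token = parse_bearer(headers["Authorization"])
    if token is None:
        return 400, challenge("invalid_request", "malformed Authorization header")
    rec = TOKEN_STORE.get(token_hash(token))
    if rec is None or rec["exp"] <= now:
        return 401, challenge("invalid_token", "token unknown, revoked or expired")
    if required_scope not in rec["scope"].split():
        return 403, challenge("insufficient_scope", scope=required_scope)
    if "cnf" in rec:                                  # sender-constrained token
        key = CLIENT_KEYS.get(rec["cnf"]["kid"])
        if key is None or not verify_proof(headers.get("Proof"), key,
                                           method, url, token, now):
            return 401, challenge("invalid_token", "missing or invalid proof")
    return 200, rec["sub"]
```

Run the plain bearer token through authorize from two different "clients" and both succeed: that is the bearer property. The cnf-bound token fails without a proof, succeeds once with a valid proof, and fails when the captured token and proof are replayed or when the proof is minted with the wrong key.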
Specification
Defined by RFC 6750, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", the companion to the core OAuth 2.0 specification (RFC 6749). The sender-constrained alternatives are specified in RFC 8705 (mTLS certificate-bound tokens) and RFC 9449 (DPoP), building on the confirmation claim of RFC 7800.