What Is a Bearer Token?
A bearer token is an access token that grants API access to anyone who "bears" (holds) it — no extra proof of identity required. It's sent in the HTTP Authorization: Bearer <token> header, which means it must always be transmitted over HTTPS and stored carefully, because whoever has the token has the access.
Bearer tokens are everywhere in modern APIs. Here's how they work and how to use them safely.
"Bearer" Means Exactly What It Says
The name comes from the idea of a bearer instrument — like cash. If you hold a $20 bill, you can spend it; nobody checks that it's yours. A bearer token works the same way: the server honors the token itself, without verifying the caller's identity beyond possession.
That's powerful and convenient — but it also means a leaked token is immediately usable by an attacker.
How a Bearer Token Is Sent
After authenticating (typically via OAuth 2.0), a client receives a token and includes it on every request:
GET /api/account
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
The server validates the token and, if it checks out, processes the request. For a self-contained token such as a JWT that means verifying the signature, the expiry, and that the required scope is present, with no session lookup or password involved; an opaque token is instead looked up in the issuer's store.
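The resource-server side of that exchange, as an added example (not code from the original page): pull the token out of the Authorization header, verify an HS256 JWT signature with a shared key, then check expiry and scope. The signing key, the `issue_jwt` helper and the `account:read` scope are assumptions made so the example runs offline; a real API would load the key from its issuer configuration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical HS256 key shared between issuer and API (constructed for this example only).
SIGNING_KEY = b"example-hs256-key-do-not-use-in-production"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def extract_bearer_token(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None if absent/not Bearer."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():  # the scheme name is case-insensitive
        return None
    return token.strip()


def issue_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issuer side: mint a compact HS256 JWT so the example has something to validate."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token: str, required_scope: str, key: bytes = SIGNING_KEY,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Check signature, then expiry, then scope. Returns (ok, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Pin the algorithm server-side: the token must never choose it ("none", alg confusion).
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        actual = _b64url_decode(sig_b64)
    except ValueError:
        return False, "bad signature"
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        return False, "bad signature"
    # Claims are only trusted once the signature has checked out.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    scopes = set(str(claims.get("scope", "")).split())
    if required_scope not in scopes:
        return False, "insufficient scope"
    return True, "ok"


def authorize_request(headers: dict, required_scope: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """What the API does on every request: extract the bearer token, then validate it."""
    token = extract_bearer_token(headers)
    if token is None:
        return False, "no bearer token"
    return validate_jwt(token, required_scope, now=now)


if __name__ == "__main__":
    t = issue_jwt({"sub": "alice", "scope": "account:read", "exp": int(time.time()) + 300})
    print(authorize_request({"Authorization": f"Bearer {t}"}, "account:read"))
    print(authorize_request({"Authorization": f"Bearer {t}"}, "account:write"))
```

Note the order: the algorithm is pinned and the signature verified before a single claim is read, and the comparison is constant-time. Reading `exp` or `scope` from an unverified payload would let anyone who can edit base64 grant themselves access.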
Bearer Tokens vs JWTs
These overlap but aren't the same:
- Bearer token describes how the token is used: sent in the Authorization: Bearer header, honored by possession.
- JWT (JSON Web Token) describes the token's format: a signed, self-contained token with claims.
A JWT is very commonly used as a bearer token, but a bearer token could also be an opaque random string the server looks up. Decode a JWT bearer token's claims with our JWT Decoder, and inspect OAuth tokens with the OAuth Token Inspector.
Are Bearer Tokens Secure?
Unlike a sender-constrained token (one bound to a client key via mTLS or DPoP), a bearer token carries no built-in proof of ownership, so it's secure only with the right precautions:
- Always use HTTPS. A token sent over plain HTTP can be sniffed and reused.
- Keep tokens short-lived. Pair a short-lived access token with a refresh token so a leak has a small window.
- Scope tokens narrowly. Grant only the permissions needed.
- Store carefully. Avoid localStorage for sensitive web apps (any XSS on the page can read it); prefer Secure, HttpOnly cookies where appropriate, and because cookies are sent automatically, pair them with SameSite and an anti-CSRF defence; see the Cookie Decoder.
- Support revocation. Be able to invalidate a token if it leaks. With a JWT the signature stays valid until exp, so revocation needs a server-side denylist or a lifetime short enough that a leak expires quickly.
For comparison, an API key is a simpler long-lived credential for server-to-server use — generate one with our API Key Generator.
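The precautions above, carried through in an issuer-side store for opaque bearer tokens (the lookup-based alternative to a JWT mentioned earlier). This is an added example, not the page's or any project's code: it issues a short-lived, narrowly scoped access token paired with a longer-lived refresh token, validates on every request, and supports revocation. Two design choices beyond the text are assumptions worth stating: tokens are stored only as SHA-256 fingerprints, so a dump of the table yields nothing usable, and refresh tokens are rotated on use, with reuse of a retired refresh token treated as evidence of a leak that revokes everything for that subject. The store is in-memory and single-process; a real deployment would back it with a database or cache.

```python
import hashlib
import secrets
from typing import Dict, Optional, Set, Tuple


class BearerTokenStore:
    """Issue, validate, refresh and revoke opaque bearer tokens (example, in-memory)."""

    def __init__(self, access_ttl: int = 300, refresh_ttl: int = 7 * 24 * 3600):
        self.access_ttl = access_ttl      # short window for the bearer token itself
        self.refresh_ttl = refresh_ttl    # longer-lived, only ever exchanged at the issuer
        # Keyed by SHA-256 of the token, so the clear-text token is never at rest server-side.
        self._records: Dict[str, dict] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, kind: str, subject: str, scopes: Set[str], now: float, ttl: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._fingerprint(token)] = {
            "kind": kind, "sub": subject, "scopes": set(scopes),
            "exp": now + ttl, "revoked": False,
        }
        return token

    def issue(self, subject: str, scopes: Set[str], now: float) -> Tuple[str, str]:
        """Return (access_token, refresh_token). Scopes are fixed at issue time: ask for the minimum."""
        return (self._mint("access", subject, scopes, now, self.access_ttl),
                self._mint("refresh", subject, scopes, now, self.refresh_ttl))

    def validate(self, token: str, required_scope: str, now: float) -> Tuple[bool, str]:
        """Resource-server check on every request: known, not revoked, not expired, scope present."""
        rec = self._records.get(self._fingerprint(token))
        if rec is None or rec["kind"] != "access":   # a refresh token is not an access token
            return False, "unknown token"
        if rec["revoked"]:
            return False, "revoked"
        if now >= rec["exp"]:
            return False, "expired"
        if required_scope not in rec["scopes"]:
            return False, "insufficient scope"
        return True, rec["sub"]

    def refresh(self, refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
        """Rotate: retire the presented refresh token and issue a fresh pair.
        Presenting an already-retired refresh token is treated as a leak."""
        rec = self._records.get(self._fingerprint(refresh_token))
        if rec is None or rec["kind"] != "refresh" or now >= rec["exp"]:
            return None
        if rec["revoked"]:
            self.revoke_all_for(rec["sub"])  # someone else holds a copy; contain the blast radius
            return None
        rec["revoked"] = True
        return self.issue(rec["sub"], rec["scopes"], now)

    def revoke(self, token: str) -> bool:
        """Invalidate one token (access or refresh) after a reported leak."""
        rec = self._records.get(self._fingerprint(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def revoke_all_for(self, subject: str) -> int:
        """Invalidate every live token for a subject; returns how many were revoked."""
        n = 0
        for rec in self._records.values():
            if rec["sub"] == subject and not rec["revoked"]:
                rec["revoked"] = True
                n += 1
        return n


if __name__ == "__main__":
    store = BearerTokenStore()
    access, refresh = store.issue("alice", {"account:read"}, now=1000.0)
    print(store.validate(access, "account:read", now=1100.0))
    print(store.validate(access, "account:read", now=1400.0))
    print(store.refresh(refresh, now=1400.0) is not None)
```

Because the access token is looked up rather than verified by signature, revocation is immediate, which is the main operational advantage of opaque tokens over JWTs; the cost is that every API request needs a round trip to the store.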
Where Should You Store a Bearer Token?
It depends on the client:
- Server-side apps: in server memory or a secure session store.
- Mobile apps: in the platform's secure storage (Keychain/Keystore).
- Single-page apps: ideally an HttpOnly cookie to limit XSS exposure; if you keep the token in JavaScript memory instead, accept the trade-offs and keep tokens short-lived.
Frequently Asked Questions
What is a bearer token?
An access token that grants API access to whoever holds it, sent in the Authorization: Bearer header without extra identity proof.
How does a bearer token work?
The client includes the token on each request; the server validates it (signature, expiry, scopes) and grants access based purely on possession.
Is a JWT a bearer token?
A JWT is a token format and is very often used as a bearer token, but "bearer" refers to how it's sent and honored, not its format.
Are bearer tokens secure?
Only with HTTPS, short lifetimes, narrow scopes, careful storage, and revocation support, because anyone holding the token can use it.
Where should I store a bearer token?
In secure platform storage (Keychain/Keystore) for mobile, server-side stores for backends, and ideally HttpOnly cookies for web apps.
Treat a bearer token like cash in your pocket: convenient, instantly usable, and worth protecting — because whoever holds it gets the access.