{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreic2hxhqblijy32zjuvldbrc3coko3oyj6v7hmciue5mdumitrlhly",
    "uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mloeutzv2gf2"
  },
  "description": "A bearer token is a credential that grants the holder access to a resource simply by presenting the token, with no additional proof of identity. The defining property is that whoever holds the token may use it; there is no cryptographic binding between the token and the requester. How it is used The standard way to present a bearer token is the HTTP Authorization header: Authorization: Bearer <token>. The resource server validates the token (by signature, by lookup, or by introspection) and a",
  "path": "/engineering-glossary/bearer-token-http-authorization/",
  "publishedAt": "2026-05-12T18:04:59.000Z",
  "site": "https://sahilkapoor.com",
  "tags": [
    "RFC 6750",
    "OAuth 2.0",
    "JWT",
    "OIDC",
    "Refresh Token",
    "Authorization Server",
    "Session"
  ],
  "textContent": "**A bearer token** is a credential that grants the holder access to a resource simply by presenting the token, with no additional proof of identity. The defining property is that whoever holds the token may use it; there is no cryptographic binding between the token and the requester.\n\n## How it is used\n\nThe standard way to present a bearer token is the HTTP Authorization header: `Authorization: Bearer <token>`. The resource server validates the token (by signature, by lookup, or by introspection) and authorizes the request accordingly.\n\nBecause bearer tokens are sensitive by design, they are transmitted over TLS only, stored carefully (HttpOnly cookies on the web, secure enclaves on native), and given short lifetimes paired with refresh tokens for renewal.\n\n## Alternatives\n\n  * **Sender-constrained tokens (DPoP, mTLS).** Cryptographically bind the token to the client so a stolen token cannot be reused elsewhere.\n  * **Proof-of-possession (PoP) tokens.** Require the client to sign each request with a key tied to the token.\n\n## Specification\n\nDefined by RFC 6750 as part of the OAuth 2.0 framework.\n\n🔗\n\n**Related Terms**\nOAuth 2.0, JWT, OIDC, Refresh Token, Authorization Server, Session.",
  "title": "Bearer Token",
  "updatedAt": "2026-05-13T19:15:11.571Z"
}