A bearer token is an authentication credential with a very simple property: whoever presents this token is treated as the authorized party. There’s no additional proof required — no signature, no device binding, no identity check.
Format
Typically an HTTP header:
Authorization: Bearer eyJhbGciOi...
The actual token can be opaque (random string) or structured (a JWT).
Why it’s popular
- Simple to implement — one header, one check
- Works over HTTPS without extra protocol overhead
- Framework-agnostic — every HTTP server handles headers
The tradeoff
The “anyone who presents it” property means a stolen token is immediately usable. That’s why bearer tokens should be:
- Short-lived (minutes to hours)
- Transmitted only over HTTPS
- Stored securely (not in localStorage)
- Revocable server-side if a compromise is detected
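As an added example (not from the original article), here is a minimal server-side store for opaque bearer tokens that applies these rules: tokens are random and short-lived, can be revoked, and are kept only as hashes at rest so that a leaked store does not yield usable credentials. The class name, the 15-minute TTL and the header-parsing details are illustrative assumptions.

```python
from __future__ import annotations
import hashlib
import secrets
import time

# Added example, not from the original article: an opaque bearer token
# store with a short lifetime, server-side revocation, and hash-only
# storage. Names and the 15-minute TTL are illustrative assumptions.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    # Tokens carry 256 bits of randomness, so plain SHA-256 is fine at rest.
    return hashlib.sha256(token.encode()).hexdigest()


class BearerTokenStore:
    def __init__(self, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._records: dict[str, dict] = {}  # digest -> {subject, expires_at, revoked}

    def issue(self, subject: str, now: float | None = None) -> str:
        """Mint an opaque token for `subject`; the client only ever echoes it back."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = {
            "subject": subject, "expires_at": now + self.ttl, "revoked": False}
        return token

    def revoke(self, token: str) -> bool:
        """Server-side kill switch for a token known to be compromised."""
        rec = self._records.get(_digest(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def authenticate(self, header: str | None, now: float | None = None) -> str | None:
        """Return the subject for a valid 'Authorization: Bearer <token>' value, else None."""
        now = time.time() if now is None else now
        if not header:
            return None
        scheme, _, token = header.partition(" ")  # RFC 6750: scheme is case-insensitive
        if scheme.lower() != "bearer" or not token or " " in token:
            return None
        rec = self._records.get(_digest(token))
        if rec is None or rec["revoked"] or now >= rec["expires_at"]:
            return None
        return rec["subject"]
```

Because only a digest is stored, a database dump does not let an attacker replay tokens; because expiry is enforced server-side, a stolen token's usefulness is bounded by the TTL even if revocation is never triggered.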
When bearer isn’t enough
For very high-value APIs, consider mTLS or sender-constrained tokens (DPoP, mTLS-bound JWTs). These bind the token to a key the client holds (the client certificate's key for mTLS, a proof-of-possession key pair for DPoP), so a stolen token is useless without the corresponding private key.
See the full auth glossary for related terms.