Possession Is Access
A bearer token is a credential where simply holding it grants access, like cash. The client presents it in the Authorization header with the Bearer scheme, and the server trusts any request that carries a valid token.
Where the Token Goes
- The header reads Authorization followed by Bearer and the token string.
- Tokens are not put in the URL, which would leak into logs and history.
- The same token may be replayed on many requests until it expires.
What Bearer Demands
Because possession alone is enough, transport must be encrypted with HTTPS so the token cannot be intercepted in transit. Tokens should be short-lived and revocable so that a leaked token has a limited window of usefulness.
Tradeoffs
- Stateless validation is possible if the token is a signed structure the server can verify without a lookup.
- Revocation is harder for self-contained tokens, since no lookup happens at validation time; it is often handled with short lifetimes plus a refresh step, or with a small revocation list checked against the token's identifier.
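The two points above, as an added example that is not part of the original note: a server mints a self-contained HMAC-signed token, then validates a request by parsing the Authorization header for the Bearer scheme, verifying the signature without any database lookup, enforcing the short expiry, and consulting a revocation set keyed by the token's identifier. The signing key, claim names and sample values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example; a real server loads it from a secret store.
SERVER_KEY = b"example-signing-key-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, lifetime_s: int, token_id: str, now: float) -> str:
    """Mint a self-contained token: base64url(claims) '.' base64url(HMAC-SHA256)."""
    claims = {"sub": subject, "exp": int(now) + lifetime_s, "jti": token_id}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def validate_bearer(headers: dict, revoked: set, now: float) -> Optional[dict]:
    """Return the claims if the request carries a valid bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None  # wrong scheme or no credential at all
    body, _, sig_b64 = token.partition(".")
    if not sig_b64:
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    try:
        # Constant-time comparison: stateless check, no server-side lookup needed.
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON both subclass this
        return None
    if claims.get("exp", 0) <= now:
        return None  # short lifetime limits the replay window of a leaked token
    if claims.get("jti") in revoked:
        return None  # explicit revocation by token id, checked after signature
    return claims
```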
Key idea
A bearer token grants access by mere possession, sent in the Authorization header over HTTPS, which makes encryption, short lifetimes, and revocation strategy essential to its safe use.