What is the Bearer Token in OAuth?

About

bearer token is a oauth access token implementation defined in the OAuth 2.0 Authorization Framework

• Bearer Tokens are the predominant type of access token used with OAuth 2.0.
• This is a stateless authentication mechanism as the user state is never saved in server memory.

Format

A Bearer Token is an opaque string, not intended to have any meaning to clients using it.

There is no defined structure for the token required by the specification ¹⁾. You can generate and implement them however you want.

The token may be:

• structured such as a Json Web Token (JWT), Self-Encoded tokens
• or unstructured such as a hexadecimal nonce that would be stored in a database along with the associated user and scope information.

The valid characters are:

• alphanumeric,
• and the following punctuation characters: -._~+/

Usage

Any party in possession of a bearer token (a bearer) can use it to get access to the associated resources (without demonstrating possession of a cryptographic key) because the token is:

• signed
• or is known by the authorization server

Authorization header

You will find it in the authoritzation header of a HTTP request

Authorization: Bearer <token>
Authorization: Bearer some+base64+string

Glossary

Bearer-Only

When an authentication is bearer-only, it means that the authentication requires a authorization header