What is Bearer Token (An Ultimate Guide)

What is Bearer Token? A complete explanation of its details! There are many API authentication methods over HTTP. Bearer Token is one of the most commonly used. In this article, Bearer Token will be fully explained to you.

Build APIs Faster & Together in Apidog

What is Bearer Token (An Ultimate Guide)

Start for free

There are many API authentication methods over HTTP, such as Basic Authentication and Digest Authentication. Among them, Bearer Token is one of the most commonly used. In this article, we will fully explain Bearer Token to you.

What is a Bearer Token?

A Bearer token is a type of token used for authentication and authorization and is used in web applications and APIs to hold user credentials and indicate authorization for requests and access.

Bearer tokens are generated based on protocols and specifications such as OAuth and JWT (JSON Web Token). The authenticated user obtains the Bearer token issued by the server and sends it to the server in the header of the request. The server verifies the received bearer token and controls user access based on the token. The Bearer token is also usually sent over an encrypted connection via HTTPS. This prevents unauthorized access by malicious third parties even if the token is stolen.

Composition of the Bearer Token

Bearer tokens are generally composed of a random string of characters. Formally, it takes the form of the "Bearer" keyword and the token value separated by spaces. The following is the general form of a Bearer token:

Bearer {token_value}

Here is an example of an actual Bearer token:

Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva

BearerBearer Token validity period

Bearer tokens are typically used as temporary access tokens. The token has a validity period, and when it expires, the user must re-authenticate.

The validity period of the Bearer token depends on the implementation and the authentication protocol used. In general, the server can specify a validity period when issuing the token. The validity period is the amount of time from the issuance of the token until it becomes invalid. Common ways of expressing the validity period include the following:

Absolute time:   An absolute time (e.g., 30 minutes, 1 hour, etc.) from the time the token was issued.

Relative Time: A relative time (e.g., 24 hours, 1 week, etc.) relative to the time the token was issued. Once expired, the token will either be rejected by the server or will require re-authentication. The shorter the expiration time, the better the security, but the worse the user experience may be. Conversely, too long a validity period increases the risk of misuse if the token is compromised.

The specific validity period of a Bearer token depends on the server and application configuration and requirements. In general, it is important to set an appropriate validity period from a security perspective.

Sending requests containing Bearer Token informationBearer tokens are used in many Web services and APIs and play an important role in achieving secure authentication and access control. So, when accessing many Web APIs, Bearer Token is required. In such cases, how do you pass the Bearer Token to access the Web API?

Next, we will show you how to use Apidog, a sophisticated API management tool, to authenticate the Bearer Token, send the request, and get the response.

How to Authenticate the Bearer Token in Apidog

When unit testing an API in Apidog, the Bearer Token authentication method is very simple.

Apidog - An integrated platform for API design, debugging, development, mock, and testing
Download the Apidog API management tool here. Perfectly compatible with macOS, Windows, and Linux. Web version is also available.

Open an existing API in Apidog, switch to "Debug" mode, select "Request" > "Auth", specify the type as "Bearer Token", and enter the Token in the input box at the bottom to submit.


It's important to note that bearer tokens should be kept secure and not shared unnecessarily. They should also be periodically rotated or revoked as required for security purposes.