
RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage

Published: October 2012
Status: Standards Track
Authors: M. Jones (Microsoft), D. Hardt (Independent)


Abstract

This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.




Quick Reference

What is a Bearer Token?

A bearer token is a security token with the property that any party in possession of the token (a "bearer") can use it to get access to the associated resources. Unlike other types of tokens, using a bearer token does not require the bearer to prove possession of cryptographic key material.

Three Methods of Using Bearer Tokens

  1. Authorization Request Header (Recommended) - Authorization: Bearer <token>
  2. Form-Encoded Body Parameter - access_token parameter in POST request body
  3. URI Query Parameter (Not Recommended) - ?access_token=<token> in URL
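The three transmission methods above are what a resource server has to recognise when it extracts the token from an incoming request. The following is an added example (not code from the RFC or from any OAuth library) of that extraction logic, written for a resource server: it accepts the Authorization header, a form-encoded body on methods that carry a body, and the query parameter, enforces the token syntax RFC 6750 defines, and refuses requests that deliver the token through more than one method or repeat it within one. The request representation (method, target, header dict, raw body bytes) is assumed for illustration.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# Token syntax from RFC 6750 section 2.1:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"


class BearerTokenError(Exception):
    """The request used the bearer token methods incorrectly; respond 400."""


class BearerToken(NamedTuple):
    token: str
    source: str  # "header", "body" or "query"


def _from_header(headers: dict) -> Optional[str]:
    value = headers.get("authorization")
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    # Scheme names are case-insensitive under the HTTP authentication framework.
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None  # another scheme (e.g. Basic); not a bearer token
    token = parts[1].strip()
    if not B64TOKEN.fullmatch(token):
        raise BearerTokenError("malformed b64token in Authorization header")
    return token


def _single_value(params: dict, where: str) -> Optional[str]:
    values = params.get("access_token")
    if values is None:
        return None
    if len(values) != 1:
        raise BearerTokenError(f"access_token repeated in {where}")
    # Note: parse_qs decodes "+" as a space, so a token containing "+" must
    # have been sent as %2B; anything else fails the syntax check here.
    if not B64TOKEN.fullmatch(values[0]):
        raise BearerTokenError(f"malformed access_token in {where}")
    return values[0]


def _from_body(method: str, headers: dict, body: bytes) -> Optional[str]:
    content_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    # Only a form-encoded body on a method with body semantics counts; a body
    # attached to a GET request is ignored rather than trusted.
    if content_type != FORM_CONTENT_TYPE or method.upper() == "GET":
        return None
    params = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return _single_value(params, "form body")


def _from_query(target: str) -> Optional[str]:
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return _single_value(params, "query string")


def extract_bearer_token(method: str, target: str, headers: dict,
                         body: bytes = b"") -> Optional[BearerToken]:
    """Return the single bearer token on the request, None if there is none,
    or raise BearerTokenError when the request is malformed."""
    headers = {k.lower(): v for k, v in headers.items()}
    found = [BearerToken(tok, src) for src, tok in (
        ("header", _from_header(headers)),
        ("body", _from_body(method, headers, body)),
        ("query", _from_query(target)),
    ) if tok is not None]
    if not found:
        return None
    if len(found) > 1:
        # Clients MUST NOT use more than one method to transmit the token.
        raise BearerTokenError("bearer token sent via more than one method")
    return found[0]
```

The returned `source` field lets the caller treat a token arriving via the query string differently (log a warning, or reject it outright under a stricter policy), since that method is the one the RFC discourages.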

Why Is Protection Required?

Since anyone with a bearer token can use it, you MUST:

  • ✅ Use HTTPS for transmission
  • ✅ Set reasonable expiration times
  • ✅ Avoid passing tokens in URLs (they get logged)
  • ✅ Store tokens securely
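The third point, that tokens placed in URLs end up in logs, is one a resource server can partly mitigate on its own side. As an added example (not from the RFC or any library), the code below scrubs `access_token` values out of access-log lines before they are stored and counts how many requests carried the token that way, which doubles as a detection signal for clients still using the discouraged query-parameter method. The log lines are constructed for illustration in the common access-log format.

```python
import re
from typing import List, Tuple

# Matches "access_token=<value>" in a request target or log line; the match is
# case-insensitive so unusual capitalisation is also scrubbed, and the value
# ends at the next "&", whitespace or quote.
ACCESS_TOKEN_PARAM = re.compile(r"(?i)(access_token=)[^&\s\"']*")

# Constructed sample lines; the first and third carry a token in the URL.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Oct/2012:10:00:00 +0000] "GET /resource?access_token=mF_9.B5f-4.1JqM&page=2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Oct/2012:10:00:01 +0000] "GET /resource?page=3 HTTP/1.1" 200 480',
    '10.0.0.7 - - [01/Oct/2012:10:00:02 +0000] "GET /resource?ACCESS_TOKEN=abc HTTP/1.1" 401 0',
]


def redact_access_token(line: str, placeholder: str = "REDACTED") -> Tuple[str, int]:
    """Return the line with every access_token value replaced, plus the number
    of values that were replaced."""
    return ACCESS_TOKEN_PARAM.subn(r"\g<1>" + placeholder, line)


def scrub_access_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a batch of log lines; the second result counts lines that leaked
    a token via the URL, i.e. clients using the not-recommended method."""
    scrubbed, leaking_lines = [], 0
    for line in lines:
        clean, hits = redact_access_token(line)
        scrubbed.append(clean)
        if hits:
            leaking_lines += 1
    return scrubbed, leaking_lines


if __name__ == "__main__":
    cleaned, leaks = scrub_access_log(SAMPLE_ACCESS_LOG)
    print("\n".join(cleaned))
    print(f"{leaks} request(s) sent the token in the URL")
```

Scrubbing the stored log does not undo exposure in browser history, proxies or referrer headers along the way, which is why the RFC's advice is to avoid the query-parameter method rather than rely on cleanup; the leak count is the signal to act on.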

Important: This RFC is a companion document to RFC 6749 (OAuth 2.0), defining how to use access tokens issued by OAuth 2.0.