A bearer token is an access token for which possession alone is sufficient to reach protected resources: whoever "bears" (holds) the token is granted access, with no further proof that the presenter is the party the token was issued to. Bearer tokens are the default token type in OAuth 2.0 (their use over HTTP is specified in RFC 6750) and are widely used for API authentication, typically sent in the HTTP Authorization header.
How It Works
When a client authenticates successfully, the server (in OAuth terms, the authorization server) issues a bearer token and returns it to the client. On subsequent requests the client presents it in the Authorization header as Authorization: Bearer <token>. Before processing the request, the resource server validates the token: for a self-contained token it checks the signature, the expiration time and the claims that carry the permissions; for an opaque token it looks the token up (or asks the issuer via introspection) to recover the same information.
Bearer tokens are often implemented as JSON Web Tokens (JWTs), which carry encoded claims about the subject's identity and permissions. The issuer signs the JWT, either with an HMAC key shared with the resource server or with a private key whose public counterpart the resource server holds, so the token's authenticity can be verified without a database lookup on every request. The trade-off is that a purely stateless verifier cannot tell that a token has been revoked unless it keeps some extra state, so the expiration timestamp carries real weight: it bounds the window in which a stolen token can be used.
The fundamental security concern with bearer tokens is that anyone who obtains the token can use it. Unlike sender-constrained tokens, which bind the token to a client TLS certificate (mutual TLS) or to a key the client must prove possession of on every request (DPoP), a bearer token gives the server no way to check that the presenter is the legitimate recipient. This makes secure transmission (always over HTTPS, and never in URL query parameters, which end up in logs and Referer headers) and secure storage (not in localStorage or anywhere else client-side script can read, so that an XSS bug does not hand the token to an attacker) critically important.
Why It Matters
Bearer token weaknesses are frequent findings in security assessments. Common issues include tokens with excessive lifetimes, no mechanism to revoke a token once issued, tokens stored where client-side scripts can read them, tokens leaked through Referer headers or server logs, and insufficient server-side validation, such as not verifying the signature at all, honouring whatever alg the token header declares (including none), or skipping the expiration and audience checks. Each of these weaknesses can enable session hijacking or unauthorized access to protected resources.
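The following is an added example, written for this page rather than taken from the original article, that ties together the issue-and-verify cycle described under How It Works and the server-side validation failures listed above. It implements a minimal HS256 bearer-token issuer and verifier with only the Python standard library: the verifier parses the Authorization header, pins the algorithm instead of trusting the token's alg field, checks the HMAC in constant time, and enforces exp and aud. The secret key, the audience name and all claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example; a real service loads the key from a secret store.
SECRET = b"example-hs256-secret-do-not-use"
EXPECTED_AUD = "api.example.com"  # assumed audience name for the resource server


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(sub: str, scopes: list, lifetime_s: int = 900, now: int = None) -> str:
    """Issue a compact HS256 JWT with a short lifetime (15 minutes by default)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "scope": " ".join(scopes), "aud": EXPECTED_AUD,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_bearer(authorization_header: str, now: int = None) -> dict:
    """Validate an Authorization header value; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("not a bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose it (rejects "none" and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # RFC 7519: the current time must be strictly before exp.
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    return claims


def forge_alg_none(new_claims: dict) -> str:
    """Constructed attack token: header says alg=none and carries no signature."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "."


def demo(now: int = 1_700_000_000) -> dict:
    """Run the verifier against one good token and several bad presentations."""
    good = mint_token("alice", ["read"], now=now)
    header_b64, _, sig_b64 = good.split(".")
    # Claims rewritten to escalate scope while reusing the original signature.
    tampered_claims = _b64url_encode(b'{"sub":"alice","scope":"admin","aud":"api.example.com"}')
    cases = [
        ("expired", "Bearer " + good, now + 901),
        ("alg_none", "Bearer " + forge_alg_none({"sub": "admin", "aud": EXPECTED_AUD, "exp": now + 900}), now),
        ("tampered", "Bearer " + header_b64 + "." + tampered_claims + "." + sig_b64, now),
        ("wrong_scheme", "Basic " + good, now),
    ]
    results = {"valid": verify_bearer("Bearer " + good, now=now)["sub"]}
    for name, hdr, t in cases:
        try:
            verify_bearer(hdr, now=t)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

Because verification here is purely a signature check, nothing in it notices a token that was stolen and later revoked; that is the "missing revocation" finding above. The usual mitigations are short lifetimes with refresh tokens, or a denylist keyed on a jti claim that the verifier consults, which reintroduces a lookup per request.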