Bearer Token

Authentication Security Notes Jan 6, 2025 JAVASCRIPT

Definition

The word “bearer” tells you everything you need to know about how this token works: whoever “bears” (carries) the token can use it. No additional proof required. No questions asked. If you have the token, you have access. It’s the digital equivalent of cash - possession is everything.

A bearer token is a type of access token that works purely on possession. When you include it in an API request (typically in the Authorization header as “Bearer eyJhbG…”), the server grants access based solely on the fact that you have this token. The server doesn’t care who you are or how you got the token - if the token is valid, you’re in.

This simplicity is both a strength and a security concern. Bearer tokens are incredibly easy to use - just include them in your request header and you’re authenticated. But because they work without additional verification, anyone who steals your token can use it until it expires. That’s why bearer tokens should always be short-lived, transmitted only over HTTPS, and stored as securely as possible. Treat them like cash: convenient but dangerous if lost.

Example

OAuth 2.0 Access Tokens: When you authorize an app to access your Google account, Google gives the app a bearer token. The app includes this token in requests like “Authorization: Bearer eyJhbG…” and Google grants access without checking anything else. Anyone with that token could access your data, which is why these tokens expire quickly.

Mobile App Authentication: When you log into a mobile app, it receives a bearer token for subsequent requests. Every time you refresh your feed or load new content, that token is sent to prove you’re logged in. The server just checks if the token is valid - it doesn’t re-verify your password each time.

API Integrations: When you connect Slack to other services using webhooks, bearer tokens often authenticate those connections. The receiving service accepts any request with the correct token, enabling automated integrations without complex authentication handshakes for every request.

Cloud Service APIs: AWS, Google Cloud, and Azure all use bearer tokens (often as JWTs) for API access. Your CLI tool stores a token locally and includes it with every command. If someone copies that token file, they have your cloud access until the token expires or you revoke it.

Single Page Applications: When you log into a web app built with React or Vue, it stores a bearer token (often in memory) and sends it with every API request to the backend. The backend verifies the token without requiring you to re-authenticate for each click.

Analogy

Cash Money: A bearer token is literally like cash. A $20 bill doesn’t know who owns it - whoever has it can spend it. If you lose your wallet, the finder can use your cash without proving they’re you. Bearer tokens work the same way: possession equals authorization. This is why you keep cash secure and why bearer tokens need secure storage.

The Theme Park Wristband: When you pay for all-day access at a water park, they put a wristband on you. Throughout the day, you flash the wristband to get on rides - nobody asks for your ticket or ID again. But if someone else gets your wristband (maybe it falls off), they can use it. The wristband is a bearer credential - it proves you paid, but only because you’re wearing it.

The Subway Token: Old subway systems used physical tokens. You dropped a token in the turnstile, it let you through. The turnstile didn’t check who bought the token - having the token meant you could ride. Stolen tokens worked just as well as purchased ones. Bearer tokens in APIs work identically.

The Anonymous Gift Card: A gift card works for whoever has it. It’s not tied to your name or ID. You can give it away, lose it, or have it stolen - whoever holds it can spend the balance. Bearer tokens are the API equivalent: whoever holds them can make authorized requests.

Code Example


// Using Bearer token
const token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...';

fetch('https://api.example.com/protected', {
  headers: {
    'Authorization': `Bearer ${token}`,
    'Content-Type': 'application/json'
  }
});

// Verify bearer token on server
function verifyBearerToken(req, res, next) {
  const authHeader = req.headers.authorization;
  if (!authHeader?.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Missing bearer token' });
  }
  const token = authHeader.substring(7);
  // Validate token...
}

Diagram

sequenceDiagram
    participant Client
    participant API
    participant Attacker

    Note over Client: Has valid bearer token

    Client->>API: Authorization: Bearer eyJhbG...
    API->>API: Token valid? YES
    API->>Client: 200 OK - Protected data

    Note over Client,Attacker: If token is stolen...

    Client-->>Attacker: Token intercepted or leaked

    Attacker->>API: Authorization: Bearer eyJhbG...
    API->>API: Token valid? YES
    API->>Attacker: 200 OK - Protected data

    Note over API,Attacker: Server cannot distinguish
legitimate user from attacker!

    rect rgb(255, 230, 230)
        Note over Client,Attacker: RISK: Whoever BEARS the token has access
    end

Security Notes

SECURITY NOTES

CRITICAL: Bearer tokens are powerful credentials; possession equals access. Protect them like passwords.

Transport & Storage:

  • HTTPS only: Never transmit bearer tokens over HTTP; use TLS 1.2+ exclusively
  • Memory storage (SPAs): Store tokens in memory, not localStorage (vulnerable to XSS)
  • httpOnly cookies: Use httpOnly, Secure, SameSite flags for web apps
  • Encrypted storage (mobile): Encrypt tokens in device storage; use platform-provided secure storage
  • Never in URL: Never include tokens in URLs (logged in server logs, browser history, referrer headers)

Token Lifecycle:

  • Short expiration: Configure short TTL (15-60 minutes) for access tokens
  • Refresh token rotation: Use long-lived refresh tokens to obtain new access tokens
  • Single-use on refresh: Invalidate old refresh token when issuing new one
  • Expiration enforcement: Always validate expiration; never accept expired tokens
  • Revocation mechanism: Implement way to revoke tokens immediately (logout, account compromise)

Detection & Prevention:

  • Monitor usage patterns: Alert on unusual activity (geographic spikes, rapid requests, new device)
  • Token binding: Bind tokens to IP, device fingerprint, or TLS connection to prevent theft
  • Rate limiting: Limit requests per token to detect compromised tokens
  • Anomaly detection: Flag requests from unusual locations or times of day
  • No logging: Never log bearer tokens; exclude from access logs and monitoring

Token Validation:

  • Validate on every request: Check token signature, expiration, and claims for every request
  • Signature verification: For JWTs, verify cryptographic signature before accepting claims
  • Audience/issuer validation: Ensure token was issued for your service
  • Early expiration check: Check expiration BEFORE processing request

Attack Prevention:

  • XSS protection: Prevent XSS attacks that could steal tokens from localStorage
  • CSRF protection: Use CSRF tokens (different from bearer tokens) for state-changing operations
  • No bearer tokens in GET: Avoid bearer tokens in GET requests; use POST when possible
  • Token secrets: Don’t use bearer tokens for sensitive operations without additional verification

Monitoring & Incident Response:

  • Compromise detection: Monitor for signs of token theft (impossible travel, multiple devices)
  • Immediate revocation: Revoke tokens immediately upon compromise suspicion
  • User notification: Alert users when tokens are compromised or revoked
  • Forensic logging: Log token creation, refresh, and revocation with context

Standards & RFCs

Standards & RFCs
1)RFC 6750- [](https://reference.apios.info/terms/rfc-6750/) - The OAuth 2.0 Authorization Framework: Bearer Token Usage
2)RFC 6749- [](https://reference.apios.info/terms/rfc-6749/) - OAuth 2.0 Authorization Framework