Authentication & Identity

Bearer Token

A bearer token is an access token passed in the HTTP Authorization header as "Authorization: Bearer <token>". The name "bearer" means that whoever presents the token is granted access, with no further proof of identity required, so bearer tokens must be kept confidential and transmitted only over HTTPS. JWTs are commonly used as bearer tokens in OAuth 2.0 flows. Bearer tokens should have short expiry times and should never be stored in localStorage, where XSS attacks can steal them.
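As an added example (not code from the original page), the following Python shows how a server should handle the header described above: parse the Bearer scheme, verify the JWT signature before trusting any claim, and reject tokens whose short expiry has passed. It assumes an HS256-signed JWT and a constructed demo secret; make_token exists only to build sample tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"constructed-demo-secret"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; used here only to construct sample bearer tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_bearer(authorization, secret: bytes = SECRET, now=None):
    """Validate an 'Authorization: Bearer <token>' header value.
    Returns (True, claims) or (False, reason); the signature is checked before
    any claim is trusted, and a token without 'exp' is rejected."""
    if authorization is None:
        return False, "missing Authorization header"
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "not a Bearer credential"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "unsupported alg"  # rejects alg=none and downgrades
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return False, "malformed token"
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    return True, claims
```

The `now` parameter lets the expiry check be exercised deterministically; production callers leave it unset.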

Why it matters for your website

  • Directly impacts resistance to account takeover and credential theft
  • Required for SOC 2, HIPAA, and PCI-DSS compliance
  • Misconfiguration can expose all user accounts to attack
