Definition
A bearer token is a security credential that grants access to a system to whoever presents it — the “bearer” of the token. After a user logs in with their username and password, the system issues a token: a long, randomly generated string that acts as proof of identity for subsequent requests. Instead of sending a password with every request, the application sends the bearer token in a header, and the server verifies it. Bearer tokens are the standard authentication mechanism for APIs and are used whenever a mobile app, desktop application, or browser extension communicates with a server.
Why It Matters
Bearer tokens solve a practical problem: you do not want to transmit a user’s password with every single request, because that multiplies the opportunities for it to be intercepted. Instead, the password is used once to obtain a token, and the token is used from that point on. Tokens can be set to expire after a period of time, can be revoked if a device is lost or compromised, and can carry information about what the user is allowed to do. The flip side is that possession alone is proof: anyone who obtains the token can use it until it expires or is revoked, so tokens must only travel over encrypted connections (HTTPS) and be stored carefully on the device. Understanding bearer tokens matters when discussing API security, mobile app authentication, or integration architecture, because they are the mechanism that makes secure, stateless communication between systems possible.
Example
An employee opens your company’s mobile app and enters their email and password. The server verifies the credentials and returns a bearer token. From that point on, every request the app makes — loading the dashboard, submitting a time entry, viewing a report — includes the token instead of the password. When the employee gets a new phone, you revoke the old token from the admin panel. The old phone can no longer access the system, even if someone finds it, because the token it holds is no longer valid.
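The flow in this example (log in once, send the token on every request, revoke it when the phone is replaced) as an added Python example; it is not code from the original page. The in-memory user and token stores, the sample account and the one-hour lifetime are constructed assumptions.

```python
import hashlib
import secrets
import time

# Server-side token store keyed by sha256(token): only the hash is kept, so a
# leaked store does not hand out usable credentials. (Constructed; a real
# service would back this with a database.)
_TOKENS = {}
TOKEN_TTL_SECONDS = 3600  # assumed one-hour lifetime

# Constructed credential store for the demo. Real systems keep salted
# password hashes, never plaintext.
_USERS = {"alice@example.com": "correct horse"}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def login(email, password, device, now=None):
    """Exchange credentials once for a bearer token; returns None on failure."""
    now = time.time() if now is None else now
    stored = _USERS.get(email)
    if stored is None or not secrets.compare_digest(stored, password):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _TOKENS[_digest(token)] = {
        "user": email, "device": device,
        "expires": now + TOKEN_TTL_SECONDS, "revoked": False,
    }
    return token

def authenticate(headers, now=None):
    """Check 'Authorization: Bearer <token>' and return the user, or None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    record = _TOKENS.get(_digest(token))  # lookup by hash, raw token never stored
    if record is None or record["revoked"] or now >= record["expires"]:
        return None
    return record["user"]

def revoke_device(email, device):
    """Admin action: invalidate every live token issued to a user's device."""
    count = 0
    for record in _TOKENS.values():
        if record["user"] == email and record["device"] == device and not record["revoked"]:
            record["revoked"] = True
            count += 1
    return count
```

After `revoke_device`, the old phone's token fails `authenticate` even though the string itself has not changed, which is exactly what makes server-side revocation work.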