A bearer token is a type of token that can be used by a client application to gain access to an API or remote service using only the token itself.
An example will help illustrate. Let us suppose an application has been issued
SlAV32hkKG as a token. The application wishes to use this token to
obtain information about a user. The application can do so by making the
following HTTP request:
GET /userinfo HTTP/1.1 Host: api.example.com Authorization: Bearer SlAV32hkKG
As illustrated in the request, the token string
SlAV32hkKG is being used
direcly in the HTTP
Authorization header. No additional credentials are
present in the request.
Bearer tokens derive their name from bearer instruments. The holder of a bearer instrument, such as a bond, is presumed to be the owner of that bond and whoever is physically in possession of the bond is entitled to dividend payments. No additional proof of ownership is required.
Similarly, any application in possession of a bearer token is entitled access to any APIs which accept the token, with whatever permissions the token conveys.
Bearer tokens are typically issued to clients as the result of an OAuth 2.0
authorization flow, where they are known as access tokens. The token is then
used by the client to access an HTTP resource using the
Bearer scheme defined
by RFC 6750, as illustrated
above. RFC 6750 was specified in the IETF by the
OAuth Working Group, reinforcing
the pairing of OAuth 2.0 and bearer tokens.
That being said, bearer tokens can be obtained by client applications without OAuth 2.0. For instance, it is common, especially in developer-centric applications, for a user to generate an "API key" and then copy that API key into a script or application that is being developed. Such an API key is a bearer token, but manually generated and pasted into an application by the user, rather than requested by and issued to the application via OAuth 2.0.