Bearer Token.
An access credential where any party that holds (bears) the token can use it to access the protected resource, no further proof of possession required.
Most OAuth deployments use bearer tokens. The hardening pattern is layered: short lifetimes plus rotation plus secure storage plus monitoring for unusual usage patterns. For the highest-security flows, move to sender-constrained tokens via DPoP or mTLS.
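The difference between a bearer token and an mTLS sender-constrained token, as a resource-server check. This is an added example, not code from the original page; it assumes the token's signature or introspection result was already validated upstream, follows the RFC 8705 `cnf` / `x5t#S256` certificate-thumbprint binding, and uses hypothetical function names and constructed sample data.

```python
import base64
import hashlib
import hmac
import time

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 value: unpadded base64url of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize(claims, client_cert_der=None, require_bound=False, now=None):
    """Decide whether already-validated token claims may be used on this connection.
    client_cert_der is the certificate the TLS layer authenticated, or None.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    cnf = claims.get("cnf") or {}
    bound_to = cnf.get("x5t#S256")
    if bound_to is None:
        # Plain bearer token: holding it is enough, so a stolen copy works as well.
        if require_bound:
            return False, "bound_token_required"
        return True, "bearer"
    if client_cert_der is None:
        return False, "no_client_cert"
    presented = cert_thumbprint(client_cert_der)
    if not hmac.compare_digest(str(bound_to).encode(), presented.encode()):
        return False, "cert_mismatch"
    return True, "bound"

# Constructed sample data: arbitrary bytes stand in for real DER certificates.
CLIENT_CERT = b"constructed-der-bytes-of-the-legitimate-client"
OTHER_CERT = b"constructed-der-bytes-of-a-different-client"
NOW = 1_700_000_000
BEARER = {"sub": "svc-a", "exp": NOW + 300}
BOUND = {"sub": "svc-a", "exp": NOW + 300,
         "cnf": {"x5t#S256": cert_thumbprint(CLIENT_CERT)}}

if __name__ == "__main__":
    cases = [("bearer, any connection", BEARER, OTHER_CERT),
             ("bound, issuing client", BOUND, CLIENT_CERT),
             ("bound, different client", BOUND, OTHER_CERT),
             ("bound, no client cert", BOUND, None)]
    for label, claims, cert in cases:
        print(f"{label:26} -> {authorize(claims, cert, now=NOW)}")
```

Setting `require_bound=True` on the highest-security endpoints makes the server refuse plain bearer tokens there while still accepting them elsewhere.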
In the guides
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.
Session Management: JWTs vs Opaque Tokens, and How to Pick
JWT-based and opaque-token sessions trade off scale against revocability; the 2026 default is hybrid. Patterns, revocation, and where each is the right answer.