Bearer Authentication (2024)

OAS 3 This guide is for OpenAPI 3.0.

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources; whoever holds the token can use it, which is why the transport must protect it:

Authorization: Bearer <token>

The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750, but is sometimes also used on its own. Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).
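As an added example (not part of the Swagger guide), the following Python shows the server side of the scheme: parsing the Authorization header against the RFC 6750 token syntax, and answering with the 401 challenge the RFC prescribes. The realm name "api", the token store and the token value are constructed for the example.

```python
import hashlib
import re
from typing import Optional, Tuple

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is case-insensitive, as for every HTTP auth scheme.
_BEARER_RE = re.compile(r"^Bearer[ ]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Constructed token store: only a SHA-256 digest of each opaque token is kept
# at rest, so a leaked store does not directly yield usable bearer tokens.
_TOKENS = {hashlib.sha256(b"s3cr3t-opaque-token").hexdigest(): "alice"}


def parse_bearer(authorization: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, error). error is None on success, "missing" when no Bearer
    credentials were presented, "invalid_token" when they were but are malformed."""
    if authorization is None:
        return None, "missing"
    value = authorization.strip()
    m = _BEARER_RE.match(value)
    if m:
        return m.group(1), None
    if value.lower().startswith("bearer"):
        return None, "invalid_token"   # Bearer scheme but empty or illegal token chars
    return None, "missing"             # another scheme (e.g. Basic): treat as absent


def unauthorized_response(error: str, realm: str = "api"):
    """Build the 401 per RFC 6750 section 3: a WWW-Authenticate challenge that
    carries an error attribute only when a Bearer token was presented and rejected."""
    challenge = f'Bearer realm="{realm}"'
    if error != "missing":
        challenge += f', error="{error}"'
    return 401, {"WWW-Authenticate": challenge}


def authenticate(headers: dict):
    """Resolve a request's headers to (200, subject) or (401, challenge headers)."""
    token, error = parse_bearer(headers.get("Authorization"))
    if error:
        return unauthorized_response(error)
    subject = _TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if subject is None:
        return unauthorized_response("invalid_token")  # well-formed but unknown
    return 200, subject
```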

Describing Bearer Authentication

In OpenAPI 3.0, Bearer authentication is a security scheme with type: http and scheme: bearer. You first need to define the security scheme under components/securitySchemes, then use the security keyword to apply this scheme to the desired scope – global (as in the example below) or specific operations:

openapi: 3.0.0
...
# 1) Define the security scheme type (HTTP bearer)
components:
  securitySchemes:
    bearerAuth:            # arbitrary name for the security scheme
      type: http
      scheme: bearer
      bearerFormat: JWT    # optional, arbitrary value for documentation purposes
# 2) Apply the security globally to all operations
security:
  - bearerAuth: []         # use the same name as above

Optional bearerFormat is an arbitrary string that specifies how the bearer token is formatted. Since bearer tokens are usually generated by the server, bearerFormat is used mainly for documentation purposes, as a hint to the clients. In the example above, it is "JWT", meaning JSON Web Token.

The square brackets [] in bearerAuth: [] contain a list of security scopes required for API calls. The list is empty because scopes are only used with OAuth 2 and OpenID Connect.

In the example above, Bearer authentication is applied globally to the whole API. If you need to apply it to just a few operations, add security on the operation level instead of doing this globally:

paths:
  /something:
    get:
      security:
        - bearerAuth: []

Bearer authentication can also be combined with other authentication methods as explained in Using Multiple Authentication Types.

401 Response

You can also define the 401 “Unauthorized” response returned for requests that do not contain a proper bearer token. Since the 401 response will be used by multiple operations, you can define it in the global components/responses section and reference elsewhere via $ref.

paths:
  /something:
    get:
      ...
      responses:
        '401':
          $ref: '#/components/responses/UnauthorizedError'
      ...
    post:
      ...
      responses:
        '401':
          $ref: '#/components/responses/UnauthorizedError'
      ...
components:
  responses:
    UnauthorizedError:
      description: Access token is missing or invalid

To learn more about responses, see Describing Responses.
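The scheme definition, the global-versus-operation security rule and the shared 401 response described above can be checked mechanically. The following Python lint is an added example, not part of the Swagger guide or its tooling; it works on a constructed spec embedded in JSON form (OpenAPI accepts JSON as well as YAML) and reports operations that reference an undefined scheme or are bearer-protected without documenting a 401.

```python
import json

# Constructed OpenAPI 3.0 document (JSON form) mirroring the guide: bearerAuth applied
# globally, GET /something documents its 401, POST /something does not, and
# GET /health opts out of security with an explicit empty list.
SPEC = json.loads("""{
  "openapi": "3.0.0",
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}},
    "responses": {"UnauthorizedError": {"description": "Access token is missing or invalid"}}
  },
  "security": [{"bearerAuth": []}],
  "paths": {
    "/something": {
      "get": {"responses": {"401": {"$ref": "#/components/responses/UnauthorizedError"}}},
      "post": {"responses": {"200": {"description": "ok"}}}
    },
    "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}}
  }
}""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

def effective_security(spec: dict, operation: dict) -> list:
    """Operation-level `security` replaces the global list; an explicit [] disables it."""
    return operation.get("security", spec.get("security", []))

def is_bearer(scheme: dict) -> bool:
    return scheme.get("type") == "http" and scheme.get("scheme") == "bearer"

def lint_bearer(spec: dict) -> list:
    """Report operations that reference an undefined scheme, and bearer-protected
    operations that do not document the 401 response the guide recommends."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            label = f"{method.upper()} {path}"
            for requirement in effective_security(spec, op):
                for name in requirement:
                    if name not in schemes:
                        findings.append(f"{label}: undefined security scheme {name}")
                    elif is_bearer(schemes[name]) and "401" not in op.get("responses", {}):
                        findings.append(f"{label}: bearer-protected but no 401 response")
    return findings
```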


FAQs

What is bearer authentication?

As defined in the RFC 6750 documentation, Bearer authentication is a common HTTP authentication method. A Bearer token is usually attributed to a user after a successful login request to a server. The user then sends this token in the request headers to authenticate themselves and to access some resources.

What is basic authentication vs bearer authentication?

Enhanced Security: Bearer Token is more secure than Basic Authentication, especially when used over secure channels (like HTTPS). They can also be designed to include features like token expiration and revocation.

What is the difference between JWT and bearer authentication?

JWT: Offers strong security with its signature, but once issued, it cannot be revoked easily. Bearer Token: Simpler but requires additional mechanisms for revocation and management.

What is the difference between OAuth and bearer token?

Bearer Tokens are the predominant type of access token used with OAuth 2.0. A Bearer Token is an opaque string, not intended to have any meaning to clients using it. Some servers will issue tokens that are a short string of hexadecimal characters, while others may use structured tokens such as JSON Web Tokens.

What is an example of a bearer security?

(b) Bearer securities or securities are those which are payable on their face to bearer, the ownership of which is not recorded. They include Treasury bonds, Treasury notes, Treasury certificates of indebtedness, and Treasury bills. § 328.3 Authorization for restrictive endorsements.

Is Bearer authentication safe?

Security Dependency: Bearer tokens rely heavily on the security of the communication channel (usually HTTPS). If intercepted, they can be misused. Token Stolen Risks: If a bearer token is leaked or stolen, there is a potential risk as anyone possessing the token can access the associated resources.

What is the strongest form of authentication?

Categories (Sep 4, 2024)
  • The Three Types of Authentication Factors.
  • Least Secure: Passwords.
  • More Secure: One-time Passwords.
  • More Secure: Biometrics.
  • Most Secure: Hardware Keys.
  • Most Secure: Device Authentication and Trust Factors.

What is the difference between API key and bearer authentication?

API keys offer simplicity and ease of use, making them ideal for straightforward applications and server-to-server communication. On the other hand, Bearer tokens provide enhanced security, user context, and flexibility, making them perfect for user-centric applications and high-security environments.

What is the HTTP bearer authentication strategy?

The HTTP Bearer authentication strategy authenticates users using a bearer token. The strategy requires a verify callback, which accepts that credential and calls done providing a user.

Is JWT the best authentication?

JWT (JSON Web Token) is a very popular way to authenticate users. It's a way to securely exchange data between client and server through a token. Here is how it works: User sends their credentials (i.e. username and password) to the server.

What are the three types of JWT?

Types of JWT
  • JSON Web Signature (JWS) – The content of this type of JWT is digitally signed to ensure that the contents of the JWT are not tampered with in transit between the sender and the receiver. ...
  • JSON Web Encryption (JWE) – The content of this type of JWT is digitally encrypted.

What is the difference between basic and bearer authentication?

Bearer authentication has several advantages over basic authentication. The token is encrypted, so it cannot be tampered with or stolen. The client does not have to store or send the credentials, which reduces the risk of exposure and improves the performance of the API.

What is bearer authentication also known as?

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.”

Which is more secure, JWT or OAuth?

Difference 3 - Security and Management

OAuth: Offers fine-grained access control through scopes. Tokens can be easily revoked, enhancing security. JWT: Relies on cryptographic signatures for security. Once issued, JWTs are valid until they expire, which can be a security concern if not managed properly.

Why authorization bearer?

Attaching the word “Bearer” before the token in the “Authorization” header serves two important purposes: Identification: The “Bearer” keyword helps the server easily identify the type of token being used and handle it appropriately during the authentication and authorization processes.

What is bearer on my phone?

In telecommunications, Bearer Service or data service is a service that allows transmission of information signals between network interfaces. These services give the subscriber the capacity required to transmit appropriate signals between certain access points, i.e. user network interfaces.

How do I get a bearer authentication token?

A Bearer Token is a byte array of unspecified format that you generate using a script like a curl command. You can also obtain a Bearer Token from the developer portal inside the keys and tokens section of your App's settings. More information about this feature can be found on OAuth's official documentation.

Article information

Author: Mr. See Jast
