Why Add Bearer in the Authorization Header?
When designing API authorization—or consuming a third-party API—you often see headers like:
```http
Authorization: Bearer Tokenxxxxxx
```
Have you ever wondered why we don't simply write it as:
```http
Authorization: Tokenxxxxxx
```
The reason goes back to the HTTP/1.0 specification from the W3C. It defines the Authorization header as:
```http
Authorization: <type> <authorization-parameters>
```
So Bearer is the authorization type. Other common types include:
| Authorization Type | Description |
|---|---|
| Basic | Used for HTTP Basic authentication |
| Bearer | Commonly seen with OAuth and JWT |
| Digest | HTTP Digest authentication with MD5 hashing (deprecated) |
| HOBA | HTTP Origin-Bound Authentication (deprecated) |
| Mutual | HTTP message signature authentication (deprecated) |
| Negotiate | SPNEGO authentication (deprecated) |
| SCRAM-SHA-1 | SCRAM-SHA-1 authentication (deprecated) |
| SCRAM-SHA-256 | SCRAM-SHA-256 authentication (deprecated) |
| vapid | VAPID authentication |
| AWS4-HMAC-SHA256 | AWS authentication |
| AWS4-HMAC-SHA256-PAYLOAD | AWS authentication |
| MAC | MAC authentication |
| Netrc | Netrc authentication |
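
The following is an added example, not code from the original article: a server-side parser for the `<type> <authorization-parameters>` form, which rejects a bare token with no type and accepts a Bearer token only when it matches the b64token syntax of RFC 6750. The function names and the sample header values are assumptions constructed for illustration.

```python
import re

# The authorization type is an HTTP "token"; it is compared case-insensitively.
_SCHEME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Bearer credentials use the b64token syntax from RFC 6750.
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


class AuthHeaderError(ValueError):
    """The value does not match <type> <authorization-parameters>."""


def parse_authorization(value):
    """Split an Authorization header value into (type, parameters)."""
    scheme, sep, params = value.strip().partition(" ")
    params = params.strip()
    if not sep or not params:
        # Covers "Authorization: Tokenxxxxxx": a bare token with no type.
        raise AuthHeaderError("missing authorization type or parameters")
    if not _SCHEME.fullmatch(scheme):
        raise AuthHeaderError("invalid authorization type")
    return scheme.lower(), params


def extract_bearer_token(value):
    """Return the token only for type Bearer with a well-formed token."""
    scheme, params = parse_authorization(value)
    if scheme != "bearer":
        # Never treat Basic/Digest/... parameters as a bearer token.
        raise AuthHeaderError("unsupported authorization type: " + scheme)
    if not _B64TOKEN.fullmatch(params):
        raise AuthHeaderError("malformed bearer token")
    return params


if __name__ == "__main__":
    # Constructed sample header values.
    samples = ["Bearer Tokenxxxxxx", "bearer abc.def-123", "Tokenxxxxxx",
               "Basic dXNlcjpwYXNz", "Bearer two parts"]
    for header in samples:
        try:
            print(repr(header), "->", extract_bearer_token(header))
        except AuthHeaderError as exc:
            print(repr(header), "-> rejected:", exc)
```
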
TIP
Article republished from: Summer — Why Does the Authorization Header Need Bearer?
