Bearer Authentication Explained

October 20, 2022

Introduction

Data security is the most important component of every information technology system. Knowing who is accessing data and determining their level of access and what actions they can perform is a top-level priority for every business handling sensitive information.

Answering the question “who is accessing data?” is done via a process called authentication – the act of checking and proving the identity of an end-user or application. Authentication is performed in several ways, called schemes. One of those schemes is bearer authentication (also referred to as bearer authorization).

Find out what bearer authentication is, what bearer tokens are, and how the authentication process works.

API authenticating a client application via bearer tokens.

What is Bearer Authentication?

Bearer authentication is an HTTP authentication scheme that uses bearer tokens. It was introduced in RFC 6750, and is commonly used within the OAuth 2.0 framework but can also be used separately.

Bearer authentication arose from the need to replace the digital signature workflow present in OAuth 1.0. Abandoning the cryptographic foundation of OAuth 1.0 made OAuth 2.0 easier to set up and use, and simplified key management.

What is a Bearer Token?

A bearer token is an encrypted string generated by an authentication server. It is a type of access token that authorization servers use to establish the identity of their bearers (owners). These tokens grant client applications access to APIs and protected resources.

Bearer tokens are predominantly used within an OAuth 2.0 workflow and require the use of HTTPS/TLS to remain secure.

By data type, bearer tokens can be:

  • Strings of various lengths containing hexadecimal characters. 
  • Structured tokens, such as JSON Web Tokens (JWT).

How Does Bearer Authentication Work?

The bearer authentication flow consists of the following steps: 

  1. A client application owner registers the app with a resource owner/API provider. 
  2. The resource owner provides the client application owner with a client ID and client secret. 
  3. The client application makes an API call to request a bearer token. 
  4. The API asks the client application to provide the credentials (ID and secret) that will be associated with the bearer token. 
  5. The client application enters the credentials. 
  6. The API checks the credentials and if they are valid, returns a bearer token. 
  7. The client application uses its bearer token and client ID to generate short-lived access tokens, which will be used to make API calls.  

The example below shows how CCBill merchants generate an access token for CCBill’s payment API:

curl -X POST 'https://api.ccbill.com/ccbill-auth/oauth/token' \
  -i -u 'MERCHANT_APPLICATION_ID:APPLICATION_SECRET' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials'

The bearer token is proof that a client application is registered and allowed to access protected resources. Because of that, every API call to a protected resource must carry a valid bearer token value in the Authorization header, expressed like this:

Authorization: Bearer <bearertokenvalue> 

The reason for this specific format is that many servers support several authentication schemes, for example: 

  • Basic
  • Digest
  • Negotiate
  • AWS4-HMAC-SHA256

In such cases, simply entering the token value without specifying the authentication scheme is not sufficient and results in a failed authentication request. 
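As an added example (not the article's or CCBill's code), here is a minimal resource-server check in Python for the header format above: it rejects a token sent without the Bearer scheme, distinguishes a missing header from a malformed one, checks expiry, and returns the WWW-Authenticate challenge defined in RFC 6750. The token store and its values are constructed for the example.

```python
import hmac
import re

# RFC 6750 "b64token" syntax for the credential part of the header.
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Constructed sample token store: opaque token -> (client_id, expiry as epoch seconds).
# A real resource server would validate against the authorization server instead.
TOKEN_STORE = {
    "mF_9.B5f-4.1JqM": ("MERCHANT_APPLICATION_ID", 2_000_000_000),  # valid until 2033
    "expired.token.value": ("MERCHANT_APPLICATION_ID", 1_000_000_000),  # expired in 2001
}

def challenge(error=None):
    """Build the WWW-Authenticate value returned with a 401 (RFC 6750 section 3)."""
    value = 'Bearer realm="api"'
    if error:
        value += f', error="{error}"'
    return value

def check_bearer(authorization_header, now=1_700_000_000):
    """Validate an Authorization header value.

    Returns (200, client_id) on success, or (401, www_authenticate_value) on failure.
    """
    if authorization_header is None:
        # No credentials at all: challenge without an error code, per RFC 6750.
        return 401, challenge()
    parts = authorization_header.split(None, 1)
    # The scheme must be present and must be "Bearer" (scheme names are case-insensitive).
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return 401, challenge("invalid_request")
    token = parts[1].strip()
    if not B64TOKEN.match(token):
        return 401, challenge("invalid_request")
    # Compare against each stored token in constant time so timing does not leak prefixes.
    for stored, (client_id, expires_at) in TOKEN_STORE.items():
        if hmac.compare_digest(stored, token):
            if expires_at <= now:
                return 401, challenge("invalid_token")
            return 200, client_id
    return 401, challenge("invalid_token")
```

Sending the bare token value (no scheme) fails with error="invalid_request", which is the failure the paragraph above describes.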

Is a Bearer Token Secure?

Regardless of the data type used, bearer tokens are designed not to reveal any sensitive information. However, the bearer authentication scheme rests on the assumption that the token user is also the rightful token owner. 

Implementing a bearer authentication flow without additional security mechanisms is not considered safe. If tokens were to leak, nothing could stop unauthorized applications from using them. 

It is up to resource owners and client application owners to analyze their security needs and use those insights to identify: 

  • The authentication method that suits their workflow and business model. 
  • The right security measures to implement. 

Besides bearer authentication, other commonly used authentication methods include: 

Some of the basic security measures that protect bearer tokens and prevent their misuse are: 

  • HTTPS/TLS (mandatory). 
  • Two-Factor Authentication in applications. 
  • Educating client application owners on best token protection practices. 

Note: For more on cybersecurity for businesses, read What is Cybersecurity? Challenges and Threats Organizations Face


Conclusion 

Bearer authentication is not secure enough as the sole API security mechanism for banking systems and other applications handling sensitive information. However, this easy-to-implement flow works for social networking applications, games, and other low-risk applications.  

Check your business’s security and compliance needs to determine which type of authentication method to use. 

About the author
Mirjana Fodora
Mirjana Fodora is a Technical Writer with a background in Web Design and Development. Despite being one of the youngest members of CCBill, her writing skills and technical aptitude help her produce factual, informative, and user-friendly content. If not writing or learning a new skill, you'll find her binging fintech and marketing videos or gaming.