Premium lesson

The Bearer Token Authentication Scheme

Express.js · 4 min read · Jan 1, 2025

Bearer authentication, also called token authentication, is an HTTP authentication scheme that uses security tokens called bearer tokens.

This type of token comes in the form of a cryptic string that represents the authorization granted by the server to whoever bears it — typically in response to a login request — to access protected resources.

Sending authenticated requests

To send an authenticated request using the Bearer Authentication scheme, the client must include the access token in the Authorization header of the HTTP request:

Authorization: Bearer <token>

Here <token> is the token returned by the server in response to a login request.

For example, the following command will send an HTTP GET request containing the access token bf568fd7da8fcc0119c9ae9e28d7633b in the Authorization header to the URL example.com:

$ curl -H "Authorization: Bearer bf568fd7da8fcc0119c9ae9e28d7633b" example.com

Security considerations

One of the key features of bearer tokens is that they do not carry any inherent proof of ownership.

In other words, whoever possesses the token is considered authorized to access protected resources, without any additional verification.

This means that if a bearer token is intercepted or stolen, it can be used by anyone who possesses it until it expires or is revoked.

It is therefore crucial to protect bearer tokens, for example by using HTTPS to encrypt communications and by enforcing expiration times so that a leaked token cannot be misused indefinitely.

Parsing bearer tokens in Express.js

In Express.js, the HTTP headers of incoming requests are stored in the headers property of the request object (i.e., req) in the form of key-value pairs, where each header name is converted to lowercase for consistency.

{  host: '127.0.0.1:3001',