The token may be:
- or another access token.
Any party in possession of a bearer token (a bearer) can use it to get access to the associated resources (without demonstrating possession of a cryptographic key) because the token is:
- or is known by the authorization server
Authorization: Bearer <token>
Authorization: Bearer some+base64+string
When an authentication is bearer-only, it means that the authentication requires an authorization header.
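A bearer-only check on the header format shown above, as an added example that is not part of the original page. The names `extract_bearer_token` and `BearerError` are hypothetical; the token grammar and status codes follow RFC 6750 sections 2.1 and 3.1, and the sample headers are constructed.

```python
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


class BearerError(Exception):
    """Carries the HTTP status and WWW-Authenticate challenge to return."""

    def __init__(self, status, challenge):
        super().__init__(challenge)
        self.status = status
        self.challenge = challenge


def extract_bearer_token(headers):
    """Return the token from a bearer-only request or raise BearerError.

    `headers` is a list of (name, value) pairs so that duplicate
    Authorization headers stay visible instead of being merged.
    """
    values = [v for k, v in headers if k.lower() == "authorization"]
    if not values:
        # No credentials at all: challenge without an error code.
        raise BearerError(401, "Bearer")
    if len(values) > 1:
        raise BearerError(400, 'Bearer error="invalid_request"')
    # Auth scheme names are case-insensitive; one or more spaces may follow.
    scheme, _, rest = values[0].strip().partition(" ")
    if scheme.lower() != "bearer":
        # Bearer-only: other schemes are not accepted as a fallback.
        raise BearerError(401, "Bearer")
    token = rest.strip(" ")
    if not _B64TOKEN.fullmatch(token):
        # Empty token, embedded whitespace, or characters outside b64token.
        raise BearerError(400, 'Bearer error="invalid_request"')
    return token


if __name__ == "__main__":
    # Constructed sample request headers.
    sample = [("Host", "api.example.test"),
              ("Authorization", "Bearer some+base64+string")]
    print(extract_bearer_token(sample))
```

The function only checks the syntax of the header; the returned token still has to be validated (signature, expiry, audience, or a lookup at the authorization server) before access is granted.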