What Is a Bearer Token

A bearer token is a security credential where possession is the only requirement to use it. Whoever holds the token, the "bearer", can use it to access whatever it's authorized for, without proving who they are beyond having the token itself. That's the entire concept behind the bearer token meaning: no signature, no extra password, no cryptographic proof of identity, just the string of characters itself acting as the key.
How bearer tokens work in practice
Bearer tokens are the standard access credential in OAuth 2.0, the framework most platforms (X, LinkedIn, Meta, Google) use to let a third-party app access your account without handing over your actual password. The flow generally goes:
- You authorize an app to connect to your account (an OAuth "grant").
- The platform issues an access token, a bearer token, representing that permission.
- The app includes the token in an HTTP header on every request:
Authorization: Bearer <token>. - The platform checks the token is valid and responds, no further identity check required.
Bearer token vs API key: what's actually different
The terms get used loosely, but there's a real distinction. An API key is often static, long-lived, and sometimes shared across an entire application rather than tied to one user's specific permissions. A bearer token, in the OAuth sense, is typically short-lived, scoped to specific actions (post on your behalf, but not read your DMs, for example), and refreshed periodically using a separate refresh token rather than reused indefinitely. Both work on the same "possession equals access" principle, but bearer tokens are generally built to limit damage if they leak, since a stolen one usually stops working within minutes to hours.
Why "anyone who has it can use it" is the whole security risk
Per the OAuth 2.0 specification (RFC 6750), a handful of rules exist specifically because possession is all that's required:
- Always transmitted over HTTPS. A bearer token sent over an unencrypted connection can be intercepted and used by anyone who captures it.
- Never stored in a plain cookie or put in a URL, both are common places tokens leak, through browser history, server logs, or referrer headers.
- Kept short-lived where possible. A token that expires in an hour limits how long a leak stays exploitable, compared to one valid indefinitely.
Bearer token vs plain password: why platforms moved away from passwords
Handing a third-party app your actual password gives it unlimited access, forever, with no easy way to revoke just that one app without changing your password everywhere else it's used. A bearer token sidesteps both problems: it's scoped to specific permissions, and revoking it from the platform's settings kills that one connection without touching your login credentials at all. That shift, away from shared passwords and toward scoped, revocable tokens, is most of what OAuth 2.0 was designed to solve.
How bearer tokens work for a scheduling tool
When you connect an account to a scheduling tool, the tool typically stores a bearer token rather than your password, and uses it to publish on your behalf within whatever scope you approved. Revoking access from the platform's own settings (not just deleting the tool) invalidates that token immediately, which is the correct way to fully disconnect an app rather than assuming uninstalling it is enough.
Posted Once connects to X, LinkedIn, and eight other platforms using each one's own OAuth flow, storing tokens rather than passwords, and only requesting the specific permissions needed to schedule and publish posts. Start scheduling free →
Schedule to every platform at once
Posted Once publishes your content to all 10 social networks from one place.
Start free trial