4
votes

I have noticed the convention is to send a JWT in the header under the field Authorization. The standard is to send the token as such:

Authorization: Bearer [token]

My question is why do I need to put the Bearer part, why not just:

Authorization: [token]

When I receive the first request I need to parse every request to get rid of the Bearer when I verify my JWT. What is the point of this?

It was started by HTTP itself, which standardised Authorization: Basic (tools.ietf.org/html/rfc2617#section-2), then promoted further by OAuth, which introduced Authorization: Bearer (and others) (tools.ietf.org/html/rfc6749#section-7.1). So it is there to specify what type of authentication credentials is being sent. - zerkms

@zerkms Is it mandatory though? If I avoid it will there be any consequences? My server simply receives the token and verifies if it is a valid token I issued. - user2924127

It is not mandatory. RFC 2616 defines it as Authorization = "Authorization" ":" credentials, so it's up to you how you construct the credentials part (tools.ietf.org/html/rfc2616#section-14.8). - zerkms

Thanks for the answer! - user2924127

1 Answer

7
votes

It was started in the HTTP 1.0 standard, which added Authorization: Basic.

Then some other popular protocols (/frameworks) popularised other kinds of authentication, like OAuth's Authorization: Bearer.

Practically, the HTTP standard (both the "obsolete" and the "more modern" one) declares it as

Authorization = "Authorization" ":" credentials

without any constraints on how the credentials are to be shaped.

So it is up to you what you put there, as long as it works for you.
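As an added illustration (not code from the question or the answer), this parser shows what the scheme buys a server: with "Bearer" present it can tell a JWT apart from, say, Basic credentials before handing anything to the JWT verifier, while the bare-token variant from the question only works if the server accepts one credential type. Function names, the `allow_bare` switch and the sample header values are my own assumptions.

```python
import re
from typing import Optional, Tuple

# RFC 7235 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ].
# token68 is the shape Basic and Bearer credentials use (RFC 6750 b64token).
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
# JWT compact serialization: three non-empty base64url segments joined by '.'.
# Requiring a non-empty third segment also rejects unsigned ("alg":"none")
# tokens at the shape check, before any library call.
_JWT_COMPACT = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def parse_authorization(header: str) -> Tuple[Optional[str], str]:
    """Split an Authorization header value into (scheme, credentials).

    The scheme is case-insensitive per RFC 7235, so it is lower-cased.
    A value with no whitespace (the bare-token form from the question)
    has no scheme and is returned with scheme None.
    """
    value = header.strip()
    if " " in value:
        scheme, _, creds = value.partition(" ")
        return scheme.lower(), creds.strip()
    return None, value


def extract_bearer_jwt(header: str, allow_bare: bool = False) -> Optional[str]:
    """Return the JWT carried as Bearer credentials, or None.

    With allow_bare=True a scheme-less token is also accepted, which is what
    the asker proposes; the cost is that the server can no longer distinguish
    credential types from the header alone. Signature verification is left to
    the JWT library; this only decides what to hand it.
    """
    scheme, creds = parse_authorization(header)
    if scheme == "bearer" or (scheme is None and allow_bare):
        if _TOKEN68.match(creds) and _JWT_COMPACT.match(creds):
            return creds
    return None


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    for h in ("Bearer aaa.bbb.ccc", "Basic dXNlcjpwYXNz", "aaa.bbb.ccc"):
        print(repr(h), "->", extract_bearer_jwt(h), extract_bearer_jwt(h, allow_bare=True))
```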