OAuth-protected APIs usually reject load-test traffic unless each protected HTTP request includes a bearer token in the Authorization header. In JMeter, an HTTP Header Manager can attach that header at the right scope so protected samplers send the token consistently without repeating the same row inside every HTTP Request sampler.
The HTTP Header Manager inherits through the test-plan tree. Placing it under a Thread Group applies the header to child HTTP samplers, while placing it directly under one sampler limits the token to that request. The value can reference a variable such as ${access_token} so token refresh, CSV input, or CI secret injection can update one value instead of changing every sampler.
Bearer tokens are usually short-lived secrets. Keep real values out of shared .jmx files, screenshots, and transcripts when possible, and use a no-header control request or server-side request log to prove that authorization depends on the header rather than on an accidentally open endpoint.
Select the Thread Group when all child HTTP samplers use the same token. Select one HTTP Request sampler when only that request needs the header.
User Defined Variables works for a local smoke test. For shared plans or CI runs, load the value from a CSV Data Set Config, a setUp sampler, or a command-line property instead of saving a live token in the plan.
Name: Authorization
Value: Bearer ${access_token}
Keep exactly one space between Bearer and the variable reference. Do not include quotes around the header value.
A header manager under a parent node affects child HTTP samplers. Move requests that must not receive the bearer token to a different branch or attach the manager only to the protected sampler.
$ jmeter -n -t bearer-token-header-add.jmx -l results.jtl -j jmeter.log Creating summariser <summary> Created the tree successfully using bearer-token-header-add.jmx summary = 2 in 00:00:01 = 2.0/s Avg: 8 Min: 3 Max: 13 Err: 1 (50.00%) Tidying up ... ... end of run
The error count is expected only when the plan includes a no-header control sampler that should receive 401 Unauthorized.
$ cat protected-api.log GET /protected HTTP/1.1 Authorization: Bearer <redacted> -> 200 GET /protected HTTP/1.1 Authorization: <none> -> 401
The passing sampler should show the bearer header and an authorized response. The control sampler should show no Authorization header and an unauthorized response.