How to authenticate with a bearer token in wget

Bearer tokens let wget talk to protected APIs without putting a reusable password on every request. That is the normal pattern for OAuth-style access tokens, short-lived service tokens, and other delegated auth flows where the token already exists before the download or API call starts.

In wget, bearer auth is simply an Authorization header in the form Bearer <token>. The core mechanics are small: keep the token in a variable or restricted config file, send it with --header, and confirm that the endpoint returns the expected payload instead of a 401 Unauthorized or 403 Forbidden response.

Tokens are secrets for as long as they remain valid. Avoid printing them to shared terminals, avoid saving verbose debug logs that include the header, and clear them from the shell when the request is finished or when the server starts rejecting an expired token.

Related: How to authenticate with an API key in wget
Related: How to send custom headers with wget

Steps to authenticate with a bearer token in wget:

  1. Load the token into the current shell from a restricted file or secret source. 
    $ ACCESS_TOKEN="$(tr -d '\n' < ~/.config/wget/bearer.token)"
$ printf 'Loaded %s-byte token\n' "${#ACCESS_TOKEN}"
Loaded 14-byte token

    Reading from a private file or secret source is safer than pasting production tokens directly into shell history.

  2. Send the token in the Authorization header and confirm that the protected endpoint accepts it. 
    $ wget -S -O - \
  --header="Authorization: Bearer ${ACCESS_TOKEN}" \
  https://httpbin.org/bearer 2>&1 | sed -n '1,18p'
--2026-03-27 07:00:11--  https://httpbin.org/bearer
Resolving httpbin.org (httpbin.org)... 44.221.213.41, 54.172.102.128, 32.194.43.65, ...
Connecting to httpbin.org (httpbin.org)|44.221.213.41|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Thu, 26 Mar 2026 23:00:12 GMT
  Content-Type: application/json
  Content-Length: 58
Length: 58 [application/json]
Saving to: 'STDOUT'
{
  "authenticated": true,
  "token": "test-token-123"
}

    A normal 200 OK plus an authenticated response body confirms that the bearer header format is correct for the target endpoint.

  3. Verify the exact header value separately when the protected endpoint returns an unexpected application error. 
    $ wget -qO- \
  --header="Authorization: Bearer ${ACCESS_TOKEN}" \
  https://httpbin.org/headers | jq -r '.headers.Authorization'
Bearer test-token-123

    A header echo check isolates header formatting problems before deeper API debugging starts.

  4. Store the header in a restricted config file only when repeated invocations need the same token. 
    $ mkdir -p ~/.config/wget
$ printf '%s\n' \
  'header = Authorization: Bearer demo-token-from-config' \
  > ~/.config/wget/bearer.conf
$ chmod 600 ~/.config/wget/bearer.conf
$ wget -qO- --config=~/.config/wget/bearer.conf \
  https://httpbin.org/headers | jq -r '.headers.Authorization'
Bearer demo-token-from-config

    A token saved in a config file becomes persistent local state, so file permissions and cleanup matter as much as the request syntax.

  5. Unset the token after the request or batch completes. 
    $ unset ACCESS_TOKEN
$ printf '%s\n' "${ACCESS_TOKEN:-}"

    Clearing the variable reduces accidental reuse in later commands, but any token already copied into logs or config files must be cleaned up separately.