Bearer tokens let cURL call a protected API with a short-lived credential that was issued earlier by an identity provider or service. This is the common pattern for OAuth access tokens, delegated service calls, and repeatable automation where sending an account password on every request would be the wrong fit.
In cURL, the cleanest path is --oauth2-bearer, which builds the Authorization: Bearer header for the request without forcing you to compose it manually each time. The practical flow is simple: load the token from a restricted source, send the request, and confirm that the server returns an authenticated response instead of a 401 Unauthorized failure.
Bearer tokens are still reusable secrets while they remain valid. Avoid printing them into verbose traces, avoid storing them in world-readable config files, and avoid sending them through redirect-heavy request flows unless you have confirmed that the destination is supposed to receive the same credential. The examples below keep generic claims and a redacted signature so the token shape stays realistic without exposing a reusable credential.
Steps to authenticate with a bearer token in cURL:
- Load the issued token from a restricted local file or secret source before building the request.

    $ ACCESS_TOKEN="$(tr -d '\n' < ~/.config/curl/bearer.token)"
    $ printf 'Loaded %s-byte token\n' "${#ACCESS_TOKEN}"
    Loaded 144-byte token

Reading the token from a private file or secret source is safer than pasting a live token directly into shell history.
- Send the request with --oauth2-bearer and confirm that the endpoint returns an authenticated response.

    $ curl --silent --show-error \
        --oauth2-bearer "${ACCESS_TOKEN}" \
        --write-out '\nHTTP %{http_code}\n' \
        https://httpbin.org/bearer
    {
      "authenticated": true,
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcGktY2xpZW50Iiwic2NvcGUiOiJyZWFkOnN0YXR1cyIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbSJ9.signature-redacted"
    }
    HTTP 200

The direct header equivalent is --header "Authorization: Bearer ${ACCESS_TOKEN}", but --oauth2-bearer keeps the command shorter and makes intent obvious.
- Check the exact Authorization header value separately when the API returns an unexpected auth or routing error.

    $ curl --silent --show-error \
        --oauth2-bearer "${ACCESS_TOKEN}" \
        https://httpbin.org/headers | jq -r '.headers.Authorization'
    Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcGktY2xpZW50Iiwic2NvcGUiOiJyZWFkOnN0YXR1cyIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbSJ9.signature-redacted

A header echo confirms that the token reached the request in the expected Bearer format before you spend time debugging the application response.
- Save the token in a restricted cURL config file only when repeated local calls need the same bearer credential.

    $ mkdir -p ~/.config/curl
    $ printf 'oauth2-bearer = "%s"\n' "${ACCESS_TOKEN}" > ~/.config/curl/bearer.conf
    $ chmod 600 ~/.config/curl/bearer.conf
    $ ls -l ~/.config/curl/bearer.conf
    -rw------- 1 user staff 163 Mar 29 09:23 /home/user/.config/curl/bearer.conf

A bearer token saved in a config file becomes persistent local state, so file permissions and cleanup matter as much as the request syntax.
- Reuse the restricted config file for repeated calls and verify that it still produces an authenticated response.

    $ curl --silent --show-error \
        --config ~/.config/curl/bearer.conf \
        --write-out '\nHTTP %{http_code}\n' \
        https://httpbin.org/bearer
    {
      "authenticated": true,
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcGktY2xpZW50Iiwic2NvcGUiOiJyZWFkOnN0YXR1cyIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbSJ9.signature-redacted"
    }
    HTTP 200

Config reuse is useful for short local request batches, but avoid keeping long-lived tokens in reusable files longer than necessary.
- Probe the unauthenticated path when you need to confirm that the endpoint is actually protected.

    $ curl --silent --show-error \
        --write-out '\nHTTP %{http_code}\n' \
        https://httpbin.org/bearer

    HTTP 401

A clear 401 without the bearer token helps distinguish an auth problem from an unrelated application error in the protected handler.
- Clear bearer-token artifacts after the request batch finishes.

    $ unset ACCESS_TOKEN
    $ rm -f ~/.config/curl/bearer.conf

Removing the shell variable and any temporary config file reduces accidental reuse after the token should have expired or rotated.
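
The file-handling steps above (loading the token, saving it to a config file) can be wrapped so that loose permissions are caught before the token is used, and so that the config file is never readable by others, even briefly before chmod runs. This is an added example, not code from the original page or from the cURL project; the helper names is_private_file, load_bearer_token and write_bearer_config are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of cURL or the original page.

# True only for a regular, non-symlink file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the token from file $1 with newlines stripped; refuse a non-private file.
load_bearer_token() {
    if ! is_private_file "$1"; then
        echo "refusing token file $1: missing, a symlink, or not mode 600" >&2
        return 1
    fi
    tr -d '\n' < "$1"
}

# Write token $1 into cURL config file $2 as an oauth2-bearer entry.
write_bearer_config() {
    # cURL treats \ and " specially inside a quoted config value, so reject
    # them instead of writing a value that would be parsed differently.
    case $1 in
        *'"'*|*'\'*) echo "token has characters unsafe in a config value" >&2
                     return 1 ;;
    esac
    # umask applies only inside the subshell; the file is created private, so
    # there is no readable window before a later chmod. rm first, because
    # overwriting an existing file would keep its old, possibly loose, mode.
    ( umask 077
      mkdir -p -- "$(dirname -- "$2")" &&
      rm -f -- "$2" &&
      printf 'oauth2-bearer = "%s"\n' "$1" > "$2" )
}

# Usage with the page's paths (the curl call itself needs network access):
#   ACCESS_TOKEN="$(load_bearer_token ~/.config/curl/bearer.token)" &&
#     write_bearer_config "${ACCESS_TOKEN}" ~/.config/curl/bearer.conf &&
#     curl --silent --show-error --config ~/.config/curl/bearer.conf \
#       https://httpbin.org/bearer
```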
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
