OAuth-protected APIs usually reject load-test traffic unless each protected HTTP request includes a bearer token in the Authorization header. In JMeter, an HTTP Header Manager can attach that header at the right scope so protected samplers send the token consistently without repeating the same row inside every HTTP Request sampler.
The HTTP Header Manager inherits through the test-plan tree. Placing it under a Thread Group applies the header to child HTTP samplers, while placing it directly under one sampler limits the token to that request. The value can reference a variable such as ${access_token} so token refresh, CSV input, or CI secret injection can update one value instead of changing every sampler.
Bearer tokens are usually short-lived secrets. Keep real values out of shared .jmx files, screenshots, and transcripts when possible, and use a no-header control request or server-side request log to prove that authorization depends on the header rather than on an accidentally open endpoint.
Steps to add a JMeter bearer token header:
- Open the test plan in JMeter and select the scope that should send the bearer token.
Select the Thread Group when all child HTTP samplers use the same token. Select one HTTP Request sampler when only that request needs the header.
- Create or confirm a variable named access_token for the token value.
User Defined Variables works for a local smoke test. For shared plans or CI runs, load the value from a CSV Data Set Config, a setUp sampler, or a command-line property instead of saving a live token in the plan.
- Add an HTTP Header Manager under the selected scope.
- Add one header row to the HTTP Header Manager.
Name: Authorization Value: Bearer ${access_token}Keep exactly one space between Bearer and the variable reference. Do not include quotes around the header value.
- Keep login, token-minting, and public control samplers outside that header-manager scope.
A header manager under a parent node affects child HTTP samplers. Move requests that must not receive the bearer token to a different branch or attach the manager only to the protected sampler.
- Save the test plan.
- Run the plan in non-GUI mode against a protected endpoint.
$ jmeter -n -t bearer-token-header-add.jmx -l results.jtl -j jmeter.log Creating summariser <summary> Created the tree successfully using bearer-token-header-add.jmx summary = 2 in 00:00:01 = 2.0/s Avg: 8 Min: 3 Max: 13 Err: 1 (50.00%) Tidying up ... ... end of run
The error count is expected only when the plan includes a no-header control sampler that should receive 401 Unauthorized.
- Check the protected API request log or request inspector for the received header.
$ cat protected-api.log GET /protected HTTP/1.1 Authorization: Bearer <redacted> -> 200 GET /protected HTTP/1.1 Authorization: <none> -> 401
The passing sampler should show the bearer header and an authorized response. The control sampler should show no Authorization header and an unauthorized response.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.