Bearer-token APIs reject PHP cURL requests when the Authorization header is missing, malformed, or exposed in the wrong part of the request. Supplying the token as an HTTP header keeps the credential out of the URL and lets the API authorize the request before returning protected JSON.
PHP cURL sends custom HTTP headers through CURLOPT_HTTPHEADER. For a bearer-protected API, the request usually needs Authorization: Bearer <token> plus an Accept or Content-Type header that matches the endpoint's response or payload format.
Keep access tokens out of committed source files, query strings, and copied terminal transcripts. Use HTTPS for real API calls, keep certificate verification enabled, and avoid forwarding the same custom headers to redirect targets you do not control.
Steps to use a bearer token with PHP cURL:
- Confirm the PHP cURL extension is loaded.
$ php -r 'var_export(extension_loaded("curl")); echo PHP_EOL;'
true
If this prints false, install or enable the PHP cURL extension for the PHP runtime that runs the script before testing the request.
- Export the protected API URL for the current shell.
$ export API_URL='https://api.example.com/v1/profile'
- Export the bearer token for the current shell.
$ export API_BEARER_TOKEN='eyJhbGciOi...redacted'
Do not paste production tokens into shared terminals, committed shell scripts, screenshots, or issue trackers. Use your application's secret manager or environment injection path for deployed code.
- Create the PHP request script.
bearer-request.php
<?php
// Read the endpoint and token from the environment so neither is hard-coded.
$url = getenv('API_URL');
$token = getenv('API_BEARER_TOKEN');

if ($url === false || $url === '' || $token === false || $token === '') {
    fwrite(STDERR, "API_URL and API_BEARER_TOKEN must be set" . PHP_EOL);
    exit(1);
}

$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    // Send the token as a header, never as part of the URL.
    CURLOPT_HTTPHEADER => [
        'Accept: application/json',
        'Authorization: Bearer ' . $token,
    ],
    CURLOPT_TIMEOUT => 10,
]);

$body = curl_exec($ch);
if ($body === false) {
    fwrite(STDERR, 'cURL error: ' . curl_error($ch) . PHP_EOL);
    curl_close($ch);
    exit(1);
}

$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP {$status}" . PHP_EOL;
echo $body . PHP_EOL;

// Exit non-zero for any non-2xx status so callers can detect the failure.
if ($status < 200 || $status >= 300) {
    exit(1);
}
CURLOPT_RETURNTRANSFER keeps the response in $body so the script can inspect the HTTP status before printing the API response. PHP also exposes CURLAUTH_BEARER and CURLOPT_XOAUTH2_BEARER on supported builds, but an explicit Authorization: Bearer header matches API documentation that asks for that header on the first request.
- Run the request script.
$ php bearer-request.php
HTTP 200
{ "authenticated": true, "scope": "profile:read", "user": "api-reader" }
A 2xx status plus the expected protected resource shows that the API received and accepted the Authorization header.
- Clear the temporary environment variables when the manual test is finished.
$ unset API_BEARER_TOKEN API_URL
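One way to act on the earlier advice about not forwarding custom headers to redirect targets you do not control: leave CURLOPT_FOLLOWLOCATION off, follow redirects by hand, and attach the token only while the hop stays on the original origin. This is an added example, not part of the original page; origin(), headers_for() and bearer_get() are hypothetical helper names, and the URLs and token in the closing loop are constructed.

```php
<?php
// Added example (hypothetical helper names). Reduce a URL to scheme://host:port.
function origin(string $url): ?string {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// Attach the bearer token only when the hop stays on the trusted origin.
function headers_for(string $trusted, string $hopUrl, string $token): array {
    $auth = origin($hopUrl) === $trusted ? ['Authorization: Bearer ' . $token] : [];
    return array_merge(['Accept: application/json'], $auth);
}

// GET $url, following at most $maxHops redirects by hand; returns [status, body].
function bearer_get(string $url, string $token, int $maxHops = 3): array {
    $trusted = origin($url);
    if ($trusted === null || strncmp($trusted, 'https://', 8) !== 0) {
        throw new InvalidArgumentException('URL must be absolute and use https');
    }
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,           // redirects are handled below
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse non-HTTPS hops
            CURLOPT_HTTPHEADER     => headers_for($trusted, $url, $token),
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        if ($body === false) {
            throw new RuntimeException('cURL error: ' . curl_error($ch));
        }
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // empty unless redirected
        if (!$next) {
            return [curl_getinfo($ch, CURLINFO_HTTP_CODE), $body];
        }
        $url = $next; // the token is withheld on this hop if the origin changed
    }
    throw new RuntimeException('Too many redirects');
}

// Constructed redirect targets: show which hops would carry the Authorization header.
foreach (['https://api.example.com/v2/me', 'https://cdn.example.net/me', 'http://api.example.com/me'] as $hop) {
    echo $hop, ' => token ', count(headers_for('https://api.example.com:443', $hop, 'constructed-token')) === 2 ? 'sent' : 'withheld', PHP_EOL;
}
```

With the environment variables from the steps above, the request itself is made with `[$status, $body] = bearer_get(getenv('API_URL'), getenv('API_BEARER_TOKEN'));`.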
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.