Bearer tokens enable authenticated access to HTTP APIs from automated download tools like wget without embedding long-lived usernames or passwords in scripts. Cron jobs, integration pipelines, and batch jobs can contact protected endpoints while keeping interactive login credentials out of shell history and configuration files.
In common OAuth 2.0 flows, an authorization server issues a short-lived access token after successful client authentication with a client ID, secret, and grant type. The client includes this token in an Authorization HTTP header using the format Authorization: Bearer <token>, and the API gateway validates the token on each request. wget accepts arbitrary HTTP headers through the --header option, so scripted downloads can attach bearer tokens in exactly the format a REST API expects.
Because bearer tokens grant the same level of access as the underlying account or application while valid, careless storage or logging can expose entire APIs or datasets. Tokens typically expire and may need renewal or refresh operations to avoid unexpected 401 Unauthorized or 403 Forbidden responses when automation runs. The commands below assume a standard Linux shell with curl and wget installed and focus on obtaining a bearer token, sending it with wget, and verifying authenticated downloads.
Steps to authenticate with bearer token in wget:
- Open a terminal on a system that can reach the target API endpoint over HTTPS.
$ uname -srm
Linux 6.8.0-31-generic x86_64
- Request an access token from the OAuth 2.0 authorization server using curl.
$ curl --data "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=client_credentials" https://auth.example.com/oauth/token
{
  "access_token": "YOUR_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600
}
Replace YOUR_CLIENT_ID and YOUR_CLIENT_SECRET with real client credentials for the API client application, and treat the returned access_token value as a sensitive bearer credential.
- Send an authenticated HTTPS request with wget by adding the bearer token to the Authorization header.
$ wget --header="Authorization: Bearer YOUR_ACCESS_TOKEN" https://api.example.com/data -O output.json
--2025-02-20 12:34:56-- https://api.example.com/data
Resolving api.example.com (api.example.com)... 203.0.113.10
Connecting to api.example.com (api.example.com)|203.0.113.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1234 (1.2K) [application/json]
Saving to: ‘output.json’
output.json 100% 1.2K --.-KB/s in 0.01s
2025-02-20 12:34:56 (120 KB/s) - ‘output.json’ saved [1234/1234]
Replace YOUR_ACCESS_TOKEN with the current access_token string, and expect a 200 OK response with the requested resource when the token is valid.
- Increase logging detail in wget with --debug when diagnosing authentication or header formatting problems.
$ wget --header="Authorization: Bearer YOUR_ACCESS_TOKEN" https://api.example.com/data -O output.json --debug
DEBUG output created by Wget 1.21.4 on linux-gnu.
--2025-02-20 12:35:10-- https://api.example.com/data
Resolving api.example.com (api.example.com)... 203.0.113.10
Connecting to api.example.com (api.example.com)|203.0.113.10|:443... connected.
Created socket 4.
Sending HTTP request.
##### snipped #####
Debug logs can contain the full Authorization header, including the bearer token, so long-term log retention or sharing raw debug output can leak credentials.
- Store a reusable bearer token header in a local file for repeated wget invocations.
$ printf 'Authorization: Bearer %s\n' "YOUR_ACCESS_TOKEN" > ~/.wget_bearer_header
$ chmod 600 ~/.wget_bearer_header
$ wget --header="$(cat ~/.wget_bearer_header)" https://api.example.com/data -O output.json
Restrict the header file with chmod 600 ~/.wget_bearer_header or similar so that other local users cannot read the stored token.
- Obtain a new bearer token when the current token expires or the API returns an unauthorized status.
$ curl --data "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN" https://auth.example.com/oauth/token
{
  "access_token": "YOUR_NEW_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600
}
Consult the API provider's OAuth 2.0 documentation for the exact refresh flow, because some providers issue only short-lived access tokens without refresh tokens and require a full re-authentication.
- Inspect the beginning of the downloaded response file to confirm API data rather than an authentication error page.
$ head -n 5 output.json
{
  "items": [
    {
      "id": "123",
      "name": "example-object"
##### snipped #####
Successful bearer authentication is indicated by a completed wget transfer with status 200 OK, the presence of the expected output file such as output.json, and JSON content that matches the API schema instead of messages like 401 Unauthorized or 403 Forbidden.
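The steps above combined into one script, as an added example that is not part of the original page: client credentials go to curl on stdin and the header reaches wget through a `--config` file, so neither secret shows up in a process listing; the file is created under `umask 077` so it is never briefly readable by other users; and a filter masks tokens in `--debug` output. The function names, the `~/.wget_bearer_rc` path and the `CLIENT_ID` / `CLIENT_SECRET` environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Names and paths are illustrative.
# Usage: fetch_with_bearer https://auth.example.com/oauth/token https://api.example.com/data output.json

# Pull access_token out of a JSON token response read from stdin.
# Assumes the token value contains no escaped quotes.
extract_token() {
    tr -d '\r\n' | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Write a wgetrc-style file holding the Authorization header.
# $1 = token, $2 = destination path
write_wget_config() {
    case "$1" in   # empty or non-token characters (newline, space) would corrupt the file
        ''|*[!A-Za-z0-9._~+/=-]*) echo "refusing malformed token" >&2; return 1 ;;
    esac
    (
        umask 077                  # file is created 0600, no window before a chmod
        tmp="$2.tmp.$$"
        printf 'header = Authorization: Bearer %s\n' "$1" > "$tmp" &&
        mv -f "$tmp" "$2"          # replace any older token file in one step
    )
}

# Mask bearer tokens in wget --debug output before it is stored or shared.
redact_bearer() {
    sed -E 's/([Aa]uthorization:[[:space:]]*[Bb]earer[[:space:]]+)[^[:space:]]+/\1[REDACTED]/g'
}

# Request a token and download with it. Credentials are read from the
# environment and assumed to need no URL-encoding.
# $1 = token URL, $2 = API URL, $3 = output file
fetch_with_bearer() {
    cfg="${HOME}/.wget_bearer_rc"
    token=$(printf 'client_id=%s&client_secret=%s&grant_type=client_credentials' \
                "$CLIENT_ID" "$CLIENT_SECRET" |
            curl --silent --fail --data @- "$1" | extract_token)
    write_wget_config "$token" "$cfg" || return 1   # empty token means the request failed
    wget --config="$cfg" "$2" -O "$3"
}
```

Because `--config` replaces the default startup file, any settings normally read from `~/.wgetrc` have to be repeated in the generated file. For troubleshooting, pipe debug output through the filter, for example `wget --config="$HOME/.wget_bearer_rc" --debug URL 2>&1 | redact_bearer`.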
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
