Bearer tokens let wget call a protected API without sending a reusable account password on every request. That is the normal pattern for OAuth access tokens, short-lived service tokens, and other delegated credentials that already exist before the download or API call begins.

In wget, bearer auth is just an Authorization header in the form Bearer <token>. The mechanics are small but strict: load the token from a restricted source, send it with --header, and confirm that the response is an authenticated payload rather than a 401 Unauthorized or 403 Forbidden error.

Tokens stay sensitive for as long as the server accepts them. Avoid printing them into shared terminals, avoid collecting verbose logs that include the header, and clear them from the shell or config files once the request finishes or the token expires. The examples below keep masked service-identity claims and a redacted signature so the bearer-token shape stays realistic without exposing a reusable credential.

Steps to authenticate with a bearer token in wget:

  1. Load the token from a restricted file or secret source before building the request.
    $ ACCESS_TOKEN="$(tr -d '\n' < ~/.config/wget/bearer.token)"
    $ printf 'Loaded %s-byte token\n' "${#ACCESS_TOKEN}"
    Loaded 148-byte token

    Reading from a private file or secret source is safer than pasting a production token on the command line, where it ends up in shell history.

  2. Send the token in the Authorization header and confirm that the endpoint accepts it.
    $ wget -S -O - \
      --header="Authorization: Bearer ${ACCESS_TOKEN}" \
      https://httpbin.org/bearer 2>&1
    ##### snipped #####
      HTTP/1.1 200 OK
    {
      "authenticated": true,
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmMtd2dldC1yZWFkZXIiLCJzY29wZSI6ImRhdGE6cmVhZCIsImF1ZCI6ImFwaS5leGFtcGxlLm5ldCJ9.signature-redacted"
    }

    A clean success response confirms that the bearer header format matches what the protected endpoint expects.

  3. Echo the final header value separately when the endpoint returns an unexpected application error.
    $ wget -qO- \
      --header="Authorization: Bearer ${ACCESS_TOKEN}" \
      https://httpbin.org/headers | jq -r '.headers.Authorization'
    Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmMtd2dldC1yZWFkZXIiLCJzY29wZSI6ImRhdGE6cmVhZCIsImF1ZCI6ImFwaS5leGFtcGxlLm5ldCJ9.signature-redacted

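    A header echo check isolates formatting mistakes before deeper API troubleshooting starts. The echo prints the full token, so run it only in a private terminal and keep its output out of shared logs.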

  4. Store the header in a restricted config file only when repeated invocations need the same token.
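    $ mkdir -p ~/.config/wget
    $ (umask 077; printf 'header = Authorization: Bearer %s\n' "${ACCESS_TOKEN}" > ~/.config/wget/bearer.conf)
    $ chmod 600 ~/.config/wget/bearer.conf
    $ wget -qO- --config="$HOME/.config/wget/bearer.conf" \
      https://httpbin.org/headers | jq -r '.headers.Authorization'
    Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmMtd2dldC1yZWFkZXIiLCJzY29wZSI6ImRhdGE6cmVhZCIsImF1ZCI6ImFwaS5leGFtcGxlLm5ldCJ9.signature-redacted

    A token saved in a config file becomes persistent local state, so file permissions and cleanup matter as much as the request syntax. The umask 077 subshell creates the file private from the start instead of leaving it readable until chmod runs, and chmod 600 tightens a file that already existed. The path after --config= uses $HOME because the shell does not expand ~ in the middle of an option word.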

  5. Clear the token from the current shell when the request batch is complete.
    $ unset ACCESS_TOKEN
    $ printf '%s\n' "${ACCESS_TOKEN:-}"

    Removing the shell variable prevents accidental reuse in later commands, but copied logs and saved config files still need separate cleanup.
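
Steps 1 and 4 as reusable shell functions, added here as an example and not taken from the original page. The function names are hypothetical, and the character check assumes the token follows the RFC 6750 bearer token syntax. load_token refuses a token file that group or others can access, and write_bearer_conf never leaves the config file on disk with looser permissions than 0600.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Succeed only if FILE is a regular file with no group/other permission bits.
is_private() {
    [ -f "$1" ] || return 1
    # ls mode string looks like "-rw-------"; characters 5-10 are group/other.
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Print the token stored in FILE with CR/LF removed. The body runs in a
# subshell, so its working variable does not leak into the calling shell.
load_token() (
    is_private "$1" || { echo "refusing $1: missing or not private" >&2; exit 1; }
    token=$(tr -d '\r\n' < "$1")
    case $token in
        # Reject empty values and anything outside the RFC 6750 token characters,
        # such as spaces or quotes that would corrupt the header line.
        '' | *[!A-Za-z0-9._~+/=-]*) echo "refusing $1: malformed token" >&2; exit 1 ;;
    esac
    printf '%s' "$token"
)

# Write the wgetrc line "header = Authorization: Bearer <token>" to CONF.
# umask 077 creates the temporary file as 0600, so the token is never on disk
# with looser permissions; mv then replaces CONF in one step.
write_bearer_conf() (
    umask 077
    tmp="$2.tmp.$$"
    printf 'header = Authorization: Bearer %s\n' "$1" > "$tmp" && mv -f -- "$tmp" "$2"
)

# Usage with the page's paths and endpoint:
#   ACCESS_TOKEN=$(load_token "$HOME/.config/wget/bearer.token") || exit 1
#   write_bearer_conf "$ACCESS_TOKEN" "$HOME/.config/wget/bearer.conf"
#   wget -qO- --config="$HOME/.config/wget/bearer.conf" https://httpbin.org/headers
#   rm -f "$HOME/.config/wget/bearer.conf"; unset ACCESS_TOKEN
```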