AUTHENTICATION

Bearer Token

Adds an Authorization: Bearer <token> header to your request. The most common auth method for JWT-based APIs.

How It Works

Bearer token authentication sends a token in the Authorization header. The server validates the token without needing to look up credentials on every request.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Commonly used with:

  • JWT tokens
  • OAuth 2.0 access tokens
  • Personal access tokens
  • API tokens

Configuration

Select Bearer Token from the Auth type dropdown. A single field appears:

Field   Description
Token   The bearer token value (JWT, access token, API key, etc.)

API Studio automatically prepends Bearer — just paste the raw token, not the full header value.

Variable Support

The token field supports {{variable}} placeholders resolved from environments, vault secrets, or collection variables.

Token: {{access_token}}

This is especially powerful when combined with Set Variables — extract a token from a login response and store it in the environment, then reference it in subsequent requests with {{access_token}}.

Examples

Token from environment variable

Auth Type: Bearer Token
Token:     {{auth_token}}

Environment (Production):
  auth_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."

→ Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Token from vault secret

Auth Type: Bearer Token
Token:     {{api_secret}}

Vault Secret Set:
  api_secret → maps to vault key "prod-api-token"

→ Token resolved from encrypted vault
→ Automatically scrubbed from history files

Dynamic token with Set Variables

Step 1 — Login request (POST /auth/login):
  Set Variable: access_token = $.token (JSONPath)
  → Extracts token from response, saves to environment

Step 2 — Protected request (GET /api/users):
  Auth Type: Bearer Token
  Token:     {{access_token}}
  → Uses the token extracted in Step 1

Tip: Use Collection Runs to execute a login request followed by protected requests in sequence — the extracted token is automatically available to subsequent requests via shared environment state.

Security Note

Auth credentials appear in multiple places:

  • Actual Request tab — shows resolved auth headers with real values
  • Code Export — generated code includes resolved auth values
  • History — saved request headers contain injected auth (scrubbed only if from vault)
  • collections.json — auth config saved in plain text (committed to git)

Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.
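The following is an added illustration, not API Studio's own code, of the behaviour described under Variable Support and Security Note: a token field holding a {{variable}} is resolved from the environment or from a vault secret set, the Bearer prefix is added to the raw token, and only vault-derived values are scrubbed before the request goes into history. The environment, vault contents and the `{{vault:scrubbed}}` placeholder are constructed sample values.

```python
import re

# Constructed sample data (not real API Studio files): an environment, the
# decrypted view of a vault, and a vault secret set mapping variables to keys.
ENVIRONMENT = {"auth_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.example.sig"}
VAULT = {"prod-api-token": "vault-secret-value-0123456789"}
VAULT_SECRET_SET = {"api_secret": "prod-api-token"}

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def resolve(value, env=ENVIRONMENT, vault=VAULT, secret_set=VAULT_SECRET_SET):
    """Expand {{name}} placeholders; return (text, set of vault values used)."""
    used = set()

    def sub(match):
        name = match.group(1)
        if name in secret_set:          # vault secrets take precedence over env vars
            secret = vault[secret_set[name]]
            used.add(secret)            # remember it so history can be scrubbed
            return secret
        if name in env:
            return env[name]
        raise KeyError("unresolved variable: " + name)

    return PLACEHOLDER.sub(sub, value), used


def bearer_header(token_field):
    """Build the Authorization header from the raw token field value."""
    token, used = resolve(token_field)
    # Mirrors the rule: paste the raw token, the 'Bearer ' prefix is added here.
    if token.lower().startswith("bearer "):
        raise ValueError("token field must hold the raw token, not the full header")
    return {"Authorization": "Bearer " + token}, used


def scrub_for_history(headers, vault_values):
    """Replace vault-derived values before persisting; env values are left as-is,
    which is why the page recommends the vault for anything sensitive."""
    scrubbed = {}
    for name, value in headers.items():
        for secret in vault_values:
            value = value.replace(secret, "{{vault:scrubbed}}")
        scrubbed[name] = value
    return scrubbed
```

Run `bearer_header("{{api_secret}}")` and pass the result through `scrub_for_history` to see the vault token disappear, then repeat with `{{auth_token}}` to see the environment token persist in clear.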
