AUTHENTICATION
Bearer Token
Adds an Authorization: Bearer <token> header to your request. The most common auth method for JWT-based APIs.
How It Works
Bearer token authentication sends a token in the Authorization header. The server validates the token without needing to look up credentials on every request.
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Commonly used with:
Configuration
Select Bearer Token from the Auth type dropdown. A single field appears:
| Field | Description |
|---|---|
| Token | The bearer token value (JWT, access token, API key, etc.) |
API Studio automatically prepends Bearer — just paste the raw token, not the full header value.
Variable Support
The token field supports {{variable}} placeholders resolved from environments, vault secrets, or collection variables.
Token: {{access_token}}
This is especially powerful when combined with Set Variables — extract a token from a login response and store it in the environment, then reference it in subsequent requests with {{access_token}}.
Examples
Token from environment variable
Auth Type: Bearer Token
Token: {{auth_token}}
Environment (Production):
auth_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
→ Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Token from vault secret
Auth Type: Bearer Token
Token: {{api_secret}}
Vault Secret Set:
api_secret → maps to vault key "prod-api-token"
→ Token resolved from encrypted vault
→ Automatically scrubbed from history files
Dynamic token with Set Variables
Step 1 — Login request (POST /auth/login):
Set Variable: access_token = $.token (JSONPath)
→ Extracts token from response, saves to environment
Step 2 — Protected request (GET /api/users):
Auth Type: Bearer Token
Token: {{access_token}}
→ Uses the token extracted in Step 1
Security Note
Auth credentials appear in multiple places:
- Actual Request tab — shows resolved auth headers with real values
- Code Export — generated code includes resolved auth values
- History — saved request headers contain injected auth (scrubbed only if from vault)
- collections.json — auth config saved in plain text (committed to git)
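Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted, so it is safe to keep alongside git-tracked files. A token typed directly into the Token field gets neither protection: it is saved in collections.json in plain text and is not scrubbed from history.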
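One way to catch a literal token before collections.json is committed, as an added example that is not API Studio's own code. The file's schema is not documented on this page, so the scanner walks any JSON structure; the key names in SENSITIVE_KEYS and the sample data are assumptions constructed for illustration.

```python
import json
import re
import sys

# Compact JWT: base64url segments separated by dots; the header starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# A value that is only a {{variable}} placeholder is resolved at send time.
PLACEHOLDER_RE = re.compile(r"^\s*\{\{[^{}]+\}\}\s*$")
# Assumed field names for credentials; adjust to the real collections.json.
SENSITIVE_KEYS = {"token", "password", "secret", "apikey", "api_key"}

def find_plaintext_secrets(node, path="$", key=""):
    """Return (json_path, reason) for every string that looks like a stored credential."""
    if isinstance(node, dict):
        return [f for k, v in node.items()
                for f in find_plaintext_secrets(v, f"{path}.{k}", k)]
    if isinstance(node, list):
        return [f for i, v in enumerate(node)
                for f in find_plaintext_secrets(v, f"{path}[{i}]", key)]
    if isinstance(node, str):
        if JWT_RE.search(node):
            return [(path, "JWT-shaped literal")]
        if key.lower() in SENSITIVE_KEYS and node and not PLACEHOLDER_RE.match(node):
            return [(path, "literal in credential field")]
    return []

# Constructed sample; the real file layout may differ.
SAMPLE = json.loads("""
{"requests": [
  {"name": "List users", "auth": {"type": "bearer", "token": "{{access_token}}"}},
  {"name": "Legacy", "auth": {"type": "bearer",
     "token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"}},
  {"name": "Partner API", "auth": {"type": "bearer", "token": "constructed-opaque-key"}}
]}
""")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    hits = find_plaintext_secrets(data)
    for json_path, reason in hits:
        print(f"{json_path}: {reason}")  # report the location, never the value
    sys.exit(1 if hits else 0)
```

Run it with the path to collections.json from a pre-commit hook; a non-zero exit blocks the commit until the flagged fields are replaced with {{variable}} references.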