Where to Send Auth Token in Request: Best Practices
Send the authentication token in the Authorization header of the HTTP request using the Bearer scheme (RFC 6750). This is the standard way to pass tokens in REST API calls; it keeps the token out of the URL, and because the browser never adds this header on its own it does not need the CSRF defences a cookie would. The header is still plaintext on the wire, so the request must go over HTTPS.
Syntax
The authentication token is sent in the Authorization header with the format:
Authorization: Bearer <token>
Here, Bearer is the type of token, and <token> is your actual token string.
```http
GET /api/resource HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
Example
This example shows how to send an auth token in a GET request using Python's requests library.
```python
import requests

url = 'https://api.example.com/data'
# Placeholder token; a real token is issued by the auth server and should be
# loaded from a secret store or environment variable, not hard-coded.
token = 'abc123xyz456'

# The scheme name Bearer, one space, then the token, in the Authorization header.
headers = {'Authorization': f'Bearer {token}'}

response = requests.get(url, headers=headers)
print('Status code:', response.status_code)
print('Response body:', response.text)
```
Output
Status code: 200
Response body: {"data": "Here is your protected data."}
Common Pitfalls
- Sending the token in URL query parameters exposes it in server and proxy access logs, browser history and Referer headers sent to other sites.
- Omitting the Bearer prefix in the Authorization header (or separating it from the token with something other than a space) will make a conforming server reject the credential.
- Putting the token in a cookie means the browser attaches it automatically to every request to that origin, which is exactly what CSRF exploits. A cookie-borne token needs the Secure, HttpOnly and SameSite attributes plus a separate CSRF defence; the Authorization header needs none of that because the browser never adds it by itself.
```http
Wrong way (in URL):
GET /api/data?token=abc123xyz456 HTTP/1.1

Right way (in header):
GET /api/data HTTP/1.1
Authorization: Bearer abc123xyz456
```
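The Example and Common Pitfalls sections above show the client side only. The following is an added example, not code from the original page: a stdlib-only client helper that builds the header, and a small server-side check that parses the Authorization header the way RFC 6750 expects (case-insensitive scheme name, one space, token68 characters), refuses tokens smuggled in the query string, answers 401 with a WWW-Authenticate challenge, and compares the token in constant time. The token value, the parameter names `token`/`access_token`, the realm `api` and the URLs are constructed for illustration.

```python
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request

# Constructed sample credential for this example. A real server looks the
# token up in a store or verifies its signature instead of comparing to a constant.
VALID_TOKEN = "abc123xyz456"

# token68 production from RFC 7235 section 2.1, the character set a Bearer
# credential must use (RFC 6750 section 2.1 reuses it).
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def extract_bearer_token(authorization: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Parse an Authorization header value.

    Returns (token, None) on success or (None, reason) on failure. The scheme
    name is case-insensitive per RFC 7235, so "bearer x" is accepted; this
    check is stricter than the RFC's 1*SP and requires exactly one space
    between the scheme and the credential.
    """
    if authorization is None:
        return None, "missing Authorization header"
    parts = authorization.split(" ", 1)
    if parts[0].lower() != "bearer":
        return None, "unsupported or missing scheme (expected Bearer)"
    if len(parts) != 2 or not parts[1] or parts[1] != parts[1].strip():
        return None, "malformed credentials"
    if not _TOKEN68.match(parts[1]):
        return None, "credentials contain invalid characters"
    return parts[1], None


def authorize(url: str, headers: dict) -> Tuple[int, dict, str]:
    """Server-side decision for one request: (status, response headers, body)."""
    # Pitfall 1: refuse tokens passed in the query string rather than honouring
    # them; URLs land in access logs, proxies and browser history.
    query = parse_qs(urlsplit(url).query)
    if "token" in query or "access_token" in query:
        return 400, {}, "tokens in the URL are not accepted; use the Authorization header"

    # Header field names are case-insensitive, so match on the lowercased name.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)

    # Pitfall 2: a missing or non-Bearer scheme is rejected with a challenge,
    # as RFC 6750 section 3 prescribes for a 401 response.
    token, reason = extract_bearer_token(auth)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, reason

    # Constant-time comparison so response timing does not reveal how many
    # leading bytes of a guessed token were correct.
    if not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, "invalid token"

    return 200, {}, '{"data": "Here is your protected data."}'


def build_request(url: str, token: str) -> Request:
    """Client side, stdlib only: the token goes in the header, never in the URL."""
    req = Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


if __name__ == "__main__":
    good = build_request("https://api.example.com/data", VALID_TOKEN)
    print(authorize(good.full_url, {"Authorization": good.get_header("Authorization")}))
    print(authorize("https://api.example.com/data?token=abc123xyz456", {}))
    print(authorize("https://api.example.com/data", {"Authorization": "abc123xyz456"}))
```

The three calls in the `__main__` block correspond to the right way, the URL pitfall and the missing-prefix pitfall: the first is accepted, the second is refused outright rather than quietly accepted (so a token that reaches the logs is at least never a valid session), and the third gets a 401 with a challenge telling the client which scheme to use. Rejecting the query parameter is a policy choice for this example; RFC 6750 permits `access_token` in the query string but recommends against it.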
Quick Reference
Remember these key points when sending auth tokens:
- Always use the Authorization header.
- Prefix the token with Bearer and a single space.
- Do not send tokens in URLs or in cookies that lack CSRF protection.
Key Takeaways
Send auth tokens in the Authorization header using the Bearer scheme.
Never put tokens in URL query parameters; they end up in logs, browser history and Referer headers.
Prefix the token with the scheme name Bearer and a single space, or the server will reject it.
Send every authenticated request over HTTPS; the header is sent in plaintext otherwise.
Avoid cookies for API tokens unless you add CSRF protection and set the Secure, HttpOnly and SameSite attributes.