Skip to content
Latchkey

curl Bearer Token Auth: Authorization Header

Token auth is just a header, and getting the format exactly right matters.

Most modern APIs, including GitHub, authenticate with a bearer token in the Authorization header. There are two clean ways to send it.

What it does

Bearer auth sends Authorization: Bearer <token>. You can set it directly with -H, or use --oauth2-bearer <token> which builds the same header for you (curl 7.61+). The token is a secret, so it should come from an environment variable, not be hardcoded.

Common usage

Terminal
curl -H "Authorization: Bearer $TOKEN" https://api.example.com/x
curl --oauth2-bearer "$TOKEN" https://api.example.com/x   # curl 7.61+
# GitHub API
curl -H "Authorization: Bearer $GITHUB_TOKEN" \
     -H 'Accept: application/vnd.github+json' \
     https://api.github.com/repos/owner/repo/actions/runners

Flags

FlagWhat it does
-H "Authorization: Bearer $T"Standard, portable way to send a token
--oauth2-bearer <token>Build the bearer header for you (curl 7.61+)
-u <user>:<pass>Basic auth instead, for older APIs
-H 'Accept: application/vnd.github+json'GitHub API media type

In CI

Use the double-quote form so $TOKEN expands. Never echo the token; with -v, curl redacts the Authorization value in newer versions but not all, so avoid -v in logs that persist. On GitHub Actions, ${{ secrets.X }} or the built-in GITHUB_TOKEN both work as the env value.

Common errors in CI

A 401 Bad credentials from the GitHub API means the token is wrong, expired, or lacks scopes. A 403 with a rate-limit message means you are unauthenticated or throttled; confirm the header reached the server with curl -v while not exposing the value.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →