curl Bearer Token Auth: Authorization Header
Token auth is just a header, and getting the format exactly right matters.
Most modern APIs, including GitHub, authenticate with a bearer token in the Authorization header. There are two clean ways to send it.
What it does
Bearer auth sends Authorization: Bearer <token>. You can set it directly with -H, or use --oauth2-bearer <token> which builds the same header for you (curl 7.61+). The token is a secret, so it should come from an environment variable, not be hardcoded.
Common usage
curl -H "Authorization: Bearer $TOKEN" https://api.example.com/x
curl --oauth2-bearer "$TOKEN" https://api.example.com/x # curl 7.61+
# GitHub API
curl -H "Authorization: Bearer $GITHUB_TOKEN" \
-H 'Accept: application/vnd.github+json' \
https://api.github.com/repos/owner/repo/actions/runnersFlags
| Flag | What it does |
|---|---|
| -H "Authorization: Bearer $T" | Standard, portable way to send a token |
| --oauth2-bearer <token> | Build the bearer header for you (curl 7.61+) |
| -u <user>:<pass> | Basic auth instead, for older APIs |
| -H 'Accept: application/vnd.github+json' | GitHub API media type |
In CI
Use the double-quote form so $TOKEN expands. Never echo the token; with -v, curl redacts the Authorization value in newer versions but not all, so avoid -v in logs that persist. On GitHub Actions, ${{ secrets.X }} or the built-in GITHUB_TOKEN both work as the env value.
Common errors in CI
A 401 Bad credentials from the GitHub API means the token is wrong, expired, or lacks scopes. A 403 with a rate-limit message means you are unauthenticated or throttled; confirm the header reached the server with curl -v while not exposing the value.