What is a bearer token?
A bearer token is a credential that grants access to whoever holds it, sent in the HTTP Authorization header; remote MCP servers accept one as a simpler alternative to a full OAuth flow.
A bearer token is a string credential whose defining property is in its name: any party that bears (holds) the token can use it, with no additional proof of identity required. It is presented on each request in the HTTP header Authorization: Bearer <token>, and the server validates it and grants the associated access. For remote MCP servers, bearer tokens are the lightweight authentication path: instead of running a user through an interactive OAuth 2.1 sign-in, you generate an API key or token once and configure the client to send it as a bearer header on every call. This is convenient for machine-to-machine setups, CI, or single-user tooling where a browser consent flow is overkill. The tradeoff is that a static bearer token is a long-lived secret: anyone who obtains it has full access until it is revoked, so it must travel only over TLS, be stored out of plaintext config where possible, and be scoped and rotatable. OAuth-issued access tokens are also bearer tokens, but they are short-lived and refreshable, which is why the MCP spec prefers full OAuth for multi-user products and treats static bearer tokens as the simpler option for narrower cases.
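The server-side checks described above, as an added example that is not part of the original page or of any MCP implementation: the header is parsed, the token is matched against a store that holds only SHA-256 digests, and revocation, expiry and scope are enforced. The token values, scope names, status codes and the `authorize` and `parse_bearer` helpers are assumptions made for illustration.

```python
import hashlib
import hmac
import time

def _digest(token: str) -> str:
    # Plain SHA-256 is adequate only because tokens are assumed to be
    # high-entropy random strings, not user-chosen passwords.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed token store, keyed by digest so the secret itself is never kept.
TOKENS = {
    _digest("example-ci-token"): {
        "scopes": {"tools:read"}, "expires": 2_000_000_000, "revoked": False},
    _digest("example-old-token"): {
        "scopes": {"tools:read", "tools:call"}, "expires": 2_000_000_000, "revoked": True},
}

def parse_bearer(header):
    """Return the token from 'Bearer <token>', or None if malformed."""
    if not header:
        return None
    parts = header.split(" ")
    # The auth scheme name is case-insensitive; the token must be non-empty.
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1]:
        return None
    return parts[1]

def authorize(headers, required_scope, scheme="https", now=None):
    """Return (status, reason) for a request carrying a bearer token."""
    if scheme != "https":
        return 400, "bearer tokens accepted over TLS only"
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return 401, "missing or malformed Authorization header"
    presented = _digest(token)
    record = None
    for stored, rec in TOKENS.items():
        # Constant-time comparison; no early exit from the loop.
        if hmac.compare_digest(stored, presented):
            record = rec
    if record is None or record["revoked"]:
        return 401, "invalid token"
    if (now if now is not None else time.time()) >= record["expires"]:
        return 401, "expired token"
    if required_scope not in record["scopes"]:
        return 403, "insufficient scope"
    return 200, "ok"
```

Rotation in this model means adding the digest of a new token and setting `revoked` on the old record; no plaintext token ever needs to be written to the server's storage.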