Step 2
In token-based authorization, the client is expected to send their token along with every request (for a "protected" resource) to the backend. The token can be included in the request as a query parameter or part of the payload. However, it is more common to enclose it as an Authorization header.
According to MDN:
The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to a protected resource.
The client must set the Authorization header when making requests to protected resources:
Authorization: Bearer <token>
Notice the keyword Bearer
ahead of the <token>
.
The name "Bearer" can be understood as "give access to the bearer of this token."
The bearer token is an encoded string (such as JWT), usually generated by the server in response to a login request. The bearer schema was created initially as part of OAuth 2.0 in RFC 6750.
The following GIF animation shows how to set the authorization header in Postman.