RFC 6750 — OAuth 2.0 Bearer Token Usage

Spec: datatracker.ietf.org/doc/html/rfc6750

Status: Full

RFC 6750 defines how bearer tokens are presented to protected resources and how resources validate them.

Implemented

  • Authorization header — Authorization: Bearer <token> is the canonical way to present access tokens to AuthHero APIs.
  • JWT access tokens — AuthHero issues RS256-signed JWTs as access tokens; resource servers can validate them against the tenant's JWKS without calling AuthHero.
  • Scope enforcement — protected endpoints assert required scopes against the token's scope claim.
  • WWW-Authenticate responses — missing or invalid tokens yield 401 Unauthorized with a WWW-Authenticate: Bearer challenge including error and error_description.

Not implemented / out of scope

  • Form-encoded body parameter and URI query parameter token delivery — these alternative transport mechanisms from RFC 6750 §2.2 and §2.3 are intentionally not supported; the Authorization header is the only accepted transport.

Released under the MIT License.