I'm seeing a lot more APIs adding the "Bearer " prefix which I don't really understand. What's the point of it? This particular one doesn't even look like a "conventional" bearer token in the JWT sense.
The “bearer” prefix indicates the token is a “bearer” type token, as defined in RFC6750. As opposed to, for example, a “mac” token type.
The bearer token can be a JWT, but can also be a different format of bearer token as long as it conforms to the requirements in the spec (i.e., only certain characters are allowed).
A “bearer” token means whoever has the token has authorization to perform the action. (Section 1.2 of the RFC goes into more details.)
The specified (RFC 7235) syntax of the Authorization header is that it starts with an authentication scheme, followed by the parameters for that scheme. "Bearer" is one of those schemes. "Basic" and "Digest" are others.
> Isn't that just fancy phrasing for a username/password?
Not quite. A username/password authenticates who or what something is; bearer tokens permit what actions can be taken by the holder of that token, and tend to be short-lived in nature and ideally for very specific actions.
Bearer tokens precede JWT, and they're part of the Authorization header.
For authentication & authorization, the caller sends a bearer token. The format of the token is known to both parties and the server knows how to validate it.
It's better than username/password combos because (1) not every "account" has a password, (2) tokens can and generally do expire, (3) they're not tied to the password: if the password changes, the tokens continue to be valid, (4) the user can invalidate the tokens of their choice, (5) you can grant restricted permissions to a token. You can do more or fewer things with tokens based on the needs of the application, but decoupling them from the password gives you additional security and flexibility.
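As an added illustration (my own example code, not anything posted by the commenters above or taken from a particular API), here is the server side of what the RFC 7235 comment and the post above describe: split the Authorization header into scheme and credentials, accept only the "Bearer" scheme, check the token against the RFC 6750 character rules, look it up in a store that holds only token hashes, and enforce expiry, revocation and per-token scopes. The token values, owners and scope names are constructed sample data; the `realm` and reason strings are my own choices, and the status codes follow RFC 6750 section 3.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# RFC 6750 section 2.1 token syntax:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def parse_authorization(header):
    """Split an RFC 7235 Authorization header into (scheme, credentials).

    RFC 7235 defines the value as an auth-scheme followed by whitespace and
    the scheme's parameters; the scheme name is case-insensitive, so it is
    lower-cased here. Returns None for a missing or malformed header.
    """
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, credentials = parts
    return scheme.lower(), credentials.strip()


@dataclass(frozen=True)
class TokenRecord:
    owner: str
    scopes: frozenset
    expires_at: int      # Unix time; bearer tokens should be short-lived
    revoked: bool = False


def _digest(token):
    # Store only a hash of each token so that a leaked store does not hand
    # out usable bearer credentials.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed sample data for this example (hypothetical tokens and owners).
NOW = 1_700_000_000
_SAMPLE_TOKENS = {
    "opaque-token-1": TokenRecord("alice", frozenset({"repo:read"}), NOW + 3600),
    "tok_bob.2": TokenRecord("bob", frozenset({"repo:read", "repo:write"}), NOW + 3600, revoked=True),
    "expired~token": TokenRecord("carol", frozenset({"repo:read"}), NOW - 1),
}
TOKEN_STORE = {_digest(t): rec for t, rec in _SAMPLE_TOKENS.items()}


def lookup_token(token):
    """Find the record for a presented token without leaking timing on mismatch."""
    wanted = _digest(token)
    found = None
    for stored_digest, rec in TOKEN_STORE.items():
        # Compare every entry with a constant-time function and never return
        # early, so response time does not depend on which entry matched.
        # (A real deployment would index a database by the digest instead.)
        if hmac.compare_digest(stored_digest, wanted):
            found = rec
    return found


def authorize(header, required_scope, now=NOW):
    """Validate a bearer request and return (ok, reason, owner)."""
    if header is None:
        return False, "missing_header", None
    parsed = parse_authorization(header)
    if parsed is None:
        return False, "malformed_header", None
    scheme, credentials = parsed
    if scheme != "bearer":
        return False, "unsupported_scheme", None
    if not B64TOKEN_RE.fullmatch(credentials):
        return False, "invalid_token_syntax", None
    rec = lookup_token(credentials)
    if rec is None:
        return False, "unknown_token", None
    if rec.revoked:
        return False, "revoked", None
    if now >= rec.expires_at:
        return False, "expired", None
    if required_scope not in rec.scopes:
        return False, "insufficient_scope", None
    return True, "ok", rec.owner


def challenge_for(reason, realm="api"):
    """Map an authorize() reason to the HTTP status and WWW-Authenticate
    challenge prescribed by RFC 6750 section 3 (realm name is hypothetical)."""
    if reason == "ok":
        return 200, None
    if reason in ("missing_header", "unsupported_scheme"):
        # No bearer credentials were presented: challenge without an error code.
        return 401, f'Bearer realm="{realm}"'
    if reason in ("malformed_header", "invalid_token_syntax"):
        return 400, f'Bearer realm="{realm}", error="invalid_request"'
    if reason in ("unknown_token", "revoked", "expired"):
        return 401, f'Bearer realm="{realm}", error="invalid_token"'
    if reason == "insufficient_scope":
        return 403, f'Bearer realm="{realm}", error="insufficient_scope"'
    raise ValueError(f"unknown reason: {reason}")


if __name__ == "__main__":
    for hdr in ("Bearer opaque-token-1", "bearer tok_bob.2",
                "Basic dXNlcjpwYXNz", "Bearer bad token!", "Bearer"):
        ok, reason, owner = authorize(hdr, "repo:read")
        print(f"{hdr!r:28} -> {reason:22} {challenge_for(reason)}")
```

Note that the scheme comparison is case-insensitive ("bearer tok_bob.2" is accepted as far as the scheme goes) because RFC 7235 defines auth-scheme names that way, while the token itself is compared exactly; and that a "Basic" header reaches the same code path and is rejected on scheme before any lookup, which is the practical reason the "Bearer " prefix matters to a server that accepts more than one scheme.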
Is there? If it's a custom token type, the server side will never break with it. The client generally wants the caller to provide the "Bearer" string as well; can it break without it?