Hacker News
by aaronbrager 1697 days ago
The “bearer” prefix indicates the token is a “bearer” type token, as defined in RFC6750. As opposed to, for example, a “mac” token type.

The bearer token can be a JWT, but can also be a different format of bearer token as long as it conforms to the requirements in the spec (i.e., only certain characters are allowed).

A “bearer” token means whoever has the token has authorization to perform the action. (Section 1.2 of the RFC goes into more details.)


Isn't that just fancy phrasing for a username/password?

Most APIs just have you set a key in the "Authorization" header. I don't get what value the "Bearer " prefix adds.

That RFC is strange; it seems it can be summarized in one line:

Include header "Authorization: Bearer [API key]" for authenticating API calls.

The specified (RFC7235) syntax of the Authorization header is that it starts with an authentication scheme, followed by the parameters for that scheme. "Bearer" is one of those schemes. "Basic" and "Digest" are others.

> Isn't that just fancy phrasing for a username/password?

Not quite. A username/password authenticates who or what something is; bearer tokens permit what actions can be taken by the holder of that token, and tend to be short-lived in nature and ideally for very specific actions.
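The two points made above, that the Authorization header is "scheme, then parameters" (RFC 7235) and that a Bearer token must use a restricted character set (RFC 6750), as an added example of how a resource server would parse and answer the header; this is not code from the thread. The realm name and the set of issued tokens are constructed (the one token value is the sample from RFC 6750's own example request).

```python
import re

# RFC 7235 s.2.1: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
# auth-scheme is an HTTP token; matched here, then compared case-insensitively.
_CREDENTIALS = re.compile(r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?: +(.*))?")

# RFC 6750 s.2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

REALM = "example"  # constructed realm name used in the challenge

# Constructed token store: a bearer token is accepted purely because the caller
# holds it, so the only server-side check is membership (and, in practice, expiry).
_ISSUED_TOKENS = {"mF_9.B5f-4.1JqM"}  # value taken from the RFC 6750 example request


def parse_authorization(header):
    """Split an Authorization value into (scheme, rest) with the scheme lower-cased."""
    m = _CREDENTIALS.fullmatch(header.strip())
    if m is None:
        raise ValueError("not a valid RFC 7235 credentials string")
    return m.group(1).lower(), (m.group(2) or "")


def _challenge(error=None):
    """Build the WWW-Authenticate value a resource server returns with a 401."""
    value = f'Bearer realm="{REALM}"'
    return value if error is None else f'{value}, error="{error}"'


def authenticate(header):
    """Return ("ok", token) or ("challenge", www_authenticate_value), per RFC 6750 s.3."""
    if header is None or not header.strip():
        # No credentials at all: challenge without an error code (RFC 6750 s.3.1).
        return "challenge", _challenge()
    try:
        scheme, rest = parse_authorization(header)
    except ValueError:
        return "challenge", _challenge("invalid_request")
    if scheme != "bearer":
        # Basic, Digest, or an API-specific scheme: not Bearer credentials, so just
        # advertise the scheme this resource expects.
        return "challenge", _challenge()
    if not rest:
        return "challenge", _challenge("invalid_request")   # scheme without a token
    if not _B64TOKEN.fullmatch(rest):
        return "challenge", _challenge("invalid_token")     # malformed token
    if rest not in _ISSUED_TOKENS:
        return "challenge", _challenge("invalid_token")     # unknown, expired or revoked
    return "ok", rest
```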