by pbreit 1702 days ago
Isn't that just fancy phrasing for a username/password?

Most APIs just have you set a key in the "Authorization" header. I don't get what value the "Bearer " prefix adds.

That RFC is strange and seems it can be summarized in one line:

Include header "Authorization: Bearer [API key]" for authenticating API calls.

2 comments

The specified (RFC 7235) syntax of the Authorization header is that it starts with an authentication scheme, followed by the parameters for that scheme. "Bearer" is one of those schemes. "Basic" and "Digest" are others.
> Isn't that just fancy phrasing for a username/password?

Not quite. username/password authenticate who or what something is; bearer tokens permit what actions can be taken by the holder of that token, and tend to be short-lived in nature and ideally for very specific actions.
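
Added example, not part of the thread: a small parser for the Authorization header syntax the comments describe (scheme first, then that scheme's credentials), showing how a server tells Bearer and Basic values apart. The function name `parse_authorization` and the sample values in the comments are assumptions made for illustration.

```python
import base64
import binascii
import re

# token68 from RFC 7235: the credential form used by both Basic and Bearer
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
# The auth-scheme is an HTTP "token" (no spaces, no "=")
SCHEME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_authorization(value):
    """Parse an Authorization header value into a dict, or raise ValueError."""
    scheme, _, rest = value.strip().partition(" ")
    rest = rest.strip(" ")
    if not SCHEME.fullmatch(scheme):
        raise ValueError("missing or malformed auth scheme")
    scheme = scheme.lower()  # scheme names are case-insensitive

    if scheme == "bearer":
        # The token is opaque to the parser; only its character set is checked.
        if not TOKEN68.fullmatch(rest):
            raise ValueError("bearer token is not a valid token68")
        return {"scheme": "bearer", "token": rest}

    if scheme == "basic":
        # Basic carries base64("username:password"), so it decodes to an identity.
        if not TOKEN68.fullmatch(rest):
            raise ValueError("basic credentials are not a valid token68")
        try:
            decoded = base64.b64decode(rest, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("basic credentials are not valid base64") from exc
        user, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError("basic credentials lack the ':' separator")
        return {"scheme": "basic", "username": user, "password": password}

    # Other schemes (e.g. Digest) define their own parameter syntax.
    # A bare key such as "abc123" lands here: it is read as a scheme name
    # with no credentials, which is why the prefix matters to a generic parser.
    return {"scheme": scheme, "params": rest}
```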