TL;DR: JWTs describe token format while bearer tokens describe how credentials are transmitted, and the two are often combined in OAuth 2.0 and OpenID Connect flows, according to Descope. The distinction matters because possession of a bearer token grants access, so revocation, storage, and validation choices shape security outcomes far more than syntax does.
At a glance
What this is: This is a developer explainer that separates JWT token format from bearer token transport and shows how the two are commonly combined in API authentication.
Why it matters: It matters because IAM teams need to understand where possession-based access increases blast radius across human sessions, NHI secrets, and API-driven workloads.
👉 Read Descope's explanation of JWT and bearer token differences
Context
JWT and bearer token are not the same thing. A bearer token is the transport and authorization scheme, while a JWT is a compact token format that can carry claims. For identity programmes, the distinction matters because a token’s form does not determine its governance model, but the way it is handled does.
That matters across API security, workload identity, and non-human identity governance. A bearer credential can be replayed by whoever holds it, which means storage, expiry, revocation, and validation controls carry more weight than the token label itself.
Key questions
Q: How should security teams choose between JWTs and opaque tokens for APIs?
A: Choose JWTs when distributed validation, low latency, and stateless scale matter most. Choose opaque tokens when revocation speed, centralized session control, or claim privacy is more important. The right answer depends on how quickly access must be withdrawn and whether the API can tolerate server-side token lookup on each request.
Q: Why do bearer tokens increase security risk in API environments?
A: Bearer tokens increase risk because possession is enough to use them. If a token is stolen from a log, browser storage, proxy trace, or automation workflow, the attacker can usually replay it until expiry or revocation. That makes token protection, transport security, and token lifetime policy critical control points.
Q: What do teams get wrong about JWT claims and authorization?
A: Teams often assume that because a JWT is signed, its claims are automatically safe to trust for long periods. In practice, claims can become stale, overly broad, or misaligned with current entitlements. The token may still validate correctly while representing access that should no longer exist.
Q: What is the difference between revocation in JWT and opaque token designs?
A: JWT revocation is usually indirect because the token is self-contained, so teams rely on short expiry, key rotation, or token introspection patterns. Opaque tokens can be revoked centrally by removing the server-side record. The practical difference is speed and control, not just format.
Technical breakdown
Bearer token transport and possession-based access
A bearer token works on a simple rule: possession is authorization. The API does not need a separate proof of identity beyond the valid token presented in the request, which is why these tokens are widely used in HTTP Authorization headers. The downside is also straightforward. If the token is intercepted, copied, or logged, it can usually be replayed until it expires or is revoked. That makes bearer tokens efficient for stateless systems, but fragile wherever secrets are exposed across clients, proxies, or automation paths.
Practical implication: protect bearer credentials as secrets, not as harmless transport metadata.
JWT structure, claims, and signature validation
A JWT is a signed container for claims such as subject, expiry, or roles. Its value comes from being self-contained, so the server can validate signature and time claims without calling back to a database for every request. That improves scale, but it also means the token’s contents must be treated as a policy input. If claims are too broad, too long-lived, or inconsistent with current access state, the system may continue to authorise actions that no longer fit the intended role.
Practical implication: align JWT claim design with the shortest workable lifetime and the narrowest workable privilege set.
JWT bearer flows versus opaque bearer tokens
JWT bearer tokens and opaque bearer tokens solve different operational problems. JWTs reduce lookup overhead and work well in distributed APIs, while opaque tokens push validation back to a server-side store, which makes immediate revocation and centralized session control easier. Many programmes combine both by using a short-lived JWT access token and a longer-lived opaque refresh token. That hybrid design is common because it balances performance with control, but it also introduces a governance boundary that teams must explicitly manage.
Practical implication: decide whether revocation speed or stateless scale is the higher priority before standardising the token pattern.
NHI Mgmt Group analysis
Bearer semantics create replayable identity risk wherever possession is enough. The article’s core distinction is not academic: once a credential can be used by anyone who holds it, the control problem shifts from authentication ceremony to token protection. That pattern is central to API security, workload access, and human session handling. Practitioners should treat bearer usage as a governance choice with clear replay risk, not as a neutral transport default.
JWT format does not solve lifecycle control. A signed token can still outlive the access state it represents, which is why expiry and claim design matter more than many teams assume. Self-contained claims help scale authorization, but they also create a lag between real-world entitlement changes and enforcement. The consequence is that governance moves from central lookups to token issuance policy, which is where many identity programmes are weakest.
Opaque tokens preserve revocation authority that JWTs distribute away. That makes them better when immediate invalidation, session centralization, or privacy of claims is the operational requirement. The broader identity lesson is that token choice is really a control-plane decision about where trust is stored and how quickly it can be withdrawn. Teams should choose formats based on governance mechanics, not developer convenience.
Token architecture now sits at the intersection of human IAM and NHI governance. Human sessions, service accounts, and API clients all rely on credentials that can be replayed if exposed, but the recovery model differs by actor type. The same design question recurs across the stack: how do you constrain possession-based access when the credential may be copied, cached, or forwarded outside the intended boundary? Practitioners should standardise controls by actor type rather than by token label.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.
- That same governance blind spot is why teams should compare token architecture with the Ultimate Guide to NHIs and the boundaries of identity lifecycle control.
What this signals
Token choice is increasingly a governance boundary, not just an implementation detail. As APIs, service accounts, and AI-enabled workflows all rely on possession-based credentials, the next wave of identity work will focus less on token syntax and more on revocation authority, claim freshness, and session containment. Teams that cannot explain where a credential is validated and where it is revoked will struggle to govern either human or non-human access responsibly.
Bearer semantics expose the same control question across IAM and NHI programmes. If a credential can be copied and replayed, then storage, expiry, and transport hygiene become the real security model. That is why organisations should align token design with the identity type they are protecting, rather than assuming one pattern fits user sessions, workload access, and automation alike.
The practical signal is simple: if your programme cannot revoke access quickly enough to match compromise or role change, the token model is already out of alignment. This is where possession-based access intersects with broader identity governance, because the control gap appears first in the credential layer and only later in the incident report.
For practitioners
- Classify every bearer credential as replayable access Map which API keys, access tokens, and session artifacts grant access purely by possession, then treat those items as high-value secrets with stricter storage and transport controls. This is especially important where bearer semantics cross service boundaries or enter automation paths.
- Use short-lived JWTs only where claim freshness is acceptable Set expiry to match the shortest operational window that still supports the workflow, and avoid embedding permissions that change frequently. Short-lived tokens reduce exposure, but they do not remove the need for revocation planning.
- Prefer opaque tokens when revocation must be immediate Use server-side token stores when logout, role change, or compromise response must take effect right away. Centralized session state gives you an enforcement point that self-contained tokens do not provide.
- Separate access-token and refresh-token governance Design the refresh path as a distinct control surface, with tighter storage, stronger monitoring, and clearer rotation rules than the access token. Hybrid patterns only work when the long-lived credential is governed more strictly than the short-lived one.
Key takeaways
- Bearer tokens and JWTs solve different problems, so treating them as interchangeable weakens identity design.
- The main security issue is possession-based replay, which makes storage, expiry, and revocation policy central controls.
- Teams should choose token patterns based on governance needs, especially how quickly access must be withdrawn.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Bearer tokens are replayable secrets that must be protected and rotated. |
| NIST CSF 2.0 | PR.AC-4 | Token validation and authorization decisions map to access control enforcement. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Possession-based access needs continuous trust verification under zero trust. |
Treat bearer tokens as high-value NHI secrets and align rotation and storage with NHI-03.
Key terms
- Bearer Token: A bearer token is a credential that grants access to whoever possesses it. In practice, that means the token must be treated as a replayable secret because the server does not require additional proof that the caller is the original holder.
- JWT: A JWT, or JSON Web Token, is a compact, signed token format that carries claims about a subject or session. It is self-contained, which makes it efficient for distributed authentication, but it also means the claims can outlive the access state they describe.
- Opaque Token: An opaque token is a non-decodable identifier whose meaning lives only on the server side. It is useful when teams need central revocation, shorter trust chains, or privacy over claim contents, because validation requires a lookup rather than local decoding.
- Claim Freshness: Claim freshness is the degree to which the data inside a token still matches current entitlement state. When claims become stale, a token can remain technically valid while authorizing actions that no longer fit policy or business reality.
What's in the full article
Descope's full blog post covers the implementation detail this post intentionally leaves at the concept level:
- Step-by-step examples of how JWTs are encoded, signed, and validated in common API flows
- Code snippets showing bearer-token handling in request headers, cookies, and query parameters
- Practical comparisons of short-lived JWT access tokens versus opaque refresh tokens for revocation control
- A hybrid authentication flow example that combines self-contained access tokens with server-side session state
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org