Security

Bearer Token

Last updated: February 16, 2026

A bearer token is a type of access credential included in HTTP requests to authenticate the caller. The term "bearer" means that anyone who possesses (bears) the token is granted access, with no additional proof of identity required. Bearer tokens are transmitted in the Authorization HTTP header using the format Authorization: Bearer <token>.

Why It Matters

Bearer tokens are the standard authentication mechanism for AI gateways, model provider APIs, and internal service communication. In a reverse proxy architecture, the wrapper injects a bearer token into every request forwarded to the AI gateway, so users can access the control UI and chat interfaces without needing to know the token themselves. This pattern centralizes authentication at the proxy layer and simplifies the user experience, since the gateway token never has to be distributed to end users.

How It Works

When a client sends a request, it includes the bearer token in the Authorization header. The receiving server extracts the token, validates it by comparing it against a stored value (for opaque tokens) or by verifying its cryptographic signature (for signed tokens), and either grants or denies access. Unlike session cookies, bearer tokens are stateless: the server does not need to maintain session state, which makes them well suited to API communication between services.

In AI assistant deployments, the gateway token is generated during onboarding and stored both as an environment variable and in the gateway configuration file. The reverse proxy injects this token into every proxied HTTP request and WebSocket upgrade, ensuring seamless authentication for all traffic passing through to the gateway.
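The two halves of the flow described above, as an added example that is not part of this page or of any particular gateway product: a gateway-side check that extracts the token from the Authorization header and compares it in constant time against the stored value, and a proxy-side step that sets the header on the forwarded request. The environment variable name GATEWAY_TOKEN, the header dictionaries and the sample token values are all assumptions constructed for the example.

```python
import hmac
import os

# Assumed variable name; a real deployment reads the token generated during
# onboarding from the environment. The fallback is a constructed placeholder.
GATEWAY_TOKEN = os.environ.get("GATEWAY_TOKEN", "example-token-do-not-use")


def extract_bearer_token(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, or None.

    HTTP header names and the scheme name are case-insensitive. Anything that
    is not exactly two whitespace-separated parts with a Bearer scheme is
    treated as no credential at all rather than guessed at.
    """
    value = None
    for name, header_value in headers.items():
        if name.lower() == "authorization":
            value = header_value
            break
    if value is None:
        return None
    parts = value.strip().split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def is_authorized(headers, expected=GATEWAY_TOKEN):
    """Gateway-side check against the stored token value.

    hmac.compare_digest runs in constant time, so a wrong token does not leak
    how many leading characters matched through response timing.
    """
    token = extract_bearer_token(headers)
    if token is None:
        return False
    return hmac.compare_digest(token.encode(), expected.encode())


def inject_bearer_token(client_headers, token=GATEWAY_TOKEN):
    """Proxy-side step: build the header set forwarded to the gateway.

    The proxy replaces any Authorization header the client sent with its own
    Bearer token, so the gateway always sees exactly one credential, the one
    held by the proxy, and the user never needs to know it.
    """
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != "authorization"
    }
    forwarded["Authorization"] = f"Bearer {token}"
    return forwarded


if __name__ == "__main__":
    # Constructed request from a browser user who does not hold the token.
    client_request = {"Host": "control-ui.example", "Accept": "text/html"}
    print("client authorized directly:", is_authorized(client_request, "s3cret"))
    proxied = inject_bearer_token(client_request, token="s3cret")
    print("proxied request authorized:", is_authorized(proxied, "s3cret"))
```

The same extract-and-compare logic applies to the WebSocket upgrade request, which is an ordinary HTTP request carrying the same header before the connection switches protocols.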

In Practice

Always transmit bearer tokens over HTTPS to prevent interception; because possession alone grants access, a token observed in transit can be replayed by whoever captured it. Store tokens in environment variables rather than hardcoding them in source code. Use a stable token value across redeployments by setting it as a persistent environment variable. If a token is compromised, rotate it immediately by updating the environment variable and restarting the gateway to sync the new value.