The OAuth 2.0 Authorization Framework: Bearer Token Usage

This section contains the generic implementation of RFC6750.

Guide on Bearer Token

Bearer tokens are used in the OAuth 2.0 framework to protect resources. You need to implement the missing methods of BearerTokenValidator before using it. Learn how to use it in Protect Resources.

API Reference

class authlib.specs.rfc6750.BearerTokenValidator(realm=None)
Parameters: token_string – a string representing the access_token.
class authlib.specs.rfc6750.BearerToken(access_token_generator, refresh_token_generator=None, expires_generator=None)

Bearer token generator that creates the payload of the token response returned by an OAuth 2 server. A typical token response would be:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

  • access_token_generator – a function to generate the access_token.
  • refresh_token_generator – a function to generate the refresh_token; if not provided, no refresh_token is added to the token response.
  • expires_generator

    The expires_generator can be an int value or a function. If it is an int, every token's expires_in will be this value. If it is a function, it can generate expires_in depending on the client and grant_type:

    def expires_generator(client, grant_type):
        if is_official_client(client):
            return 3600 * 1000
        if grant_type == 'implicit':
            return 3600
        return 3600 * 10


When BearerToken is initialized, it will be callable:

token_generator = BearerToken(access_token_generator)
token = token_generator(client, grant_type, expires_in=None,
            scope=None, include_refresh_token=True)

The callable that BearerToken creates accepts these parameters:

  • client – the client that is making the request.
  • grant_type – the currently requested grant_type.
  • expires_in – if provided, use this value as expires_in.
  • scope – the currently requested scope.
  • include_refresh_token – whether a refresh_token should be included.

Returns: Token dict


default expires_in value

GRANT_TYPES_EXPIRES_IN = {'authorization_code': 864000, 'client_credentials': 864000, 'implicit': 3600, 'password': 864000}

default expires_in value, differentiated by grant_type
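The following is an added example, not Authlib's own source: a minimal Python re-implementation of the documented BearerToken behaviour (constructor arguments, the int-or-function expires_generator, the per-grant_type default table and the callable's signature), so the resulting token dict can be inspected offline. The generator signature (client, grant_type), the DemoBearerToken class name, the FALLBACK_EXPIRES_IN value and the sample client are assumptions made for this example.

```python
import secrets

# Default lifetimes copied from this page, keyed by grant_type
GRANT_TYPES_EXPIRES_IN = {
    'authorization_code': 864000,
    'client_credentials': 864000,
    'implicit': 3600,
    'password': 864000,
}
FALLBACK_EXPIRES_IN = 3600  # assumption: used for grant types absent from the table


class DemoBearerToken:
    """Mirrors the documented BearerToken constructor and call signature."""

    def __init__(self, access_token_generator, refresh_token_generator=None,
                 expires_generator=None):
        self.access_token_generator = access_token_generator
        self.refresh_token_generator = refresh_token_generator
        self.expires_generator = expires_generator

    def _get_expires_in(self, client, grant_type):
        # int -> fixed lifetime; function -> decided per client/grant_type;
        # None -> fall back to the per-grant_type default table
        if isinstance(self.expires_generator, int):
            return self.expires_generator
        if callable(self.expires_generator):
            return self.expires_generator(client, grant_type)
        return GRANT_TYPES_EXPIRES_IN.get(grant_type, FALLBACK_EXPIRES_IN)

    def __call__(self, client, grant_type, expires_in=None, scope=None,
                 include_refresh_token=True):
        if expires_in is None:
            expires_in = self._get_expires_in(client, grant_type)
        token = {
            'token_type': 'Bearer',  # RFC 6750 token type
            'access_token': self.access_token_generator(client, grant_type),
            'expires_in': expires_in,
        }
        if scope:
            token['scope'] = scope
        if include_refresh_token and self.refresh_token_generator:
            token['refresh_token'] = self.refresh_token_generator(client, grant_type)
        return token


def random_token(client, grant_type):
    # 32 bytes from the OS CSPRNG: a bearer token is only as strong as its unguessability
    return secrets.token_urlsafe(32)


def expires_by_grant(client, grant_type):
    # Constructed policy: short-lived tokens for implicit, longer otherwise
    return 3600 if grant_type == 'implicit' else 3600 * 10


def build_tokens():
    client = {'client_id': 'demo-client'}  # constructed client record
    fixed = DemoBearerToken(random_token, random_token, 1800)
    policy = DemoBearerToken(random_token, expires_generator=expires_by_grant)
    return (fixed(client, 'authorization_code', scope='profile'),
            policy(client, 'implicit', include_refresh_token=False),
            policy(client, 'password', expires_in=60))
```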