RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage

This section contains the generic implementation of RFC6750.

Guide on Bearer Token

Bearer tokens are used in the OAuth 2.0 framework to protect resources. A bearer token is a credential that grants access to whoever presents it, so it must only travel over TLS and must be checked for validity, revocation and scope on every request. You need to implement the missing methods of BearerTokenValidator before using it. Learn how to use it in Resource Server.

API Reference

class authlib.oauth2.rfc6750.BearerTokenValidator(realm=None)

authenticate_token(token_string)

A method to query the token from the database with the given token string. Developers MUST re-implement this method. It should return the token instance, or None if no such token exists. For instance:

def authenticate_token(self, token_string):
    return get_token_from_database(token_string)
Parameters:token_string – A string to represent the access_token.

request_invalid(request)

Check if the HTTP request is valid or not. Developers MUST re-implement this method. Return True to reject the request. For instance, if your server requires an “X-Device-Version” header, the request is invalid when that header is missing:

def request_invalid(self, request):
    return 'X-Device-Version' not in request.headers

Usually, you don’t have to detect if the request is valid or not; you can just return False.

Parameters:request – instance of TokenRequest

token_revoked(token)

Check if this token is revoked. Developers MUST re-implement this method. If there is a column called revoked on the token table:

def token_revoked(self, token):
    return token.revoked
Parameters:token – token instance
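The three hooks above combined into one validator, as an added example that is not part of the original page or of Authlib itself. It subclasses the real BearerTokenValidator when Authlib is importable and otherwise falls back to a minimal stand-in with the same constructor, so it runs offline. The in-memory TOKEN_DB, the Token dataclass, the make_request helper and the check method are constructed for illustration; check runs the hooks in the order a resource server would and maps failures to the RFC 6750 error codes (invalid_request, invalid_token, insufficient_scope). The expiry comparison in check is an addition of this example, not one of the three hooks the page describes.

```python
import time
from dataclasses import dataclass
from types import SimpleNamespace

try:
    from authlib.oauth2.rfc6750 import BearerTokenValidator
except ImportError:  # fallback so the example runs without Authlib installed
    class BearerTokenValidator:
        def __init__(self, realm=None):
            self.realm = realm


@dataclass
class Token:
    """Constructed stand-in for a row in a token table."""
    access_token: str
    scope: str
    expires_at: float
    revoked: bool = False


# Constructed in-memory "database" standing in for get_token_from_database().
# In a real deployment store a hash of the token string, not the token itself,
# so a database leak does not hand out usable credentials.
TOKEN_DB = {
    "good-token": Token("good-token", "read write", time.time() + 3600),
    "revoked-token": Token("revoked-token", "read", time.time() + 3600, revoked=True),
    "expired-token": Token("expired-token", "read", time.time() - 1),
}


def make_request(headers):
    """Constructed request object: the validator only needs .headers here."""
    return SimpleNamespace(headers=dict(headers))


class MyBearerTokenValidator(BearerTokenValidator):
    def authenticate_token(self, token_string):
        # Return the token instance, or None when it is unknown.
        return TOKEN_DB.get(token_string)

    def request_invalid(self, request):
        # The server REQUIRES this header, so a request WITHOUT it is invalid.
        return "X-Device-Version" not in request.headers

    def token_revoked(self, token):
        return token.revoked

    def check(self, token_string, required_scope, request):
        """Added helper: run the hooks in order and return an RFC 6750 error code or 'ok'."""
        if self.request_invalid(request):
            return "invalid_request"
        token = self.authenticate_token(token_string)
        if token is None or self.token_revoked(token):
            # Do not tell the client whether the token is unknown or revoked.
            return "invalid_token"
        if token.expires_at <= time.time():
            return "invalid_token"
        if required_scope and required_scope not in token.scope.split():
            return "insufficient_scope"
        return "ok"
```

A deliberate design choice here is that unknown, revoked and expired tokens all collapse to the same invalid_token result; distinguishing them in the response would let a client probe which token strings exist.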
class authlib.oauth2.rfc6750.BearerToken(access_token_generator, refresh_token_generator=None, expires_generator=None)

Bearer Token generator which can create the payload for the token response of an OAuth 2 server. A typical token response would be (the Cache-Control and Pragma headers are there so the token is never cached by proxies or browsers):

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

Parameters:
  • access_token_generator – a function to generate access_token.
  • refresh_token_generator – a function to generate refresh_token; if not provided, refresh_token will not be added into the token response.
  • expires_generator

    The expires_generator can be an int value or a function. If it is an int, all tokens' expires_in will be this value. If it is a function, it can generate expires_in depending on client and grant_type:

    def expires_generator(client, grant_type):
        if is_official_client(client):
            return 3600 * 1000
        if grant_type == 'implicit':
            return 3600
        return 3600 * 10


When BearerToken is initialized, it will be callable:

token_generator = BearerToken(access_token_generator)
token = token_generator(client, grant_type, expires_in=None,
                        scope=None, include_refresh_token=True)

The callable function that BearerToken created accepts these parameters:

  • client – the client making the request.
  • grant_type – current requested grant_type.
  • expires_in – if provided, use this value as expires_in.
  • scope – current requested scope.
  • include_refresh_token – should refresh_token be included.

Returns: Token dict


default expires_in value

GRANT_TYPES_EXPIRES_IN = {'authorization_code': 864000, 'client_credentials': 864000, 'implicit': 3600, 'password': 864000}

default expires_in value differentiated by grant_type
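The callable behaviour described above, the expires_generator rules (int, function, or fall back to the per-grant_type table), and the GRANT_TYPES_EXPIRES_IN table, worked through in one added example. This is not Authlib's BearerToken and not code from the original page: ExampleBearerToken is a stand-alone reimplementation of the documented behaviour so that it runs offline. The zero-argument generator signatures, the DEFAULT_EXPIRES_IN value (the page does not show it), the is_official_client helper and the SimpleNamespace clients are assumptions made for this example.

```python
import secrets
from types import SimpleNamespace

# Copied from the page: default expires_in per grant_type.
GRANT_TYPES_EXPIRES_IN = {
    'authorization_code': 864000,
    'client_credentials': 864000,
    'implicit': 3600,
    'password': 864000,
}
DEFAULT_EXPIRES_IN = 3600  # assumption: the page does not show the default value


def access_token_generator():
    # Use the secrets module, never random: tokens must be unpredictable.
    return secrets.token_urlsafe(32)


def refresh_token_generator():
    return secrets.token_urlsafe(48)


def is_official_client(client):
    # Hypothetical helper; the page references it but does not define it.
    return getattr(client, 'official', False)


def expires_generator(client, grant_type):
    # The page's example expires_generator.
    if is_official_client(client):
        return 3600 * 1000
    if grant_type == 'implicit':
        return 3600
    return 3600 * 10


class ExampleBearerToken:
    """Reimplementation of the documented BearerToken behaviour (not Authlib's class)."""

    def __init__(self, access_token_generator, refresh_token_generator=None,
                 expires_generator=None):
        self.access_token_generator = access_token_generator
        self.refresh_token_generator = refresh_token_generator
        self.expires_generator = expires_generator

    def _expires_in(self, client, grant_type):
        # Resolution order: int generator, function generator, per-grant table, default.
        if isinstance(self.expires_generator, int):
            return self.expires_generator
        if callable(self.expires_generator):
            return self.expires_generator(client, grant_type)
        return GRANT_TYPES_EXPIRES_IN.get(grant_type, DEFAULT_EXPIRES_IN)

    def __call__(self, client, grant_type, expires_in=None, scope=None,
                 include_refresh_token=True):
        token = {
            'token_type': 'Bearer',
            'access_token': self.access_token_generator(),
        }
        # An explicit expires_in argument wins over every generator.
        if expires_in is None:
            expires_in = self._expires_in(client, grant_type)
        token['expires_in'] = expires_in
        # refresh_token only appears when a generator exists AND the caller asks for it.
        if include_refresh_token and self.refresh_token_generator is not None:
            token['refresh_token'] = self.refresh_token_generator()
        if scope:
            token['scope'] = scope
        return token


# Constructed clients for the usage below.
OFFICIAL_CLIENT = SimpleNamespace(client_id='first-party', official=True)
THIRD_PARTY_CLIENT = SimpleNamespace(client_id='third-party', official=False)
```

Note that an implicit-grant token never gets a refresh_token in practice; the flag include_refresh_token=False is how a server expresses that, which is why the example keeps the decision with the caller rather than inside the generator.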