I am new to API development. Currently I pass my access/auth token in the request body. For example,
{
status:true,
token:"<thetoken>"
}
But when I read about API security, they use the Authorization header to pass the token.
My question is: what will happen, or what's wrong, if I send the token in the request body?
-- Thank you ❤ ---
First of all, securing API endpoints is a solved task. Instead of inventing your own authorization protocol, I suggest you have a look at already existing industry standards like the OAuth 2.0 Authorization Framework (RFC 6749).
Following standards makes sense for multiple reasons:
However, there is nothing wrong with sending an access token in a request body. In RFC 6750 the OAuth 2.0 protocol defines all possible bearer token usages including sending the token as a Form-Encoded Body Parameter. Make sure to read carefully and take the security considerations into account.
Long story short: It does not really matter how you hand around the access token, as long as you follow the standards.