Sending an access token

As an app developer, you need to include an access token in any request to Apigee for a protected resource (an API that is protected with a VerifyAccessToken policy). Note that access tokens are also called bearer tokens.

Sending an access token in a request

When you put a VerifyAccessToken policy at the front of your API proxy flow, apps must present a verifiable access token (also called a bearer token) to consume your API. To do this, the app sends the access token in the request as an Authorization HTTP header.

For example:

$ curl -H "Authorization: Bearer ylSkZIjbdWybfs4fUQe9BqP0LH5Z" http://{org_name}-test.apigee.net/weather/forecastrss?w=12797282

Apigee will verify that the access token presented is valid, and then grant access to the API, returning the response to the app that made the request.

Related information

For information on obtaining an access token, see Requesting tokens and auth codes.

For information on verifying access tokens, see Verifying access tokens.