Using and generating an app-only Bearer Token

A bearer token allows developers to have a more secure point of entry for using the X APIs, and are one of the core features of OAuth 2.0.  Authentication, which uses a Bearer Token, is also known as application-only authentication. A Bearer Token is a byte array of unspecified format that you generate using a script like a curl command. You can also obtain a Bearer Token from the developer portal inside the keys and tokens section of your App’s settings. More information about this feature can be found on OAuth’s official documentation.

When are they used?

The products that require the use of a Bearer Token are as follows:

Prerequisites

You will need to sign up for a developer account and to have created a X App. Once you have those, you’ll also need to obtain the API keys found in the developer portal. Follow the steps below:
  1. Login to your X account on developer.x.com.
  2. Navigate to the X App dashboard and open the X App for which you would like to generate access tokens.
  3. Navigate to the “keys and tokens” page.
  4. You’ll find the API keys, user Access Tokens, and Bearer Token on this page.

How to generate a Bearer Token

You can find the Bearer Token for your App with the rest of your “Keys and Tokens”. Copy the following cURL request into your command line after making changes to the following consumer API keys previously obtained from your X App. Note that the consumer API keys used on this page have been decommissioned and will not work for real requests.
  • API key <API key> e.g.xvz1evFS4wEEPTGEFPHBog
  • API secret key <API secret key> e.g. L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg 
    curl -u "$API_KEY:$API_SECRET_KEY" \
--data 'grant_type=client_credentials' \
'https://api.x.com/oauth2/token'
Here’s an example of how the curl request should look with your API keys entered: 
curl -u 'xvz1evFS4wEEPTGEFPHBog:L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg' \
--data 'grant_type=client_credentials' \
'https://api.x.com/oauth2/token'
Here is what the response would look like. Note that this is a decommissioned Bearer Token: {"token_type":"bearer","access_token":"AAAAAAAAAAAAAAAAAAAAAMLheAAAAAAA0%2BuSeid%2BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F"} Our Bearer Token used to authenticate to resources with OAuth 2.0 would be: AAAAAAAAAAAAAAAAAAAAAMLheAAAAAAA0%2BuSeid%2BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F