Sending an access token
This pageapplies toApigee andApigee hybrid.
View Apigee Edge documentation.
As an app developer, you need to include an access token in any request to Apigee for a protected resource (an API that is protected with a VerifyAccessToken policy). Note that access tokens are also calledbearer tokens.
Sending an access token in a request
When you put a VerifyAccessToken policy at the front of your API proxy flow, apps must present a verifiableaccess token (also called abearer token) to consume your API. To do this, the app sends the access token in the request as anAuthorization HTTP header.
For example:
$ curl -H "Authorization: Bearer ylSkZIjbdWybfs4fUQe9BqP0LH5Z" http://{org_name}-test.apigee.net/weather/forecastrss?w=12797282Apigee will verify that the access token presented is valid, and then grant access to the API, returning the response to the app that made the request.
Related information
For information on obtaining an access token, seeGet OAuth 2.0 tokens.
For information on verifying access tokens, seeVerifying access tokens.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.