As an app developer, you need to include an access token in any request to Apigee for a
protected resource (an API that is protected with a VerifyAccessToken policy). Note that access
tokens are also called bearer tokens.
Sending an access token in a request
When you put a VerifyAccessToken policy at the front of your API proxy flow, apps must present
a verifiable access token (also called a bearer token) to consume
your API. To do this, the app sends the access token in the request as
an Authorization HTTP header.
Apigee will verify that the access token presented is valid, and then grant access to the
API, returning the response to the app that made the request.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis content applies to both Apigee and Apigee hybrid platforms.\u003c/p\u003e\n"],["\u003cp\u003eApp developers must include an access token, also referred to as a bearer token, in requests to access protected resources on Apigee.\u003c/p\u003e\n"],["\u003cp\u003eThe access token is sent in the request as an Authorization HTTP header.\u003c/p\u003e\n"],["\u003cp\u003eApigee verifies the validity of the presented access token before granting API access and returning a response.\u003c/p\u003e\n"]]],[],null,["# Sending an access token\n\n*This page\napplies to **Apigee** and **Apigee hybrid**.*\n\n\n*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*\n\nAs an app developer, you need to include an access token in any request to Apigee for a\nprotected resource (an API that is protected with a VerifyAccessToken policy). Note that access\ntokens are also called *bearer tokens*.\n\nSending an access token in a request\n------------------------------------\n\nWhen you put a VerifyAccessToken policy at the front of your API proxy flow, apps must present\na verifiable **access token** (also called a *bearer token* ) to consume\nyour API. To do this, the app sends the access token in the request as\nan **Authorization HTTP header**.\n\nFor example: \n\n```\n$ curl -H \"Authorization: Bearer ylSkZIjbdWybfs4fUQe9BqP0LH5Z\" http://{org_name}-test.apigee.net/weather/forecastrss?w=12797282\n```\n\nApigee will verify that the access token presented is valid, and then grant access to the\nAPI, returning the response to the app that made the request.\n\nRelated information\n-------------------\n\nFor information on obtaining an access token, see [Get OAuth 2.0 tokens](/apigee/docs/api-platform/security/oauth/access-tokens).\n\nFor information on verifying access tokens, see [Verifying access tokens](/apigee/docs/api-platform/security/oauth/using-access-tokens)."]]
