So you might have already seen Authorization headers in HTTP requests that look like this: "Bearer", a space, and then a token. Today we're actually going to discuss what these bearer tokens are.

The easiest way to understand this is by making an example. So let's suppose you're walking around the streets and you have some cash with you, yeah, five dollars, okay? So you walk around and, for whatever reason, you lose these five dollars. Okay, you just drop them on the ground, or someone robs you, or whatever. So now this person has the money, and the person with the cash can now go to a store and buy some stuff, right? The store is not going to ask "hey, is this actually your money?" or "how did you obtain this money?" The person can just go there and use the money. And this is exactly what bearer tokens are. So a bearer token is a token where anyone in possession of the token can use it, okay? It's similar to cash: he who has the cash can just use it however he or she likes. You don't need to prove, at least in most cases, where you got the cash from, and this is what bearer tokens are.

Now of course this is a very simple form of authorization, which also has some downsides, right? If you don't have to prove that it's actually your token, or how you got the token, then someone else might just steal it and use it. So if we go back to the IT world: if someone is able to obtain this token, then you have a data breach, because then server B is going to think "oh yeah, okay, this is definitely server A," even though it's not.

And there are a few ways of how you can handle this. One way I just quickly wanted to go over is something called proof of possession. So in our example this would mean that you can't just directly use the cash, but you would actually need to tell the store owner, or you need to prove to the store owner, that this is cash you have legitimately obtained. Now this is probably where the metaphor ends a little bit, because this is not how reality really is, but in the IT world this usually works with some form of certificates. So every party generates a private key and a public key, you generate certificates, you exchange certificates, and then you use this token, and only he who can prove that he has the private key of the respective certificate can actually use this token. But I don't want to go into too much detail here, because I will make a dedicated video about this specifically in the OAuth world: so how do you implement mutual TLS, and how do you make sure that only the one who is in possession of a specific private key can use it? Yeah, but the idea is clear. So every server generates a key pair, a private and a public key; then everybody creates a certificate from their respective public key; then people swap certificates; and then you somehow have to prove that you are in possession of the private key to the respective other party before you can use it. So that would, for example, be a proof of possession. Of course, as you have seen, this would make things a little bit more complicated. Just imagine if you buy some gum for 50 cents, you would need to prove to the store owner where you got the 50 cents from. That's a little bit complicated, but in high security environments these proof-of-possession notions make a lot of sense.

Cool, so I hope it's clear what bearer tokens are. Stay tuned and make sure to check out my future videos on mutual TLS, where I will elaborate on proof of possession. And yeah, if you have any questions, just let me know, leave a like and subscribe to the channel, and I'll see you in the next one. Bye!
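As an added example (not from the video), here is a small Python model of the difference described above: a bearer check, where anyone holding a validly signed token is accepted, beside a proof-of-possession check in the style of certificate-bound tokens (RFC 8705, the cnf.x5t#S256 claim), where the token must also match the client certificate that the mutual TLS handshake authenticated. The signing key, the token format and the certificate byte strings are constructed stand-ins; in a real deployment the handshake itself is what proves the client holds the private key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-signing-key"  # assumption: the token issuer's signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a client certificate, the value RFC 8705 puts in cnf.x5t#S256."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(subject: str, bound_cert: Optional[bytes] = None) -> str:
    """Issue an HMAC-signed token; with bound_cert, embed its thumbprint so the token is cert-bound."""
    claims = {"sub": subject}
    if bound_cert is not None:
        claims["cnf"] = {"x5t#S256": cert_thumbprint(bound_cert)}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def parse_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, else None (tampered or forged token)."""
    payload, sig = token.split(".")
    expected = b64url(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def accept_bearer(token: str) -> bool:
    """Bearer semantics: whoever presents a validly signed token gets in, like cash."""
    return parse_token(token) is not None


def accept_pop(token: str, presenter_cert: Optional[bytes]) -> bool:
    """Proof of possession: the token's cnf thumbprint must match the cert mTLS authenticated."""
    claims = parse_token(token)
    if claims is None or presenter_cert is None:
        return False
    bound = claims.get("cnf", {}).get("x5t#S256")
    return bound is not None and hmac.compare_digest(bound, cert_thumbprint(presenter_cert))


# Constructed stand-ins for the DER certificates each party presented during the TLS handshake.
SERVER_A_CERT = b"constructed-cert-of-server-a"
THIEF_CERT = b"constructed-cert-of-whoever-stole-the-token"
```

A stolen plain bearer token passes accept_bearer for anyone, while a cert-bound token fails accept_pop unless the presenter's authenticated certificate matches the thumbprint baked into it.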