I’ve published draft 06 of the OAuth Bearer Token Specification. It contains the following changes:

  • Changed parameter name bearer_token to access_token, per working group consensus.
  • Changed HTTP status code for invalid_request error code from HTTP 401 (Unauthorized) back to HTTP 400 (Bad Request), per input from HTTP working group experts.

It doesn’t change the use of 403 (Forbidden) to 401 (Unauthorized) as had been discussed as a possibility, also due to input from the same HTTP working group experts.

The draft is available at these locations: