big-night-72627
03/05/2025, 9:46 PM
brief-egg-61061
03/05/2025, 9:46 PM
brief-egg-61061
03/05/2025, 9:46 PM

```shell
ory create project --name "Ory OAuth2 Example"
project_id="{set to the project ID from output}"
```

2. Create an OAuth2 client for the Client Credentials flow:

   ```shell
   ory create oauth2-client --project "$project_id" \
     --name "Client Credentials Demo" \
     --grant-type client_credentials
   ```

3. Export the client ID and secret from the output:

   ```shell
   client_id="{set to CLIENT ID from output}"
   client_secret="{set to CLIENT SECRET from output}"
   ```

4. Perform the Client Credentials flow to get the bearer token:

   ```shell
   ory perform client-credentials --project $project_id \
     --client-id=$client_id \
     --client-secret=$client_secret
   ```

5. The output will include an ACCESS TOKEN, which is your bearer token. You can set it as an environment variable:

   ```shell
   access_token="{set to ACCESS TOKEN from output}"
   ```

Now you have a bearer token that you can use for authentication in subsequent requests. To verify the token, you can use the introspection command:

```shell
ory introspect token --project $project_id $access_token
```

This process is described in the [Run your own OAuth2 Server](https://www.ory.sh/blog/run-oauth2-server-open-source-api-security) blog post and the [Try common OAuth2 Grants](https://www.ory.sh/docs/getting-started/ory-network-oauth2) documentation.

big-night-72627
03/05/2025, 9:49 PM
brief-egg-61061
03/05/2025, 9:49 PM
brief-egg-61061
03/05/2025, 9:49 PM
`ory_at_`. This is a security feature designed to make the tokens more identifiable and secure. According to the [Identifiable token formats](https://www.ory.sh/docs/security-compliance/token-formats) documentation:

> Ory prefixes its access tokens, refresh tokens, and authorization codes with identifiable strings, making it easy for security scanners to identify leaked tokens. These prefixes are:
>
> - `ory_at_`: OAuth 2.0 Access Token

So, when you receive an access token from Ory, it will look something like this:

```
ory_at_GVG1AhpykEgTHBvsgzT4T4u7Xz6VzCw9zDZllX4y_94.Szlmx_66Sj51---BrjL8muA-8tUeSf43G8zfalQgiSQ
```

This is still a bearer token, but with Ory's specific format. When using this token for authentication, you would still include it in the Authorization header as a Bearer token:

```
Authorization: Bearer ory_at_GVG1AhpykEgTHBvsgzT4T4u7Xz6VzCw9zDZllX4y_94.Szlmx_66Sj51---BrjL8muA-8tUeSf43G8zfalQgiSQ
```

It's worth noting that if you're using JSON Web Tokens (JWTs) instead of opaque tokens, the prefix won't be applied. However, by default, Ory uses opaque tokens for increased security.