Sending an access token in a request When you put a VerifyAccessToken policy at the front of your API proxy flow, apps must present a verifiable access token (also called a “bearer token”) to consume your API. To do this, the app sends the access token in the request as an “Authorization” HTTP header .