Auth test API

A single endpoint to practice attaching Authorization: Bearer headers. No accounts, no secrets — just a fixed demo token to demonstrate the round-trip.

https://sampleapi.top/api

Base URL — append any path below.

Endpoint

MethodPathDescription
GET/auth/bearerChecks the Authorization header. Returns 200, 401, or 403.

Demo token

demo-token

This token is public. It's safe to share, commit, and post in screenshots.

Behavior

RequestStatusBody
Authorization: Bearer demo-token200{"authenticated": true, "token": "demo-token", "user": {...}}
No Authorization header401Error JSON. WWW-Authenticate: Bearer header included.
Authorization: Bearer wrong403Error JSON. WWW-Authenticate includes error="invalid_token".

Examples

Success

curl -s https://sampleapi.top/api/auth/bearer \
  -H "Authorization: Bearer demo-token"
const res = await fetch('https://sampleapi.top/api/auth/bearer', {
  headers: { Authorization: 'Bearer demo-token' }
});
console.log(res.status, await res.json());
$ctx = stream_context_create(['http' => [
  'method' => 'GET',
  'header' => "Authorization: Bearer demo-token\r\n",
]]);
echo file_get_contents('https://sampleapi.top/api/auth/bearer', false, $ctx);

401 — missing token

curl -i https://sampleapi.top/api/auth/bearer

403 — wrong token

curl -i https://sampleapi.top/api/auth/bearer \
  -H "Authorization: Bearer wrong-token"

Notes

  • The token comparison is constant-time (hash_equals) on the server.
  • SampleAPI does not issue, rotate, or remember tokens — the demo token is hard-coded.
  • Do not send real credentials, real bearer tokens, or any personal data to this endpoint.