Mastercard · Dr-J-Watson · May 27, 2025 · May 27, 2025 · May 27, 2025 · May 27, 2025
diff --git a/docs/index.md b/docs/index.md
@@ -46,6 +46,7 @@ provider "restapi" {
 - `debug` (Boolean) Enabling this will cause lots of debug information to be printed to STDOUT by the API client.
 - `destroy_method` (String) Defaults to `DELETE`. The HTTP method used to DELETE objects of this type on the API server.
 - `headers` (Map of String) A map of header names and values to set on all outbound requests. This is useful if you want to use a script via the 'external' provider or provide a pre-approved token or change Content-Type from `application/json`. If `username` and `password` are set and Authorization is one of the headers defined here, the BASIC auth credentials take precedence.
+- `bearer_token` (String) A token that will be used to set the Authorization: Bearer <token> header on all outbound API requests. This value can be set directly in the provider configuration or indirectly via the BEARER_TOKEN environment variable. Useful for APIs that require Bearer token authentication such as JWT or OAuth2. If set, this takes precedence over any Authorization header defined in headers.
 - `id_attribute` (String) When set, this key will be used to operate on REST objects. For example, if the ID is set to 'name', changes to the API object will be to http://foo.com/bar/VALUE_OF_NAME. This value may also be a '/'-delimeted path to the id attribute if it is multple levels deep in the data (such as `attributes/id` in the case of an object `{ "attributes": { "id": 1234 }, "config": { "name": "foo", "something": "bar"}}`
 - `insecure` (Boolean) When using https, this disables TLS verification of the host.
 - `key_file` (String) When set with the cert_file parameter, the provider will load a client certificate as a file for mTLS authentication. Note that this mechanism simply delegates to golang's tls.LoadX509KeyPair which does not support passphrase protected private keys. The most robust security protections available to the key_file are simple file system permissions.

diff --git a/restapi/api_client.go b/restapi/api_client.go
@@ -28,6 +28,7 @@ type apiClientOpt struct {
 	username            string
 	password            string
 	headers             map[string]string
+	bearerToken         string
 	timeout             int
 	idAttribute         string
 	createMethod        string
@@ -65,6 +66,7 @@ type APIClient struct {
 	username            string
 	password            string
 	headers             map[string]string
+	bearerToken        string
 	idAttribute         string
 	createMethod        string
 	readMethod          string
@@ -190,6 +192,7 @@ func NewAPIClient(opt *apiClientOpt) (*APIClient, error) {
 		username:            opt.username,
 		password:            opt.password,
 		headers:             opt.headers,
+		bearerToken:         opt.bearerToken,
 		idAttribute:         opt.idAttribute,
 		createMethod:        opt.createMethod,
 		readMethod:          opt.readMethod,

diff --git a/restapi/provider.go b/restapi/provider.go
@@ -33,6 +33,7 @@ func Provider() *schema.Provider {
 			"password": {
 				Type:        schema.TypeString,
 				Optional:    true,
+				Sensitive:   true,
 				DefaultFunc: schema.EnvDefaultFunc("REST_API_PASSWORD", nil),
 				Description: "When set, will use this password for BASIC auth to the API.",
 			},
@@ -42,6 +43,13 @@ func Provider() *schema.Provider {
 				Optional:    true,
 				Description: "A map of header names and values to set on all outbound requests. This is useful if you want to use a script via the 'external' provider or provide a pre-approved token or change Content-Type from `application/json`. If `username` and `password` are set and Authorization is one of the headers defined here, the BASIC auth credentials take precedence.",
 			},
+			"bearer_token": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Sensitive:   true,
+				DefaultFunc: schema.EnvDefaultFunc("REST_API_BEARER", nil),
+				Description: "Token to use for Authorization: Bearer <token>",
+			},
 			"use_cookies": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -235,6 +243,10 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) {
 		}
 	}
 
+	if token, ok := d.GetOk("bearer_token"); ok && token.(string) != "" {
+		headers["Authorization"] = "Bearer " + token.(string)
+	}
+
 	opt := &apiClientOpt{
 		uri:                 d.Get("uri").(string),
 		insecure:            d.Get("insecure").(bool),