...

In order for a user to acquire either type of access token, they must first authenticate their identity. Once authenticated, one of these two bearer access tokens will be issued (depending on the context). It is important to emphasize that both of these access token types are bearer tokens. The bearer presents the access token as proof of authentication, so no further authentication is required.

...

Since access tokens are bearer tokens, if a third party were to steal another user’s access token, the third party could use it to impersonate the token’s owner. For example, an access token can be acquired by a malicious party using a phishing scheme. It is also possible that the owner of an access token might accidentally make it available to others. Consider the case where a user puts an access token directly into a script to run a quick test. If they forget about the access token and later create a pull request that includes the script, they will unwittingly share the access token with the world. In fact, this is such a common problem that GitHub offers a “push protection” feature to help organizations deal with it.
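The accidental-leak scenario above (a token pasted into a quick test script that later ends up in a pull request) is the kind of thing a local pre-commit secret scan catches before push protection ever sees it. The following is an added example, not code from the original page or from GitHub's push protection feature. It assumes three token shapes: GitHub's documented `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefixed format, a literal `Bearer <token>` header, and a generic `token = "..."` style assignment (the last two patterns are assumptions chosen for illustration). The sample script it scans is constructed for the example.

```python
import re
from typing import List, Tuple

# Patterns for token-shaped strings.
# - github_token follows GitHub's documented prefixed token format (ghp_ etc.).
# - bearer_header and token_assignment are assumed, illustrative patterns that
#   catch a hard-coded Authorization header or an ad-hoc variable assignment.
TOKEN_PATTERNS = [
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("bearer_header", re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]{20,}=*", re.IGNORECASE)),
    ("token_assignment",
     re.compile(r"(?i)\b(access_token|api_key|secret|token)\b\s*[=:]\s*['\"]([^'\"]{16,})['\"]")),
]


def find_token_leaks(text: str) -> List[Tuple[int, str, str]]:
    """Scan text line by line; return (line_number, pattern_name, redacted_match).

    The match is redacted so the scanner's own output never re-leaks the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in TOKEN_PATTERNS:
            m = pattern.search(line)
            if m:
                secret = m.group(0)
                redacted = secret[:8] + "..." + secret[-4:]
                findings.append((lineno, name, redacted))
                break  # one finding per line is enough to block the commit
    return findings


def should_block_commit(text: str) -> bool:
    """A pre-commit hook would call this on the staged content and refuse the commit if True."""
    return bool(find_token_leaks(text))


# Constructed sample: a "quick test" script with a hard-coded bearer token.
SAMPLE_SCRIPT = '''import requests
# TODO remove before committing
ACCESS_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyzAB"
resp = requests.get("https://api.example.com/me", headers={"Authorization": "Bearer " + ACCESS_TOKEN})
print(resp.status_code)
'''

if __name__ == "__main__":
    for lineno, name, redacted in find_token_leaks(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}: {redacted}")
    # Non-zero exit status is what makes a git pre-commit hook abort the commit.
    raise SystemExit(1 if should_block_commit(SAMPLE_SCRIPT) else 0)
```

Wired into a git pre-commit hook (run over `git diff --cached` output), a non-zero exit aborts the commit, so the token never reaches the pull request in the first place. Push protection on the server side is the backstop for developers who skip or lack the local hook.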

...