diff --git a/lib/models/access-token.js b/lib/models/access-token.js
index 9f36268b..47b7a13d 100644
--- a/lib/models/access-token.js
+++ b/lib/models/access-token.js
@@ -209,12 +209,20 @@ function tokenIdForRequest(req, options) {
 id = req.header(headers[i]);
 if(typeof id === 'string') {
+ // Add support for oAuth 2.0 bearer token
+ // http://tools.ietf.org/html/rfc6750
+ if (id.indexOf('Bearer ') === 0) {
+ id = id.substring(7);
+ // Decode from base64
+ var buf = new Buffer(id, 'base64');
+ id = buf.toString('utf8');
+ }
 return id;
 }
 }
 if(req.signedCookies) {
- for(i = 0, length = headers.length; i < length; i++) {
+ for(i = 0, length = cookies.length; i < length; i++) {
 id = req.signedCookies[cookies[i]];
 if(typeof id === 'string') {
diff --git a/test/access-token.test.js b/test/access-token.test.js
index 1f4e7344..d03a4916 100644
--- a/test/access-token.test.js
+++ b/test/access-token.test.js
@@ -12,7 +12,25 @@ describe('loopback.token(options)', function() {
 .end(done);
 });
- it('should populate req.token from a header', function (done) {
+ it('should populate req.token from an authorization header', function (done) {
+ createTestAppAndRequest(this.token, done)
+ .get('/')
+ .set('authorization', this.token.id)
+ .expect(200)
+ .end(done);
+ });
+
+ it('should populate req.token from an X-Access-Token header', function (done) {
+ createTestAppAndRequest(this.token, done)
+ .get('/')
+ .set('X-Access-Token', this.token.id)
+ .expect(200)
+ .end(done);
+ });
+
+ it('should populate req.token from an authorization header with bearer token', function (done) {
+ var token = this.token.id;
+ token = 'Bearer '+ new Buffer(token).toString('base64');
 createTestAppAndRequest(this.token, done)
 .get('/')
 .set('authorization', this.token.id)
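Review bot: The base64 decode added after `id = id.substring(7);` mangles a standards-conformant client: RFC 6750 sends the token as `Bearer <token>` with the raw value, and Node's base64 decoder is lenient and ignores characters outside its alphabet, so `buf.toString('utf8')` yields a different string that never matches a stored token id (the request fails, but only after a confusing round trip). The decode only works for clients that pre-encode the id as this commit's test does; if that is the intended contract, state it in the comment, e.g. `// NOTE: the value after 'Bearer ' must be the base64-encoded token id, not the raw id described by RFC 6750`, otherwise drop the decode so the raw id works. `id.indexOf('Bearer ') === 0` is also case-sensitive while the auth-scheme name is case-insensitive per RFC 7235, so a `bearer ...` header from some clients is passed through undecoded and still fails. `tokenIdForRequest` starts before the hunk and continues past it.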
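Review bot: The new bearer-token test never sends the value it builds: `token = 'Bearer '+ new Buffer(token).toString('base64');` is assigned and then the unchanged context line `.set('authorization', this.token.id)` sends the raw id, so the test exercises the plain-header path a second time and the bearer branch not at all. Change that line to `.set('authorization', token)`. The `it` block continues past the end of the hunk.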
@@ -33,6 +51,20 @@ describe('loopback.token(options)', function() {
 });
 });
+ it('should populate req.token from a header or a secure cookie', function (done) {
+ var app = createTestApp(this.token, done);
+ var id = this.token.id;
+ request(app)
+ .get('/token')
+ .end(function(err, res) {
+ request(app)
+ .get('/')
+ .set('authorization', id)
+ .set('Cookie', res.header['set-cookie'])
+ .end(done);
+ });
+ });
+
 it('should skip when req.token is already present', function(done) {
 var tokenStub = { id: 'stub id' };
 app.use(function(req, res, next) {
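Review bot: The first request's error is ignored in `.end(function(err, res) {`: if `GET /token` fails, `res` is undefined and `res.header['set-cookie']` throws inside the callback, surfacing as an uncaught exception rather than a test failure. Add `if (err) return done(err);` as the first statement of the callback. The second request also has no `.expect(200)` unlike the sibling tests, so as written the outcome depends entirely on what createTestApp's handler does when req.token is missing, which is outside the hunk; adding `.expect(200)` before `.end(done)` would make the intent explicit. The enclosing `describe` continues outside the hunk.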