The Bearer prefix is optional. The prefix helps identifying what type of token authentication you are delivering. If there is only bearer token to accept, most APIs simply remove "Bearer " from Authorization header string. WeatherKit REST API seems to do this, too.

The Bearer prefix is not relevant. I tried with and without „bearer“. Whenever a JWT token is used you will get 500 Internal Server Error - content of the JWT doesn’t play a role. As soon as you omit the authentication header or write random stuff into the field you will get 401 Unauthorized. I think the JWT validation has a bug and crashes on each validation (explains 500). A correct working validation would return 401 Unauthorized when JWT isn’t valid.