Access control is critical for many applications of the Internet of Things (IoT) since the owner of an IoT device (and application) may only permit one user to access a subset of the resources of the device. To provide access control for an IoT network, recent work adopted the capability-based access control (CBAC) model, which allows an IoT device to decide on the authorization by itself based on a capability token. However, the existing approaches based on CBAC directly attach the capability token at the end of CoAP when sending a request message. For the receiver, it is not easy to retrieve the capability token from the request message if the CoAP payload is present, because CoAP does not have a length field to indicate the size of its payload. To counter this problem, we propose a CoAP option, Cap-Token, to encapsulate a capability token when sending request messages. Because a CoAP option is independent from other CoAP fields, a receiver can get the capability token from the Cap-Token option of the request message without ambiguity. We also provide a compression mechanism to reduce the size of the Cap-Token option. Our evaluation shows that the compression mechanism can save the size of the option by 60%. Adding a compressed Cap-Token option to a request message increases the IP datagram size by 45 bytes, which is only 41% of the increase when directly attaching the capability token at the end of CoAP.