The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually, but not necessarily, after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.
| Header type | Request header |
|---|---|
| Forbidden header name | no |
Syntax
Authorization: <type> <credentials>
Directives
- <type>
- Authentication type. A common type is "Basic". Other types:
- <credentials>
- If the "Basic" authentication scheme is used, the credentials are constructed like this:
- The username and the password are combined with a colon (
aladdin:opensesame). - The resulting string is base64 encoded (
YWxhZGRpbjpvcGVuc2VzYW1l).
Note: Base64 encoding does not mean encryption or hashing! This method is equally secure as sending the credentials in clear text (base64 is a reversible encoding). Prefer to use HTTPS in conjunction with Basic Authentication.
- The username and the password are combined with a colon (
Examples
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
See also HTTP authentication for examples on how to configure Apache or nginx servers to password protect your site with HTTP basic authentication.
Specifications
| Specification | Title |
|---|---|
| RFC 7235, section 4.2: Authorization | HTTP/1.1: Authentication |
| RFC 7617 | The 'Basic' HTTP Authentication Scheme |