The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually, but not necessarily, after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.

Header type Request header
Forbidden header name no


Authorization: <type> <credentials>


Authentication type. A common type is "Basic". Other types:
If the "Basic" authentication scheme is used, the credentials are constructed like this:
  • The username and the password are combined with a colon (aladdin:opensesame).
  • The resulting string is base64 encoded (YWxhZGRpbjpvcGVuc2VzYW1l).

Note: Base64 encoding does not mean encryption or hashing! This method is equally secure as sending the credentials in clear text (base64 is a reversible encoding). Prefer to use HTTPS in conjunction with Basic Authentication.


Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

See also HTTP authentication for examples on how to configure Apache or nginx servers to password protect your site with HTTP basic authentication.


Specification Title
RFC 7235, section 4.2: Authorization HTTP/1.1: Authentication
RFC 7617 The 'Basic' HTTP Authentication Scheme

See also