These headers are sometimes used for Basic API authentication.
WWW-Authenticate
The HTTP WWW-Authenticate response header
- defines the authentication method that should be used to gain access to a resource
- is sent along with a 401 Unauthorized response

Syntax
WWW-Authenticate: <type> realm=<realm>
- <type> - Authentication type. A common type is “Basic”. IANA maintains a list of Authentication schemes.
- realm=<realm> - a description of the protected area. If no realm is specified, clients often display a formatted hostname instead.
- charset=<charset> - tells the client the server's preferred encoding scheme when submitting a username and password. The only allowed value is the case-insensitive string "UTF-8". This does not relate to the encoding of the realm string.
Examples
WWW-Authenticate: Basic
WWW-Authenticate: Basic realm="Access to the staging site", charset="UTF-8"
Authorization
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.

Syntax

Authorization: <authorization type/scheme> <credentials/data>

Examples
Authorization: Basic base64(user-id:password) # replace base64(...) with the base64 of input
Authorization: Digest crypto-hash(user-id:password) # replace crypto-hash(...) with the output of crypto-hash of input
Authorization: Bearer BEARER_TOKEN_HERE

Authentication Scheme Types
- Basic - authentication by transmitting a user-id:password pair, encoded using Base64 Notation (see RFC7617)
- Digest - authentication by transmitting a user-id:password pair, hashed using a cryptographic hash function (see RFC7616)
- Bearer - authentication by transmitting a bearer token (see RFC6750)
  - to prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport
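As an added example (not part of the original page), the Basic scheme's challenge and credential headers described above, built and parsed in Python: the server side emits the WWW-Authenticate challenge with the UTF-8 charset parameter, and validates an incoming Authorization header by decoding the Base64 user-id:password pair and comparing the password in constant time. The user table and realm are constructed sample values.

```python
import base64
import hmac
import re

# Constructed sample credentials for the demo (not real accounts).
USERS = {"alice": "s3cret-pa55"}
REALM = "Access to the staging site"


def build_challenge(realm=REALM):
    """Build the WWW-Authenticate value a server returns with a 401."""
    # charset only permits the value UTF-8 (RFC 7617).
    return f'Basic realm="{realm}", charset="UTF-8"'


def parse_challenge(value):
    """Parse a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    # Parameters are name=value pairs; the value may be a quoted string or a token.
    for m in re.finditer(r'(\w+)=("([^"]*)"|([^,\s]+))', rest):
        params[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return scheme, params


def build_basic_authorization(user_id, password):
    """Encode user-id:password as Base64 for the Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_authorization(header):
    """Return the authenticated user-id, or None if the header is rejected."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Malformed Base64 or non-UTF-8 bytes: reject rather than guess.
        return None
    # The user-id may not contain a colon; the password may, so split only once.
    user_id, sep, password = decoded.partition(":")
    if not sep or user_id not in USERS:
        return None
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(password.encode(), USERS[user_id].encode()):
        return None
    return user_id
```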