HTTP basic authentication

HTTP basic authentication is a simple challenge and response mechanism with which a server can request authentication information (a user ID and password) from a client. The client passes the authentication information to the server in an Authorization header. The authentication information is in base-64 encoding.

This topic summarizes HTTP basic authentication. For details, see RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, at

Note: The HTTP basic authentication scheme can be considered secure only when the connection between the web client and the server is secure. If the connection is insecure, the scheme does not provide sufficient security to prevent unauthorized users from discovering the authentication information for a server. If you think that a password might be intercepted, use basic authentication with SSL encryption to protect the user ID and password.

If a client makes a request for which the server expects authentication information, the server sends an HTTP response with a 401 status code, a reason phrase indicating an authentication error, and a WWW-Authenticate header. Most web clients handle this response by requesting a user ID and password from the end user.

The format of a WWW-Authenticate header for HTTP basic authentication is:
WWW-Authenticate: Basic realm="Our Site"

The WWW-Authenticate header contains a realm attribute, which identifies the set of resources to which the user ID and password will apply. Web clients display this string to the end user. Each realm might require different authentication information. Web clients can store the authentication information for each realm so that end users do not need to retype the information for every request.

When the web client has obtained a user ID and password, it resends the original request with an Authorization header. Alternatively, the client can send the Authorization header when it makes its original request, and this header might be accepted by the server, avoiding the challenge and response process.

The format of the Authorization header is:
Authorization: Basic userid:password

dfhtl2a.html | Timestamp icon Last updated: Thursday, 27 June 2019