HTTP basic authentication

HTTP basic authentication is a simple challenge-and-response mechanism with which a server can request authentication information (a user ID and password) from a client. The client passes the authentication information to the server in an Authorization header as the string user ID, a colon, and the password, in base64 encoding. Base64 is an encoding, not encryption: anyone who can read the header can recover the user ID and password from it.

This topic summarizes HTTP basic authentication. The scheme was originally specified in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, at https://www.ietf.org/rfc/rfc2617.txt. RFC 2617 has since been obsoleted; the current specification of the Basic scheme is RFC 7617, The 'Basic' HTTP Authentication Scheme.

Note: The HTTP basic authentication scheme can be considered secure only when the connection between the web client and the server is secure. Over an insecure connection the scheme does not prevent anyone who can observe the traffic from recovering the user ID and password, because the Authorization header carries them in base64, which is trivially reversed. Use basic authentication only over TLS (HTTPS; still often called SSL) so that the user ID and password are encrypted in transit, and remember that the client resends the credentials on every request, so every request is exposed, not only the first.

If a client makes a request for which the server expects authentication information, the server sends an HTTP response with a 401 status code, a reason phrase indicating an authentication error, and a WWW-Authenticate header. Most web clients handle this response by requesting a user ID and password from the end user.

The format of a WWW-Authenticate header for HTTP basic authentication is:
WWW-Authenticate: Basic realm="Our Site"

The WWW-Authenticate header contains a realm attribute, which identifies the protection space, that is, the set of resources on that server to which the user ID and password apply. Web clients may display this string to the end user when prompting for credentials. Each realm might require different authentication information. Web clients can store the authentication information for each realm so that end users do not need to retype the information for every request to that realm.

When the web client has obtained a user ID and password, it resends the original request with an Authorization header. Alternatively, the client can send the Authorization header when it makes its original request, and this header might be accepted by the server, avoiding the challenge and response process.

The format of the Authorization header is:
Authorization: Basic <base64 encoding of userid:password>

For example, the user ID Aladdin with the password open sesame produces:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The user ID must not contain a colon, because the server splits the decoded string at the first colon; the password may contain colons.
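The following Python example, added here and not part of the original topic, works through both sides of the exchange described above: a client building the Authorization header, and a server issuing the 401 challenge, decoding the credentials, splitting at the first colon so that passwords containing colons survive, rejecting malformed headers, and comparing the password in constant time. The realm Our Site is the one used above; the user Aladdin with password open sesame is the example from RFC 7617; the credential store, the charset parameter and the handle_request function are assumptions made for the example (a real server would store salted password hashes, not plaintext).

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for this example only (plaintext for clarity;
# a real server stores salted password hashes).
USERS = {"Aladdin": "open sesame"}
REALM = "Our Site"


def make_authorization_header(userid: str, password: str) -> str:
    """Client side: build the Authorization header value.

    RFC 7617 forbids a colon in the user-id; the password may contain one.
    """
    if ":" in userid:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def challenge_header() -> str:
    """Server side: the WWW-Authenticate value sent with a 401 response.

    charset="UTF-8" (RFC 7617) tells the client how to encode the password.
    """
    return f'Basic realm="{REALM}", charset="UTF-8"'


def parse_authorization_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (userid, password) from an Authorization value.

    Returns None for anything that is not well-formed Basic credentials:
    wrong scheme, invalid base64, invalid UTF-8, or no colon after decoding.
    """
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: "bob:pa:ss" -> ("bob", "pa:ss").
    userid, sep, password = decoded.partition(":")
    if not sep:
        return None
    return userid, password


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Server side: return (status, response headers) for one request.

    401 with a WWW-Authenticate challenge when credentials are absent,
    malformed or wrong; 200 with no extra headers when they are accepted.
    """
    auth = headers.get("Authorization")
    creds = parse_authorization_header(auth) if auth else None
    if creds is None:
        return 401, {"WWW-Authenticate": challenge_header()}
    userid, password = creds
    expected = USERS.get(userid)
    # Constant-time comparison; compare against an empty string for unknown
    # users so the code path does not differ between unknown user and bad password.
    matches = hmac.compare_digest(password.encode("utf-8"), (expected or "").encode("utf-8"))
    if expected is None or not matches:
        return 401, {"WWW-Authenticate": challenge_header()}
    return 200, {}


if __name__ == "__main__":
    # Walk through the challenge-and-response sequence.
    status, resp = handle_request({})
    print(status, resp)  # 401 with the WWW-Authenticate challenge
    header = make_authorization_header("Aladdin", "open sesame")
    print(header)
    print(handle_request({"Authorization": header}))  # (200, {})
```

Running the block stand-alone prints the 401 challenge for a request without credentials, the Authorization header the client builds in response, and the 200 result when that header is presented. Note that parse_authorization_header treats the decoded string as UTF-8 because the challenge advertises charset="UTF-8"; a server that omits that parameter cannot assume which encoding the client used for non-ASCII passwords.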