Authorization
The Authorization header is provided by clients to authenticate themselves to the server, for the purpose of authorizing the request.
For clients that want to authorize themselves to an intermediate node instead of the origin server, use Proxy-Authorization.
Writing requests
Clients may provide the Authorization header when they know the resource requires authentication, usually after a request results in a 401 (Unauthorized)
response.
The value of the is a token
that indicates the authorization scheme (e.g. basic
), a space, and credential data as required by the selected authorization scheme.
Reading requests
Servers should have tests to ensure the correct 401
status code is returned when given bad credentials.
Overview table
- Name
- Authorization
- Description
- Provides credentials authenticating the client to the origin.
- Direction
- Request
- Specification
- RFC 7235: HTTP/1.1 Authentication ยง4.2. Authorization
Syntax
Authorization = credentials
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
auth-scheme = token
auth-param = token BWS "=" BWS ( token / quoted-string )
token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
auth-scheme
is one of the registered values in the Authentication Scheme Registry.
Example
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Here, the resource is being requested with a username Aladdin
and password open sesame
.
For more specific examples, consult the respective pages on each Authorization scheme.