Authorization

The Authorization header is provided by clients to authenticate themselves to the server, for the purpose of authorizing the request.

For clients that want to authorize themselves to an intermediate node instead of the origin server, use Proxy-Authorization.

Writing requests

Clients may provide the Authorization header when they know the resource requires authentication, usually after a request results in a 401 (Unauthorized) response.

The value of the is a token that indicates the authorization scheme (e.g. basic), a space, and credential data as required by the selected authorization scheme.

Reading requests

Servers should have tests to ensure the correct 401 status code is returned when given bad credentials.

Overview table

Name: Authorization
Description: Provides credentials authenticating the client to the origin.
Direction: Request
Specification: RFC 9110: HTTP Semantics §11.6.2. Authorization

Syntax

Authorization = credentials
credentials   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
auth-scheme   = token
auth-param    = token BWS "=" BWS ( token / quoted-string )
token68       = 1*( ALPHA / DIGIT /  "-" / "." / "_" / "~" / "+" / "/" ) *"="

auth-scheme is one of the registered values in the Authentication Scheme Registry.

Implementations

Most Web browsers will wait for a 401 (Unauthorized) status and WWW-Authenticate header before making a request with this header. This means it will make two requests before getting a usable one, every time it must request a resource.

Example

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Here, the resource is being requested with a username Aladdin and password open sesame.

For more specific examples, consult the respective pages on each Authorization scheme.

History

1999-06: RFC 2616 §14.8. Authorization
2014-06: RFC 7235 §4.2. Authorization. This header was split out from the core document.
2022-06: RFC 9110 §11.6.2. Authorization. Moved back into HTTP Semantics.