WWW-Authenticate
The "WWW-Authenticate" header field indicates the authentication scheme(s) and parameters applicable to the target resource.
Writing responses (servers)
Origin servers MUST send the WWW-Authenticate
header with a 401 (Unauthorized) status code.
The variant of this header for intermediate nodes (proxies) is Proxy-Authenticate.
Reading responses (clients)
Clients that see this header can test if they understand and have credentials for any of the authorization schemes listed, and if so, re-try the request with an Authorization header.
Overview table
- Name
- WWW-Authenticate
- Description
- Requests the user-agent authenticate to the origin.
- Direction
- Response
- Advertises
- Authorization
- Specification
- RFC 7235: HTTP/1.1 Authentication ยง4.1. WWW-Authenticate
Syntax
WWW-Authenticate = 1#challenge
challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
auth-scheme = token
auth-param = token BWS "=" BWS ( token / quoted-string )
token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
auth-scheme
is one of the registered values in the Authentication Scheme Registry.
Example
WWW-Authenticate: Newauth realm="apps", type=1,
title="Login to \"apps\"", Basic realm="simple"