WWW-Authenticate
The "WWW-Authenticate" header field indicates the authentication scheme(s) and parameters applicable to the target resource.
Writing responses (servers)
Origin servers MUST send the WWW-Authenticate header with a 401 (Unauthorized) status code.
The variant of this header for intermediate nodes (proxies) is Proxy-Authenticate.
Reading responses (clients)
Clients that see this header can test whether they understand, and have credentials for, any of the authentication schemes listed, and if so, retry the request with an Authorization header.
Overview table
- Name: WWW-Authenticate
- Description: Requests the user-agent authenticate to the origin.
- Direction: Response
- Advertises: Authorization
- Specification: RFC 9110: HTTP Semantics §11.6.1. WWW-Authenticate
Syntax
WWW-Authenticate = 1#challenge
challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
auth-scheme = token
auth-param = token BWS "=" BWS ( token / quoted-string )
token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
auth-scheme is one of the registered values in the Authentication Scheme Registry.
Example
WWW-Authenticate: Newauth realm="apps", type=1,
title="Login to \"apps\"", Basic realm="simple"
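Commas separate both the challenges and the auth-params inside a challenge, so a client cannot recover the challenges by splitting the field value on commas alone. The Python parser below is an added example, not part of the original page or of RFC 9110; the names parse_challenges and EXAMPLE are illustrative. It follows the grammar shown under Syntax and rejects unterminated quoted-strings.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
ELEMENT = re.compile(rf'(?:[^",]|{QUOTED})+')   # one comma-separated list element
PARAM = re.compile(rf'({TOKEN})\s*=\s*({TOKEN}|{QUOTED})')
SCHEME = re.compile(rf'({TOKEN})(?:\s+(.*))?', re.S)
TOKEN68 = re.compile(r'[A-Za-z0-9\-._~+/]+=*')


def _unquote(value):
    return re.sub(r'\\(.)', r'\1', value[1:-1]) if value.startswith('"') else value


def parse_challenges(header_value):
    """Return a list of {"scheme", "token68", "params"} dicts, in order."""
    if ELEMENT.sub("", header_value).strip(","):
        raise ValueError("unterminated quoted-string")
    challenges = []
    for element in ELEMENT.findall(header_value):
        element = element.strip()
        if not element:
            continue  # the #rule tolerates empty list elements
        param = PARAM.fullmatch(element)
        if param:
            # A bare name=value belongs to the challenge opened before it.
            if not challenges or challenges[-1]["token68"] is not None:
                raise ValueError(f"auth-param without a challenge: {element!r}")
            challenges[-1]["params"][param[1].lower()] = _unquote(param[2])
            continue
        head = SCHEME.fullmatch(element)
        if not head:
            raise ValueError(f"malformed challenge: {element!r}")
        challenge = {"scheme": head[1], "token68": None, "params": {}}
        rest = (head[2] or "").strip()
        first = PARAM.fullmatch(rest)
        if first:
            challenge["params"][first[1].lower()] = _unquote(first[2])
        elif TOKEN68.fullmatch(rest):
            challenge["token68"] = rest
        elif rest:
            raise ValueError(f"malformed challenge: {element!r}")
        challenges.append(challenge)
    return challenges


# The field value from the Example section, with the line fold joined.
EXAMPLE = ('Newauth realm="apps", type=1, '
           'title="Login to \\"apps\\"", Basic realm="simple"')
```

Calling parse_challenges(EXAMPLE) yields two challenges, Newauth with three parameters and Basic with one; auth-param names are lower-cased because they are matched case-insensitively.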
History
- 1999-06: RFC 2616 §14.47. WWW-Authenticate
- 2014-06: RFC 7235 §4.1. WWW-Authenticate. This header was split out from the core document.
- 2022-06: RFC 9110 §11.6.1. WWW-Authenticate. Moved back into HTTP Semantics.