Authorization Header

Intermediate

An HTTP header used to provide credentials that authenticate a user agent with a server. It allows a client, such as a web browser or an application, to access protected resources by presenting proof of its identity and permissions.

First Used

1996 (RFC 1945)

Definitions

2

Synonyms
Auth Header, HTTP Authorization

Definitions

1

General Definition in HTTP

The Authorization Header is a standard HTTP request header that carries credentials for authenticating a client with a server. It enables access control by allowing the server to verify the client's identity before granting access to a protected resource.

The general syntax is: Authorization: <type> <credentials>


  • <type>: This specifies the authentication scheme being used. Common types include Basic, Bearer, Digest, and AWS4-HMAC-SHA256.
  • <credentials>: This contains the authentication information, such as a token or a username/password pair. The format of the credentials depends entirely on the chosen scheme.

For example, a request using a Bearer token would look like this:

GET /api/user/profile HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

2

Common Authentication Schemes

The functionality of the Authorization Header is defined by its scheme (<type>). Different schemes offer varying levels of security and are suited for different use cases.


Basic Authentication

This is the simplest scheme. The credentials are a combination of a username and password, joined by a colon (:), and then encoded using Base64.

  • Format: Authorization: Basic <base64(username:password)>
  • Example: For the credentials user:password, the Base64 encoding is dXNlcjpwYXNzd29yZA==, so the header is Authorization: Basic dXNlcjpwYXNzd29yZA==.
  • Usage: Because Base64 is an encoding, not encryption, and is trivially reversed, Basic authentication is insecure unless used exclusively over an encrypted connection (HTTPS).
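As an added example (not code from the original entry), the following Python shows the two steps a server performs on the general Authorization: <type> <credentials> syntax and on the Basic scheme in particular: split the scheme from the credentials, then decode and validate the Base64 username:password pair. The USERS dictionary is a constructed credential store for the example only; a real server keeps salted password hashes.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store for this example (username -> password).
# A real server keeps salted password hashes, never plaintext passwords.
USERS = {"user": "password"}


def parse_authorization(header_value: str) -> Tuple[str, str]:
    """Split an Authorization value into (scheme, credentials).

    The scheme token is case-insensitive, so it is normalised to lowercase;
    the credentials part is returned untouched because its format depends
    entirely on the scheme.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed Authorization header")
    return parts[0].lower(), parts[1].strip()


def decode_basic(credentials: str) -> Tuple[str, str]:
    """Decode the Base64 'username:password' pair of the Basic scheme."""
    try:
        raw = base64.b64decode(credentials, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("Basic credentials are not valid Base64") from exc
    text = raw.decode("utf-8")  # UnicodeDecodeError (a ValueError) on junk bytes
    if ":" not in text:
        raise ValueError("Basic credentials lack the ':' separator")
    # The user-id itself may not contain a colon, so split on the first one;
    # everything after it is the password, further colons included.
    username, password = text.split(":", 1)
    return username, password


def check_basic(header_value: str) -> Optional[str]:
    """Return the authenticated username, or None if the header is rejected."""
    try:
        scheme, credentials = parse_authorization(header_value)
        if scheme != "basic":
            return None
        username, password = decode_basic(credentials)
    except ValueError:
        return None
    # Always run one constant-time comparison so that an unknown username is
    # not distinguishable from a wrong password by response time.
    expected = USERS.get(username, "\x00no-such-user")
    matched = hmac.compare_digest(password.encode("utf-8"),
                                  expected.encode("utf-8"))
    return username if matched and username in USERS else None


if __name__ == "__main__":
    print(check_basic("Basic dXNlcjpwYXNzd29yZA=="))  # user
    print(check_basic("Basic dXNlcjp3cm9uZw=="))      # None (user:wrong)
```

The decoder uses validate=True so that characters outside the Base64 alphabet are rejected instead of silently skipped, and the comparison runs in constant time whether or not the username exists.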

Bearer Authentication

This scheme is the standard for token-based authentication, commonly used with OAuth 2.0 and JWTs. The term 'bearer' signifies that anyone who possesses (bears) the token can use it to access resources.

  • Format: Authorization: Bearer <token>
  • Example: Authorization: Bearer mF_9.B5f-4.1JqM
  • Usage: It is the most common method for securing modern web APIs. The token is typically an opaque string or a JWT obtained by the client after a successful login or authorization flow.

Digest Authentication

Designed as a more secure alternative to Basic, Digest authentication sends a hash computed over the password, a server-provided nonce (a random, single-use value), and other request details instead of the password itself. This mitigates replay attacks and keeps the password from being sniffed on unencrypted channels.

  • Usage: While more secure than Basic, it is more complex to implement and has largely been superseded by token-based methods like Bearer authentication for APIs.
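The following Python, added here as an example rather than taken from the entry, works through the RFC 2617 Digest computation for qop=auth: the client hashes username, realm and password into HA1, then hashes HA1 with the server nonce, a request counter, a client nonce and the method/URI hash; the server stores only HA1 and recomputes the same value. The header parser and the nonce bookkeeping are simplified assumptions for illustration (a real server must also track which nonces it issued and reject reuse), and MD5 is used only because that is what the scheme specifies.

```python
import hashlib
import re
import secrets
from typing import Dict

# Matches key="quoted value" or key=bareword inside the Digest parameter list.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is all a server needs to store."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, nc: str = "00000001",
                        cnonce: str = "") -> str:
    """Client side: build the Authorization value; the password never leaves."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(digest_ha1(username, realm, password),
                               method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def parse_digest_params(credentials: str) -> Dict[str, str]:
    """Parse the comma-separated, possibly quoted, Digest parameters."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(credentials)}


def verify_digest(header_value: str, method: str, stored_ha1: str,
                  issued_nonce: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare."""
    scheme, _, credentials = header_value.partition(" ")
    if scheme.lower() != "digest":
        return False
    p = parse_digest_params(credentials)
    required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in p for k in required) or p.get("qop", "auth") != "auth":
        return False
    # A nonce the server did not issue (or has already accepted) must be
    # rejected; that check, not the hash itself, is what defeats replay.
    if not secrets.compare_digest(p["nonce"], issued_nonce):
        return False
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"],
                               p["nc"], p["cnonce"])
    return secrets.compare_digest(expected, p["response"])


if __name__ == "__main__":
    # Values from the worked example in RFC 2617, section 3.5.
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    hdr = build_digest_header("Mufasa", "testrealm@host.com", "Circle Of Life",
                              "GET", "/dir/index.html", nonce, cnonce="0a4f113b")
    print(hdr)
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(verify_digest(hdr, "GET", ha1, nonce))  # True
```

Because the response also covers the HTTP method and URI, a captured header cannot be reused against a different resource even before the nonce check runs; the nonce check is still required, since the same method and URI can be replayed otherwise.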

Origin & History

Etymology

The term is a straightforward combination of its function and location. 'Authorization' refers to the process of granting access to resources, and 'Header' indicates its position within an HTTP request message.

Historical Context

The concept of the **Authorization Header** is integral to the evolution of web security. Its first formal definition appeared in RFC 1945 for HTTP/1.0 in 1996, which introduced the 'Basic' authentication scheme. In June 1999, RFC 2617 provided a more robust specification, detailing both 'Basic' and a more secure alternative, 'Digest' authentication. This was the standard for many years, providing a way to protect web pages and resources by challenging users for a username and password.

With the rise of Web 2.0 and APIs, the limitations of these schemes became apparent. A more flexible and secure method was needed, especially for third-party applications. This led to the development of the OAuth 2.0 framework. In October 2012, RFC 6750 was published, defining the 'Bearer' authentication scheme. This scheme, which uses security tokens, became the de facto standard for securing modern APIs. It leverages the same **HTTP Authorization** header but replaces the Base64-encoded credentials with an opaque token, decoupling authentication from user passwords and enabling delegated access.


Usage Examples

1

To access the user's profile data, the client application must include a valid Authorization Header in its GET request to the API endpoint.

2

The developer received a 401 Unauthorized error because the Bearer token in the Authorization Header had expired.

3

For simple internal tools, you might use Basic Authentication, but for modern public-facing applications, it's recommended to use a more secure scheme like OAuth 2.0, which also utilizes the Auth Header with a Bearer token.


Frequently Asked Questions

What is the primary purpose of the HTTP Authorization header?

The primary purpose of the Authorization Header is to send credentials from a client to a server to authenticate itself. This allows the client to prove its identity and gain access to protected resources that require authentication, such as user-specific data or restricted API endpoints.

What is the difference between the `Authorization` header and the `WWW-Authenticate` header?

The WWW-Authenticate header is a response header sent by the server when a client requests a protected resource without proper credentials. It challenges the client and indicates which authentication method(s) (e.g., Basic, Bearer) it supports.

The Authorization Header is a request header sent by the client in a subsequent request. It contains the client's credentials, formatted according to one of the schemes proposed by the server in the WWW-Authenticate header.
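As an added example (not part of the original entry), this Python models the challenge/response exchange described above from the server's side, using the Bearer scheme: a request without credentials gets a 401 carrying a WWW-Authenticate challenge, a malformed or expired token gets a 401 whose challenge includes the error attributes defined in RFC 6750 (the "expired token" case from the usage examples), and a valid token gets the profile. The TOKENS store, the realm name and the timestamps are constructed for the example; a real resource server would validate a JWT or introspect the token at the authorization server.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed token store for this example: opaque token -> (subject, expiry as
# a Unix timestamp). The first token is the sample value from the entry above.
TOKENS = {
    "mF_9.B5f-4.1JqM": ("alice", 2_000_000_000),
    "expired-token-example": ("bob", 1_000_000_000),
}

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def extract_bearer(header_value: str) -> Optional[str]:
    """Return the token from 'Bearer <token>', or None for any other scheme."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()


def _challenge(realm: str, error: Optional[str] = None,
               description: Optional[str] = None) -> Response:
    """401 with a WWW-Authenticate challenge; error fields per RFC 6750 section 3."""
    value = f'Bearer realm="{realm}"'
    if error:
        value += f', error="{error}"'
    if description:
        value += f', error_description="{description}"'
    return 401, {"WWW-Authenticate": value}, ""


def handle_profile_request(headers: Dict[str, str], now: int,
                           realm: str = "api") -> Response:
    """Resource-server logic for GET /api/user/profile."""
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization")
    if auth is None:
        return _challenge(realm)  # no credentials at all: plain challenge
    token = extract_bearer(auth)
    if token is None:
        return _challenge(realm, "invalid_request", "Bearer scheme required")
    entry = TOKENS.get(token)
    if entry is None:
        return _challenge(realm, "invalid_token", "Unknown access token")
    subject, expires_at = entry
    if now >= expires_at:
        return _challenge(realm, "invalid_token", "The access token expired")
    return 200, {"Content-Type": "application/json"}, json.dumps({"user": subject})


if __name__ == "__main__":
    for hdrs in ({"Host": "example.com"},
                 {"Authorization": "Bearer expired-token-example"},
                 {"Authorization": "Bearer mF_9.B5f-4.1JqM"}):
        print(handle_profile_request(hdrs, now=1_700_000_000))
```

The first response in the run is the bare challenge that tells the client which scheme to use; the client then repeats the request with an Authorization header built according to that scheme.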


Categories

Web Security, Networking Protocols

Tags

HTTP, Security, Authentication, API, Web Development, Networking