The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually, but not necessarily, after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.

Header type Request header
Forbidden header name no


Authorization: <type> <credentials>



The Authentication type, that is which algorithm will be used for authentication. A common type is "Basic".

Other types common types can be found at the IANA registry of Authentication schemes.

Note: AWS S3 servers use a specific authentication, AWS4-HMAC-SHA256.


If the "Basic" authentication scheme is used, the credentials are constructed by first combining the username and the password with a colon (aladdin:opensesame), then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l).

Note: Base64-encoding does not mean encryption or hashing! As base64 is a reversible encoding, this method is equally (in)secure as sending the credentials in clear text. So you should alwaysuse HTTPS in conjunction with Basic authentication.


Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

See also HTTP authentication for examples on how to configure Apache or nginx servers to password protect your site with HTTP basic authentication.


Specification Title
RFC 7235, section 4.2: Authorization HTTP/1.1: Authentication
RFC 7617 The 'Basic' HTTP Authentication Scheme

See also