Authorization
The HTTP Authorization request header provides credentials for a user, authorizing the client to interact with a protected resource.
Usage
The Authorization request header is used to gain access to a protected resource and is typically sent after the client has been told that access is restricted. For example, after receiving a 401 Unauthorized response whose WWW-Authenticate header names the scheme the server accepts, the client resends the request with its credentials in this header. A client that already knows a resource requires credentials (an API client holding a token, for instance) may also send the header preemptively on its first request.
Note
Browsers strip the Authorization header when a request is redirected to a different origin, that is, when the scheme, host or port of the Location URL differs from the current request's. This prevents credential leakage when a redirect points to a third-party server. The behavior is defined in the HTTP-redirect fetch algorithm of the WHATWG Fetch Standard and is implemented by modern browsers. The rule is narrow: only the Authorization header is removed, so a token carried in the query string or in a custom header is forwarded unchanged, and a same-origin redirect keeps the header. Applications relying on Authorization headers across cross-origin redirects need to handle re-authentication at the final destination. Non-browser clients apply comparable but not identical rules: curl drops the header when the host name changes unless --location-trusted is given, Python Requests drops it when the host name changes (and on most scheme or port changes), and Go's net/http compares host names only, so it still forwards the header to a subdomain of the original host.
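The redirect rule described above, modelled in JavaScript as an added example that is not part of the original page: `sameOrigin` and `redirectRequest` are hypothetical helper names, the sample request and redirect targets are constructed, and the origin comparison follows the Fetch Standard (scheme, host and port) rather than the host-only rules of curl or Go. The last case shows the limit of the rule: a token the server echoes into the Location query string travels on even though the header is dropped.

```javascript
// Added example, not code from the original page. Models the Fetch Standard's
// HTTP-redirect fetch rule for the Authorization header. sameOrigin and
// redirectRequest are hypothetical helper names; uses Node's global URL.

// Two URLs share an origin when scheme, host and port all match. URL.origin
// normalises default ports, so https://h:443/ and https://h/ compare equal.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Given a request { url, headers } and the Location value from a 3xx
// response, return the request the next hop would receive. Location may be
// relative and is resolved against the current URL, as a browser would.
// (Method and body rewriting for 301/302/303 is not modelled here.)
function redirectRequest(request, location) {
  const target = new URL(location, request.url).href;
  const dropAuthorization = !sameOrigin(request.url, target);
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    // Header names are case-insensitive; match "authorization" in any case.
    if (dropAuthorization && name.toLowerCase() === 'authorization') continue;
    headers[name] = value; // every other header is forwarded unchanged
  }
  return { url: target, headers };
}

// Constructed sample request carrying a bearer token.
const SAMPLE_REQUEST = {
  url: 'https://api.example.com/v1/report',
  headers: { Authorization: 'Bearer tok_123', Accept: 'application/json' },
};

// Constructed redirect targets: where the 3xx response points, and whether
// the Authorization header survives the hop.
function redirectCases() {
  const cases = {
    samePath: 'https://api.example.com/v2/report',      // same origin: kept
    relative: '/v3/report',                              // resolves same-origin: kept
    otherHost: 'https://cdn.example.net/report',         // cross-origin: dropped
    subdomain: 'https://eu.api.example.com/report',      // different host: dropped
    downgrade: 'http://api.example.com/v1/report',       // scheme change: dropped
    otherHostWithQuery: 'https://cdn.example.net/report?access_token=tok_123', // header dropped, query token kept
  };
  const result = {};
  for (const [name, location] of Object.entries(cases)) {
    const next = redirectRequest(SAMPLE_REQUEST, location);
    result[name] = {
      url: next.url,
      hasAuthorization: 'Authorization' in next.headers,
      queryTokenForwarded: new URL(next.url).searchParams.has('access_token'),
    };
  }
  return result;
}

console.log(redirectCases());
```

The subdomain case is where the implementations diverge: the Fetch Standard treats `eu.api.example.com` as a different origin and drops the header, while Go's net/http would still forward it there.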
Directives
authentication-scheme
The authentication scheme is a mandatory directive, followed by scheme-specific credentials or parameters. The scheme defines how the credentials are encoded and how the server is expected to validate them; the scheme name itself is case-insensitive. Common schemes include Basic, Bearer, Digest, and Negotiate.
Example
In this example, the client uses the Basic authentication scheme. As a required parameter, the credentials are a base64-encoded username:password pair. Base64 is an encoding, not encryption: anyone who can read the connection can recover the password, so Basic credentials must only be sent over TLS.
Authorization: Basic RXhhbXBsZTphaQ==
A Bearer token is common with OAuth 2.0 APIs. The token is an opaque string or a signed JWT issued by an authorization server. Whoever holds the token can use it, so, like Basic credentials, it must only be sent over TLS and should never be written to logs or URLs.
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
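Building and checking these credentials on the server side, as an added JavaScript example that is not part of the original page: `encodeBasic`, `decodeBasic`, `parseAuthorization`, `equalsConstantTime` and `authorize` are hypothetical helper names and the user store is constructed. The page's sample value `RXhhbXBsZTphaQ==` decodes to `Example:ai`, which is what the store holds. The example goes beyond the page's Basic case by also returning the 401 response with the WWW-Authenticate challenge a server sends when the header is missing, malformed or wrong.

```javascript
// Added example, not code from the original page. Parses and validates an
// Authorization header on the server side; encodeBasic, decodeBasic,
// parseAuthorization, equalsConstantTime and authorize are hypothetical names.

// Constructed user store. A Map rather than a plain object, so that a user-id
// such as "constructor" cannot reach Object.prototype.
const USERS = new Map([['Example', 'ai']]);

// Basic credentials are base64("user-id:password") (RFC 7617). base64 is an
// encoding, not encryption: anyone who can read the connection reads the password.
function encodeBasic(user, password) {
  if (user.includes(':')) throw new Error('RFC 7617: user-id must not contain ":"');
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Split on the first ":" only; the password itself may contain colons.
function decodeBasic(b64) {
  const text = Buffer.from(b64, 'base64').toString('utf8');
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), password: text.slice(i + 1) };
}

// "<scheme> <credentials>": the scheme is a token and is case-insensitive
// (RFC 9110), so "basic" and "Basic" must be treated alike.
function parseAuthorization(value) {
  const m = /^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s+(\S+)\s*$/.exec(value ?? '');
  return m ? { scheme: m[1].toLowerCase(), credentials: m[2] } : null;
}

// Compare without stopping at the first mismatch, so timing does not reveal
// how many leading characters were right. Production code should use
// crypto.timingSafeEqual on equal-length buffers instead of this loop.
function equalsConstantTime(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// Decide the response for one request. A missing, malformed, wrong-scheme or
// wrong-credential header gets 401 plus the WWW-Authenticate challenge that
// tells the client which scheme to use; the client then retries with
// Authorization set.
function authorize(authorizationHeader) {
  const challenge = { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="api"' } };
  const parsed = parseAuthorization(authorizationHeader);
  if (!parsed || parsed.scheme !== 'basic') return challenge;
  const creds = decodeBasic(parsed.credentials);
  if (!creds) return challenge;
  // Compare against an empty string for unknown users so the check costs the
  // same either way; an unknown user is still rejected below.
  const known = USERS.has(creds.user);
  const ok = equalsConstantTime(creds.password, known ? USERS.get(creds.user) : '');
  return known && ok ? { status: 200, user: creds.user } : challenge;
}

console.log(authorize('Basic RXhhbXBsZTphaQ=='));              // { status: 200, user: 'Example' }
console.log(authorize(undefined).headers['WWW-Authenticate']); // Basic realm="api"
```

A Bearer header reaching this handler is also answered with the Basic challenge, because `authorize` only knows that scheme; a server that accepts several schemes lists each of them in WWW-Authenticate and dispatches on the parsed scheme.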
Takeaway
The Authorization request header supplies credentials to a server to interact with a protected resource.
See also
- RFC 9110: HTTP Semantics
- WHATWG Fetch Standard, Section 4.5: HTTP-redirect fetch
- WWW-Authenticate
- 401
- Authentication
- Redirects
- HTTP headers