Authentication-Info

The HTTP Authentication-Info response header returns authentication parameters after a server accepts client credentials sent via the Authorization header.

Usage

The Authentication-Info header appears in responses where the server has successfully authenticated the client. The header provides the server with a way to send additional authentication data back to the client, including updated nonces for subsequent requests and response digests for mutual authentication.

Digest authentication schemes use this header to implement features like nonce rotation and mutual authentication. When the server sends a nextnonce parameter, the client uses the new nonce for the next request instead of the original nonce. The rspauth parameter allows the client to verify the server knows the shared secret, providing protection against server impersonation attacks.

The header parameters follow the same authentication scheme indicated by the WWW-Authenticate header in the original challenge. Different authentication schemes define different parameters for this header.

Directives

nextnonce

The nextnonce parameter provides a new nonce value for the client to use on the next request. Servers send this to implement one-time nonces or rotating nonces. The client replaces the original nonce with this value when constructing the next Authorization header.

rspauth

The rspauth (response authentication) parameter contains a digest computed by the server to prove the server knows the client's credentials. The client verifies this digest to confirm the server's identity, providing mutual authentication. This parameter appears when the quality of protection includes authentication (qop=auth or qop=auth-int).

qop

The qop (quality of protection) parameter indicates which protection level applies to the response. The value auth means authentication only. The value auth-int means authentication with integrity protection of the response message body.

cnonce

The cnonce (client nonce) parameter echoes back the client nonce value sent in the Authorization header. The parameter serves as confirmation the server processed the client's nonce. Required when qop=auth or qop=auth-int is specified.

nc

The nc (nonce count) parameter echoes back the hexadecimal count of requests the client has sent with the current nonce value. Required when qop=auth or qop=auth-int is specified.

Example

A server returns authentication parameters after accepting the client's Digest authentication credentials. The nextnonce parameter rotates the nonce for the next request, and rspauth provides a digest the client verifies to authenticate the server.

Authentication-Info: nextnonce="4ee60b", rspauth="3e8f9d1c2a5b4d7e", qop=auth, cnonce="0a4f113b", nc=00000001
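
A client-side check of this header, added here as an example that is not part of the original page: it parses Authentication-Info, confirms the cnonce and nc echo, verifies rspauth in constant time using the RFC 7616 computation for qop=auth, and returns the nonce to use on the next request. The SHA-256 algorithm choice, the function names, and all credential, URI and nonce values are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

def h(data, algo="sha256"):
    return hashlib.new(algo, data.encode()).hexdigest()

def parse_auth_info(value):
    # Accepts token and quoted-string values; backslash escapes are not handled.
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', value)
    return {k.lower(): quoted or token for k, quoted, token in pairs}

def expected_rspauth(creds, sent, qop="auth", algo="sha256"):
    # RFC 7616: same formula as the request digest, but A2 has an empty method.
    ha1 = h("{user}:{realm}:{password}".format(**creds), algo)
    ha2 = h(":" + sent["uri"], algo)
    return h(":".join([ha1, sent["nonce"], sent["nc"], sent["cnonce"], qop, ha2]), algo)

def verify_auth_info(header, creds, sent):
    """Return the nonce to use next, or raise ValueError if the server is not proven."""
    p = parse_auth_info(header)
    if p.get("qop") != "auth":
        raise ValueError("only qop=auth is handled in this example")
    # The echoed values must match what this client sent with the request.
    if p.get("cnonce") != sent["cnonce"] or p.get("nc") != sent["nc"]:
        raise ValueError("cnonce/nc echo does not match the request")
    want = expected_rspauth(creds, sent)
    # Constant-time comparison; a missing rspauth fails the same way as a wrong one.
    if not hmac.compare_digest(p.get("rspauth", "").encode(), want.encode()):
        raise ValueError("rspauth mismatch: server did not prove knowledge of the secret")
    # rspauth is computed over the nonce the request used, not over nextnonce.
    return p.get("nextnonce", sent["nonce"])

# Constructed sample values (not from the page).
CREDS = {"user": "alice", "realm": "example", "password": "correct horse"}
SENT = {"uri": "/inbox", "nonce": "7ypf", "nc": "00000001", "cnonce": "0a4f113b"}
GOOD = ('nextnonce="4ee60b", rspauth="%s", qop=auth, cnonce="0a4f113b", nc=00000001'
        % expected_rspauth(CREDS, SENT))

if __name__ == "__main__":
    print("next nonce:", verify_auth_info(GOOD, CREDS, SENT))
```

A client that skips the rspauth check and still adopts nextnonce gets nonce rotation but not the server-impersonation protection described above.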

Takeaway

The Authentication-Info header sends authentication parameters from the server to the client after successful authentication, supporting features like nonce rotation and mutual authentication in schemes such as Digest Access Authentication.

Last updated: March 6, 2026