The HTTP WWW-authenticate response header indicates which authentication messages can be used to access a particular resource.


The HTTP WWW-authenticate response header is part of the HTTP Authentication framework, as defined in RFC 7235. It is generated and included in HTTP responses from a server where a client has requested a protected resource and the server returned HTTP error message 401 Unauthorized. The mandatory directive is the authentication-scheme, whereas the two remaining directives, realm and token68, are optional.

The HTTP WWW-authenticate header contains at least one authentication-scheme and any parameters or data that are required to perform authentication using it. Multiple schemes can be specified either on separate lines or in a single line with a comma-delimited format. The commonly used Authentication schemes are Basic, Digest, and Negotiate.

Scheme Format Example

The exact format of the HTTP header depends on the Authentication scheme being used. Some examples of the format are as follows:

WWW-Authenticate: <scheme>
WWW-Authenticate: <scheme> realm=<realm>
WWW-Authenticate: <scheme> token68
WWW-Authenticate: <scheme> parameter1=token1
WWW-Authenticate: <scheme> realm=<realm> token68
WWW-Authenticate: <scheme> realm=<realm> token68 parameter1=token1

In addition to the basic formats, above, it is possible to specify multiple Authentication schemes in a comma-delimited list on a single line.

Consider the Basic Authentication scheme:

WWW-Authenticate: Basic
WWW-Authenticate: Basic realm=realm@example.ai
WWW-Authenticate: Basic realm=realm@example.ai, charset="UTF-8"

Notice that in the Basic scheme, the charset directive is supported. However, token68 is not. This is an example of the scheme dictating the relevant parameters.

The Digest scheme has several mandatory and optional directives, as do the others. It is important to consult the specification for a scheme ahead of implementing it.


The HTTP WWW-authenticate response header is used to inform the client concerning supported Authentication schemes that are needed to access protected resources.

See also

Last updated: June 2, 2022