HTTP Authentication Schemes

All HTTP auth schemes — Basic, Bearer, Digest, NTLM — with syntax and security notes.

Searchable reference for HTTP authentication scheme names used in the Authorization and WWW-Authenticate headers, including Basic, Bearer, Digest, Negotiate, NTLM and SCRAM, with syntax, RFC and security guidance. Bundled offline. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the difference between Basic and Bearer authentication?

Basic sends a base64-encoded username and password on every request, so it must run over TLS. Bearer sends an opaque or JWT token issued by an authorization server; anyone holding the token can use it until it expires, so short lifetimes and TLS are essential.

When a server protects a resource it answers with 401 Unauthorized and a WWW-Authenticate header naming an authentication scheme; the client then resends the request with a matching Authorization header. The scheme name — Basic, Bearer, Digest, Negotiate and others — decides the entire credential format and security posture. This reference lists the registered schemes with their syntax and the caveats that matter.

The challenge-response cycle

Client  ──GET /api/resource──►  Server
Client  ◄──401 WWW-Authenticate: Bearer realm="api"──  Server
Client  ──GET /api/resource, Authorization: Bearer <token>──►  Server
Client  ◄──200 OK──  Server

The WWW-Authenticate header names one or more schemes and their parameters (such as realm for both human display and credential scoping, or nonce for Digest). The client picks a scheme it supports and replies with the matching Authorization header. Proxy authentication follows the same pattern using Proxy-Authenticate (server→client) and Proxy-Authorization (client→proxy), with 407 Proxy Authentication Required replacing 401.

Scheme comparison

SchemeHeader formPassword on wire?Multi-round?Typical use
BasicBasic base64(user:pass)Yes (encoded, not encrypted)NoInternal tools over TLS
BearerBearer <token>No (token)NoREST APIs, OAuth 2.0
DigestDigest username="...", nonce="...", response="..."No (hashed)No (1 challenge)Legacy HTTP auth avoiding cleartext
NegotiateNegotiate <SPNEGO blob>No (Kerberos ticket)YesWindows SSO / Kerberos
NTLMNTLM <blob>No (challenge-response)Yes (3-way)Legacy Windows auth
SCRAM-SHA-256SCRAM-SHA-256 ...No (proof)YesModern SASL-based auth

How it works

HTTP authentication is a simple challenge cycle. The server’s WWW-Authenticate (or Proxy-Authenticate for proxies) lists one or more schemes and parameters. The client picks a scheme it supports and replies with Authorization: <scheme> <credentials>. Some schemes are single-shot (Basic, Bearer); others are multi-round handshakes (Digest, Negotiate/NTLM, SCRAM).

Crucially, encoding is not encryption. Basic merely base64-encodes user:password, so it leaks credentials over plain HTTP and must run on TLS. Bearer tokens are equally sensitive — holding the token is enough to act as the user.

The four you actually encounter

Basic — simplest, most dangerous without TLS

Authorization: Basic ZGVtbzpwYXNzd29yZA==

ZGVtbzpwYXNzd29yZA== is just btoa("demo:password"). Use only over HTTPS.

Bearer — the modern API standard

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

The token is typically a signed JWT. Validate the signature, audience (aud) and expiry (exp) on the server. Use short lifetimes (15–60 minutes) and refresh tokens for long sessions.

Digest — avoided for new systems

Authorization: Digest username="demo", realm="api", nonce="abc123",
               uri="/resource", qop=auth, nc=00000001, cnonce="xyz",
               response="<MD5 hash>"

Sends a hash of credentials rather than the credentials themselves. MD5-based Digest is considered weak; prefer Bearer over TLS.

Negotiate — Windows SSO via Kerberos

Authorization: Negotiate YIIZ...

SPNEGO wrapping a Kerberos or NTLM token. The Negotiate scheme prefers Kerberos; fall back to NTLM only when Kerberos is unavailable. Microsoft actively deprecates standalone NTLM due to relay attack vulnerabilities.