When a server protects a resource it answers with 401 Unauthorized and a WWW-Authenticate header naming an authentication scheme; the client then resends the request with a matching Authorization header. The scheme name — Basic, Bearer, Digest, Negotiate and others — decides the entire credential format and security posture. This reference lists the registered schemes with their syntax and the caveats that matter.
The challenge-response cycle
Client ──GET /api/resource──► Server
Client ◄──401 WWW-Authenticate: Bearer realm="api"── Server
Client ──GET /api/resource, Authorization: Bearer <token>──► Server
Client ◄──200 OK── Server
The WWW-Authenticate header names one or more schemes and their parameters (such as realm for both human display and credential scoping, or nonce for Digest). The client picks a scheme it supports and replies with the matching Authorization header. Proxy authentication follows the same pattern using Proxy-Authenticate (server→client) and Proxy-Authorization (client→proxy), with 407 Proxy Authentication Required replacing 401.
Scheme comparison
| Scheme | Header form | Password on wire? | Multi-round? | Typical use |
|---|---|---|---|---|
Basic | Basic base64(user:pass) | Yes (encoded, not encrypted) | No | Internal tools over TLS |
Bearer | Bearer <token> | No (token) | No | REST APIs, OAuth 2.0 |
Digest | Digest username="...", nonce="...", response="..." | No (hashed) | No (1 challenge) | Legacy HTTP auth avoiding cleartext |
Negotiate | Negotiate <SPNEGO blob> | No (Kerberos ticket) | Yes | Windows SSO / Kerberos |
NTLM | NTLM <blob> | No (challenge-response) | Yes (3-way) | Legacy Windows auth |
SCRAM-SHA-256 | SCRAM-SHA-256 ... | No (proof) | Yes | Modern SASL-based auth |
How it works
HTTP authentication is a simple challenge cycle. The server’s WWW-Authenticate (or Proxy-Authenticate for proxies) lists one or more schemes and parameters. The client picks a scheme it supports and replies with Authorization: <scheme> <credentials>. Some schemes are single-shot (Basic, Bearer); others are multi-round handshakes (Digest, Negotiate/NTLM, SCRAM).
Crucially, encoding is not encryption. Basic merely base64-encodes user:password, so it leaks credentials over plain HTTP and must run on TLS. Bearer tokens are equally sensitive — holding the token is enough to act as the user.
The four you actually encounter
Basic — simplest, most dangerous without TLS
Authorization: Basic ZGVtbzpwYXNzd29yZA==
ZGVtbzpwYXNzd29yZA== is just btoa("demo:password"). Use only over HTTPS.
Bearer — the modern API standard
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
The token is typically a signed JWT. Validate the signature, audience (aud) and expiry (exp) on the server. Use short lifetimes (15–60 minutes) and refresh tokens for long sessions.
Digest — avoided for new systems
Authorization: Digest username="demo", realm="api", nonce="abc123",
uri="/resource", qop=auth, nc=00000001, cnonce="xyz",
response="<MD5 hash>"
Sends a hash of credentials rather than the credentials themselves. MD5-based Digest is considered weak; prefer Bearer over TLS.
Negotiate — Windows SSO via Kerberos
Authorization: Negotiate YIIZ...
SPNEGO wrapping a Kerberos or NTLM token. The Negotiate scheme prefers Kerberos; fall back to NTLM only when Kerberos is unavailable. Microsoft actively deprecates standalone NTLM due to relay attack vulnerabilities.