authentication

WWW-Authenticate

Sent in a 401 response to challenge the client for credentials using the named scheme(s). May appear multiple times to offer alternatives; each carries scheme-specific parameters like realm and error codes.

WWW-Authenticate: <scheme> [<param>=<value>[, <param>=<value>...]]  (accompanies 401 Unauthorized)

Common directives / values

Directive Purpose
Basic realm="..." Challenge for HTTP Basic auth in the given protection space.
Bearer realm="...", error="invalid_token" OAuth 2.0 Bearer challenge with RFC 6750 error info.
Digest ... Digest challenge with nonce, qop, algorithm parameters.
DPoP algs="ES256 RS256" Announces DPoP requirement and supported algorithms.

Examples

HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The access token expired"

OAuth expired-token response — client should refresh and retry.

WWW-Authenticate: Basic realm="Admin Area", charset="UTF-8"

Triggers the browser's Basic auth password prompt.

WWW-Authenticate: Bearer realm="api"\nWWW-Authenticate: Basic realm="api"

Advertise two acceptable schemes — client picks the strongest it supports.

WWW-Authenticate: Digest realm="api", qop="auth", nonce="abc123", algorithm=SHA-256

Digest challenge — client hashes credentials with the nonce.

Gotcha

A 401 response MUST include WWW-Authenticate per RFC 9110 — many APIs use 401 without it and confuse clients. Use 403 Forbidden when the user IS authenticated but not authorized; do not send WWW-Authenticate there.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors