authentication
WWW-Authenticate
Sent in a 401 response to challenge the client for credentials using the named scheme(s). May appear multiple times to offer alternatives; each carries scheme-specific parameters like realm and error codes.
WWW-Authenticate: <scheme> [<param>=<value>[, <param>=<value>...]] (accompanies 401 Unauthorized) Common directives / values
| Directive | Purpose |
|---|---|
| Basic realm="..." | Challenge for HTTP Basic auth in the given protection space. |
| Bearer realm="...", error="invalid_token" | OAuth 2.0 Bearer challenge with RFC 6750 error info. |
| Digest ... | Digest challenge with nonce, qop, algorithm parameters. |
| DPoP algs="ES256 RS256" | Announces DPoP requirement and supported algorithms. |
Examples
HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The access token expired" OAuth expired-token response — client should refresh and retry.
WWW-Authenticate: Basic realm="Admin Area", charset="UTF-8" Triggers the browser's Basic auth password prompt.
WWW-Authenticate: Bearer realm="api"\nWWW-Authenticate: Basic realm="api" Advertise two acceptable schemes — client picks the strongest it supports.
WWW-Authenticate: Digest realm="api", qop="auth", nonce="abc123", algorithm=SHA-256 Digest challenge — client hashes credentials with the nonce.
Gotcha
A 401 response MUST include WWW-Authenticate per RFC 9110 — many APIs use 401 without it and confuse clients. Use 403 Forbidden when the user IS authenticated but not authorized; do not send WWW-Authenticate there.
Related headers
Authorization
Carries client credentials to the server per the scheme announced in a prior WWW-Authenticate challenge (or agreed out of band). The scheme names the auth mechanism; the credentials are its scheme-specific payload.
Cookie
Client sends previously stored cookies that match the request's origin, path, and Secure/SameSite constraints. All applicable name=value pairs are concatenated into a single header.
Set-Cookie
Server instructs the client to store a cookie with attributes governing lifetime, scope, and security. Each cookie needs its own Set-Cookie header — they are the one HTTP header that MUST NOT be comma-folded.