The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource.

The WWW-Authenticate header is sent along with a 401 Unauthorized response.

Header type Response header
Forbidden header name no

Syntax

WWW-Authenticate: <type> realm=<realm>

Directives

<type>
Authentication type. A common type is "Basic". IANA maintains a list of Authentication schemes.
realm=<realm>
A description of the protected area. If no realm is specified, clients often display a formatted hostname instead.
charset=<charset>
Tells the client the server's prefered encoding scheme when submiting a username and password. The only allowed value is the case insensitive string "UTF-8". This does not relate to the encoding of the realm string.

Examples

Typically, a server response contains a WWW-Authenticate header that looks like these:

WWW-Authenticate: Basic

WWW-Authenticate: Basic realm="Access to the staging site", charset="UTF-8"

See also HTTP authentication for examples on how to configure Apache or nginx servers to password protect your site your HTTP basic authentication.

Specifications

Specification Title
RFC 7235, section 4.1: WWW-Authenticate HTTP/1.1: Authentication
RFC 7617 The 'Basic' HTTP Authentication Scheme

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Basic supportChrome Full support 1Edge ? Firefox Full support 1IE ? Opera Full support YesSafari ? WebView Android ? Chrome Android Full support YesEdge Mobile ? Firefox Android Full support YesOpera Android Full support YesSafari iOS ? Samsung Internet Android ?

Legend

Full support  
Full support
Compatibility unknown  
Compatibility unknown

See also

Document Tags and Contributors

Contributors to this page: fscholz, mfuji09, rmdso, callumgare, teoli
Last updated by: fscholz,