Basic Access Authentication - Protocol

Protocol

Server side

When the server wants the user agent to authenticate itself to the server, it can send an authentication request.

This request should be sent using the HTTP 401 Not Authorized response code, in a response containing a WWW-Authenticate HTTP header.

The WWW-Authenticate header for basic authentication (used most often) is constructed as follows:

WWW-Authenticate: Basic realm="insert realm"

Client side

When the user agent wants to send the server authentication credentials it may use the Authorization header.

The Authorization header is constructed as follows:

  1. Username and password are combined into a string "username:password"
  2. The resulting string literal is then encoded using Base64
  3. The authorization method and a space, i.e. "Basic ", are then put before the encoded string.

For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the header is formed as follows:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
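
The header construction above and the matching server-side check, as an added Python example that is not part of the original page. The function names and the expected-credential parameters of check() are assumptions made for illustration.

```python
import base64
import hmac
from typing import Optional, Tuple

def build_authorization(username: str, password: str) -> str:
    """Client side: steps 1-3 of the list above."""
    if ":" in username:
        # The first colon separates the two fields, so a username cannot hold one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def build_challenge(realm: str) -> Tuple[int, dict]:
    """Server side: the 401 response with its WWW-Authenticate header."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password), or None if the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Base64 is an encoding, not encryption: decoding needs no secret.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Split on the first colon only, so passwords may contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def check(header: Optional[str], user: str, password: str,
          realm: str = "insert realm") -> Tuple[int, dict]:
    """Return (200, {}) for matching credentials, otherwise the 401 challenge."""
    creds = parse_authorization(header)
    if creds is not None:
        # Constant-time comparison; both fields are always compared.
        user_ok = hmac.compare_digest(creds[0].encode(), user.encode())
        pass_ok = hmac.compare_digest(creds[1].encode(), password.encode())
        if user_ok and pass_ok:
            return 200, {}
    return build_challenge(realm)

if __name__ == "__main__":
    hdr = build_authorization("Aladdin", "open sesame")  # values from the page
    print(hdr)
    print(parse_authorization(hdr))
    print(check(None, "Aladdin", "open sesame"))
```

Because parse_authorization() recovers the password from the header alone, the header is only as confidential as the connection that carries it.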
