What the Authorization Header Is
The Authorization request header carries the credentials a client uses to prove its identity to a server. Its grammar is deceptively simple: a scheme name (matched case-insensitively), a space, and credentials whose format depends on the scheme:
Authorization: <scheme> <credentials>
Basic, Bearer and Digest are just different values for <scheme> with a different encoding of <credentials>; API keys are not a registered scheme at all and usually ride inside one of the others (more on that below).
The Challenge–Response Flow
Authentication usually starts with the server, not the client. When you request a protected resource without credentials, the server replies 401 Unauthorized with a WWW-Authenticate header naming the scheme (and realm) it expects:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Admin Area"
The client then retries with an Authorization header that matches. A 401 is required to carry at least one WWW-Authenticate challenge, so if you are unsure whether a failed request is an auth problem, that 401 plus WWW-Authenticate pair is the tell; a 401 without it is a misbehaving server. (A client that already holds credentials may skip the challenge and send them on the first request.) See 401 vs 403: Unauthorized vs Forbidden for the distinction.
The Common Schemes
Basic
Credentials are base64(username:password). The username may not contain a colon but the password may, so decoders split on the first colon only. Simple, reusable, and sent on every request. Base64 is an encoding, not encryption: anyone who can read the request can recover the password, so Basic is only acceptable over HTTPS. Full details in HTTP Basic Authentication: How It Works.
Authorization: Basic YWRtaW46c2VjcmV0MTIz
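Here is an added example, not code from the original page, of a server handling this flow end to end in Python: a generic split of Authorization into scheme and credentials, the Basic decoding rules (UTF-8, split on the first colon), a constant-time password check, and the 401 challenge from above for every failure. The USERS store and the admin:secret123 pair are constructed demo values; a real server stores a salted password hash, not the password.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed demo values (example only, not from the page). A real server
# would store a salted password hash, never the plaintext password.
USERS = {"admin": "secret123"}
REALM = "Admin Area"


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split 'Authorization: <scheme> <credentials>' into its two parts.

    Scheme names are case-insensitive, so the scheme is lower-cased; the
    credentials are returned untouched because their format depends on the
    scheme. Returns None if either part is missing.
    """
    if not header:
        return None
    scheme, _, credentials = header.strip().partition(" ")
    credentials = credentials.strip()
    if not scheme or not credentials:
        return None
    return scheme.lower(), credentials


def decode_basic(credentials: str) -> Optional[Tuple[str, str]]:
    """Decode Basic credentials: base64(username:password) as UTF-8.

    The username may not contain a colon, the password may, so the decoded
    string is split on the first colon only. Bad Base64, bad UTF-8, or a
    missing colon all yield None rather than an exception.
    """
    try:
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(authorization: Optional[str]) -> Tuple[int, dict]:
    """Decide a request the way a Basic-protected endpoint would.

    Returns (status, response headers): 401 with the challenge from the text
    when credentials are missing, malformed, for another scheme, or wrong;
    200 with no extra headers when they check out.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    parsed = parse_authorization(authorization)
    if parsed is None or parsed[0] != "basic":
        return 401, challenge
    creds = decode_basic(parsed[1])
    if creds is None:
        return 401, challenge
    username, password = creds
    # Compare against a dummy value for unknown users so the timing of the
    # response does not reveal which usernames exist.
    known = username in USERS
    expected = USERS.get(username, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if not (matches and known):
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    print(authenticate(None))                          # 401 plus the WWW-Authenticate challenge
    print(authenticate("Basic YWRtaW46c2VjcmV0MTIz"))  # admin:secret123 -> (200, {})
    print(authenticate("Basic YWRtaW46d3Jvbmc="))      # admin:wrong -> 401 again
```

The same 401 is returned for a missing header, a malformed one, another scheme and a wrong password, so the client can retry in every case and an attacker learns nothing from the status code alone.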
Bearer
Credentials are an opaque or signed token (often a JWT or OAuth access token). The token can expire and carry scopes, which makes Bearer the modern default for user-facing apps and APIs. The name is literal: whoever holds the token can use it, so it needs TLS in transit and a short lifetime, and a JWT's claims mean nothing until its signature has been verified against the issuer's key. Compare them in Basic Auth vs Bearer Token.
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
If your token is a JWT, you can inspect its header and payload with the JWT Parser. Decoding the two segments shows what the token claims about itself; only a signature check proves who issued them.
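As an added example (not from the page or the JWT Parser tool), here is the difference between inspecting a JWT and verifying one, in Python: inspect_jwt decodes the base64url header and payload exactly as a parser does, while verify_hs256 additionally pins the algorithm to HS256, checks the HMAC signature in constant time and enforces exp. The SECRET, the claims and the NOW clock value are constructed for the demo; the sample token it builds starts with the same header segment shown above, because that segment is just base64url of {"alg":"HS256","typ":"JWT"}.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url with the '=' padding stripped; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying anything, which is all a
    parser does. Nothing in the result is trustworthy yet."""
    header_b64, payload_b64, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS; used here only to construct the sample token."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload only if the signature is valid and the token is unexpired.

    Checks, in order: exactly three segments; alg pinned to HS256 (the token's
    own alg field must never choose the algorithm, or alg=none and key-confusion
    attacks follow); constant-time signature comparison; then exp. Anything
    else returns None.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64url, bad JSON, or non-ASCII segments
        return None
    if not isinstance(payload, dict):
        return None
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


def bearer_token(authorization: str) -> Optional[str]:
    """Extract <token> from 'Authorization: Bearer <token>' (scheme is case-insensitive)."""
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


# Constructed sample (not from the page): fixed secret and fixed clock.
SECRET = b"demo-signing-key-not-for-production"
NOW = 1_700_000_000
SAMPLE = sign_hs256({"alg": "HS256", "typ": "JWT"},
                    {"sub": "alice", "scope": "read", "exp": NOW + 300}, SECRET)

if __name__ == "__main__":
    print(inspect_jwt(SAMPLE)["header"])            # {'alg': 'HS256', 'typ': 'JWT'}
    print(verify_hs256(SAMPLE, SECRET, now=NOW))    # the payload dict
    print(verify_hs256(SAMPLE, b"wrong", now=NOW))  # None
```

The design point is the order of checks: the algorithm is fixed by the verifier, the signature is checked before any claim is read, and only then is exp consulted. A tampered payload or an alg=none header fails before its contents are ever looked at.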
Digest
A challenge-response scheme: the client hashes the username, realm and password together with a server-provided nonce and the request method and URI, so the raw password never crosses the wire and a captured response cannot simply be replayed once the nonce is retired. It is more secure than Basic over plain HTTP, but the original RFC 2617 profile uses MD5 (RFC 7616 added SHA-256), the server must still hold the password or a reusable per-user hash of it, and it protects only the password, not the rest of the request. In practice it has been superseded by TLS plus Bearer tokens.
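The hashing the scheme relies on, as an added example in Python (not from the page): both sides of a Digest exchange per RFC 2617 with algorithm=MD5 and qop=auth, from the server's nonce challenge through the client's response to the server's recomputation from its stored HA1. The realm, the user and HA1_STORE are constructed demo values, and MD5 is used only because that is the profile RFC 2617 defines.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

REALM = "Admin Area"

# Constructed demo store (not from the page). A Digest server needs either the
# password or HA1 = MD5(username:realm:password) for every user, which is why
# that stored value is itself a reusable, password-equivalent secret.
HA1_STORE = {"admin": hashlib.md5(b"admin:Admin Area:secret123").hexdigest()}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def server_challenge() -> Tuple[str, str]:
    """Server side, step 1: a fresh nonce and the WWW-Authenticate value to send."""
    nonce = secrets.token_hex(16)
    return nonce, f'Digest realm="{REALM}", qop="auth", algorithm=MD5, nonce="{nonce}"'


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617, algorithm=MD5, qop=auth:
         HA2      = MD5(method:uri)
         response = MD5(HA1:nonce:nc:cnonce:auth:HA2)
    The password enters only through HA1, so it never appears on the wire."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_header(username: str, password: str, method: str, uri: str,
                  nonce: str, nc: str = "00000001", cnonce: Optional[str] = None) -> str:
    """Client side, step 2: the Authorization value answering the challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header: str) -> Optional[Dict[str, str]]:
    """Split 'Digest k="v", k2=v2, ...' into a dict; None for any other scheme."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def server_verify(header: str, method: str, issued_nonces: set) -> bool:
    """Server side, step 3: recompute the response from stored HA1 and compare."""
    p = parse_digest(header)
    required = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}
    if p is None or not required.issubset(p):
        return False
    if p["realm"] != REALM or p["nonce"] not in issued_nonces:
        return False  # a nonce this server never issued: reject, which blocks replays
    ha1 = HA1_STORE.get(p["username"])
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    nonce, www_auth = server_challenge()
    print("WWW-Authenticate:", www_auth)
    hdr = client_header("admin", "secret123", "GET", "/admin/", nonce)
    print("Authorization:", hdr)
    print(server_verify(hdr, "GET", {nonce}))   # True
    print(server_verify(hdr, "POST", {nonce}))  # False: the method is bound into HA2
```

Because the method and URI are folded into HA2, a response captured for one request does not validate for another, and because the server only recognises nonces it issued, replaying the same header after the nonce is retired fails too. What the server keeps, though, is HA1, which is enough to impersonate the user against this realm; that is the storage weakness the prose above refers to.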
API keys
Not a registered HTTP scheme, but commonly carried as Authorization: Bearer <key>, in a custom header like X-API-Key, or as a query parameter. Prefer a header: query strings end up in server and proxy logs, browser history and Referer headers. Convenient for service-to-service calls; treat the key like a password (store only a hash of it server-side, compare in constant time, and rotate it).
Which Scheme Should You Use?
| Need | Scheme |
|---|---|
| Internal API or quick protection, over HTTPS | Basic |
| User login, expiring/scoped access | Bearer (JWT/OAuth) |
| Legacy systems that must avoid sending the password | Digest |
| Machine-to-machine service calls | API key (as Bearer) |
Frequently Asked Questions
What is the format of the Authorization header?
Authorization: <scheme> <credentials>. For Basic it is Basic base64(user:pass); for Bearer it is Bearer <token>.
What is the difference between Authorization: Basic and Bearer?
Basic sends reusable username:password credentials encoded in Base64. Bearer sends a token that can expire and carry scopes. Basic suits internal tooling; Bearer suits user-facing apps.
What is the WWW-Authenticate header?
It is the server's challenge, returned with a 401 response, telling the client which authentication scheme (and realm) to use when it retries.
Generate and decode Authorization: Basic headers with the Basic Auth generator, and look up response codes like 401 with the HTTP status codes reference.