Skip to main content

Basic Authentication

It is a mechanism to authenticate access to the resource over HTTP.

Credentials are sent in the request headers in the form of Authorization: Basic <base64 encoded username and password>.

Ever seen this page?

Auth Basic

This is basic authentication in play!

How does it work?

  1. Client tries to access some protected URL or other resource.
  2. Server checks if the request contains the Authorization header with valid username and password.
    • (Success) If it exists and is valid, the server sends the requested resource and status: 200.
    • (Go to step 3) If credentials don't exists or are invalid, the server sends status: 401 and the WWW-Authenticate header with the Basic realm="Restricted Area" value.
  3. The client receives the 401 status and the WWW-Authenticate header and shows the login form.
  4. The client fills in the form and sends the request again. The credentials are encoded using base64 and sent in the Authorization header. base64(username:password).
  5. (Go to step 2) Continue cycle.

Note:

  • Basic auth is not considered secure unless used with TSL/HTTPS. Because anyone can intercept the request and decode the credentials.
  • Basic auth can also be used in APIs, but in that case it is just like normal token-based authentication.