The “WWW-Authenticate” header field consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the effective request URI. It MUST be included in 401 (Unauthorized) response messages and MAY be included in other response messages to indicate that supplying credentials (or different credentials) might affect the response. (RFC 7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication)

If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a “401 Unauthorized” status code, and a WWW-Authenticate header as per the framework defined above. (RFC 7616: HTTP Digest Access Authentication)


Return to list of all ( HTTP Header Fields | Web Concepts )