Tech Monger

Programming, Web Development and Computer Science.


How HTTP Basic Access Authentication Works

If you are building a simple web application or API that requires user authentication, you can use basic access authentication as specified in RFC 7617. This form of authentication does not require a database, cookies or sessions to authenticate users; instead, the authentication mechanism is built into modern browsers. It can also be called browser-based authentication. Let us see how it works.

Client Server Communication - Request and Response

Below is the ordered list of events that take place during basic HTTP authentication, along with a diagram and an explanation of each step.

[Figure: Working of HTTP Basic Access Authentication (client-server communication)]
  1. The browser (client) requests a URL endpoint that requires basic access authentication, for example /login/.
  2. The server sends HTTP status code 401 along with an additional HTTP header, WWW-Authenticate, with the value Basic, indicating that the client should initiate Basic Access Authentication.
    WWW-Authenticate: Basic
  3. When the client browser encounters the above header, it renders a login pop-up with input fields for username and password.
    [Figure: Browser Sign In Box - Username & Password (sign-in pop-up in Google Chrome)]
  4. The client enters a username and password in the pop-up and submits the form. The browser joins the entered username and password with a colon and encodes the result using base64. For example, if you entered john as the username and hunter2 as the password, the browser encodes them as shown below.
    Encoding : Base64Encode('john:hunter2')
    Output   : am9objpodW50ZXIy
  5. The client browser then sends the encoded username and password inside the Authorization header. Note that it also prepends the string Basic before the encoded value, as shown below.
    Authorization: Basic am9objpodW50ZXIy
  6. The server decodes the username and password sent by the client in the Authorization header and compares them with the valid username and password configured on the server. If both values match, it sends HTTP status code 200 along with the requested data.

    But if the details are incorrect, the server sends 401 with WWW-Authenticate as mentioned in step 2.


Security Considerations

Note that the username and password passed by the client are base64 encoded, not encrypted. This means that anybody listening on the network can easily decode the credentials, so it is highly advisable to use basic auth only over an HTTPS connection and not over plain HTTP.

Accessing API

If your web server API implements basic authentication and you want to access it from a script or some other tool, make an HTTP GET request to the API endpoint and pass an Authorization header with the base64 encoded credentials as discussed above.


With basic access authentication you can implement a simple login system for your web application in any language of your choice. In an advanced setup, the WWW-Authenticate header can carry the key charset, which would prompt the client to send the encoded data using a specific character set encoding, and the key realm, which implements access control over a certain part of the web application.
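The encode, send and verify steps described above, together with a challenge that carries the realm and charset keys, as an added Python example that is not code from the original article. The sample account, the realm name "example" and all function names are assumptions made for the illustration.

```python
import base64
import hmac

# Constructed sample account for illustration; a real server would check a
# salted password hash instead of holding a plaintext password.
VALID_USER = "john"
VALID_PASSWORD = "hunter2"
REALM = "example"  # assumed realm name


def build_authorization(username: str, password: str) -> str:
    """Client side: base64 of 'user:pass', prefixed with the string 'Basic '."""
    if ":" in username:
        raise ValueError("username must not contain a colon")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_authorization(header):
    """Server side: return (username, password), or None if the header is malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":  # the scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return None
    username, sep, password = decoded.partition(":")  # split on the first colon only
    return (username, password) if sep else None


def handle_request(headers: dict):
    """Return (status, response_headers) for a protected resource."""
    creds = parse_authorization(headers.get("Authorization"))
    if creds is not None:
        # Compare both fields in constant time before deciding the outcome.
        user_ok = hmac.compare_digest(creds[0].encode(), VALID_USER.encode())
        pass_ok = hmac.compare_digest(creds[1].encode(), VALID_PASSWORD.encode())
        if user_ok and pass_ok:
            return 200, {}
    challenge = f'Basic realm="{REALM}", charset="UTF-8"'
    return 401, {"WWW-Authenticate": challenge}
```

Splitting on the first colon keeps passwords that contain colons intact, and a malformed or missing header falls through to the same 401 challenge as a wrong password.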
