Digest authentication (RFC 7616) is a challenge-response scheme built to avoid sending the password in cleartext or Base64. The server issues a nonce (one-time value); the client hashes the username, password, nonce, request method, and URI and sends only that digest, so the raw password never crosses the wire.
Authorization: Digest username=..., realm=..., nonce=..., uri=..., response=...The flow: the first request returns 401 with `WWW-Authenticate: Digest realm=..., nonce=..., qop="auth", algorithm=...`. The client computes `HA1 = H(username:realm:password)` and `HA2 = H(method:uri)`, then produces `response = H(HA1:nonce:nc:cnonce:qop:HA2)` and resends it in the Authorization header. The cnonce (client nonce) and nc (nonce count) exist to defeat replay and resubmission.
It was originally designed around MD5, which is weak by today's standards; `-sess` variants and SHA-256 support were added, but browser support and interoperability are inconsistent. Verifying the password often requires the server to store HA1 (`H(user:realm:password)`), which is incompatible with modern salted hashing (bcrypt/argon2).
Decisively, as TLS became ubiquitous, 'HTTPS + Basic' or 'HTTPS + Bearer' replaced most of Digest's advantages. Digest is therefore effectively legacy and is rarely chosen for new designs.
Authorization: Digest username="alice", realm="api@example.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"# curl performs the challenge/response handshake for you
curl --digest -u alice:s3cret https://api.example.com/protectedHTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="api@example.com", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41", algorithm=SHA-256