HTTP Authentication

Basic vs Bearer, WWW-Authenticate, 401 vs 403, tokens/JWT vs sessions/cookies, and why HTTPS is non-negotiable.

HTTP authentication is the process of proving who made a request. HTTP is stateless, so every request must identify itself. When a server requires authentication for a protected resource, it responds with 401 Unauthorized and a WWW-Authenticate header naming the scheme it expects.

GET /v1/me HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token"

Basic vs Bearer

The two most basic Authorization schemes are Basic and Bearer. Basic sends username:password Base64-encoded. Beware: Base64 is encoding, not encryption — anyone can reverse it. So Basic must only ever run over HTTPS.

GET /v1/me HTTP/1.1
Authorization: Basic dXNlcjpwYXNzd29yZA==

GET /v1/me HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Bearer means 'grant access to whoever bears this token.' You send a previously issued token (usually an OAuth 2.0 access token or a JWT) as-is. Possession of the token is sufficient, so a leaked token is immediately abusable. That's why Bearer also requires HTTPS, and tokens should carry short expirations.

401 vs 403

This is the most commonly confused pair. Despite its name, 401 Unauthorized means an authentication failure — 'I don't know who you are; present credentials.' 403 Forbidden means 'you're authenticated and I know who you are, but you lack authorization for this action.' Logged in but hitting an admin-only page → 403. Not logged in, or an expired token → 401.

Tokens/JWT vs sessions/cookies

There are two broad families for keeping someone authenticated across requests.

When you use cookies, the security attributes matter. HttpOnly blocks JavaScript access and protects the token from XSS; Secure restricts it to HTTPS; SameSite mitigates CSRF. Storing a Bearer token in the browser's localStorage is XSS-exposed, so an HttpOnly cookie is often the safer choice.

Why HTTPS is required

Whether Basic or Bearer, credentials and tokens travel in request headers essentially in the clear. Sent without HTTPS, an attacker on the same network can sniff and reuse them to take over the account. Every form of authentication must therefore run over TLS (HTTPS) — not optional, but a minimum requirement.