AuthorizationAuthorization is the request header a client uses to present its credentials to the server. It carries a scheme (Basic, Bearer, Digest, ...) plus matching credentials and is the primary means of accessing protected resources.
It follows a challenge-response flow. Accessing a protected resource without credentials yields 401 Unauthorized plus a `WWW-Authenticate` header naming the required scheme; the client then retries with a matching Authorization header. If authentication succeeds but the user lacks permission, the server returns 403 Forbidden (the 401 vs 403 distinction).
The two most common schemes are Basic and Bearer. Basic merely base64-encodes `user:password` (encoding, not encryption), so it must be used only over HTTPS. Bearer carries an OAuth 2.0/JWT token verbatim; whoever holds the token holds the authority, so token leakage equals account takeover.
Despite being named 'Authorization', it mostly carries authentication information. Proxy authentication uses the separate `Proxy-Authorization` header.
Authorization: <auth-scheme> <credentials>e.g. Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Basic <base64> | base64 of `user:password` (encoding, not encryption). Only over HTTPS. |
Bearer <token> | Carries an OAuth 2.0/JWT token as-is; the most common API auth scheme. |
Digest ... | Challenge-response hashing; avoids sending a plaintext password but rarely used today. |