WWW-AuthenticateWWW-Authenticate rides on a 401 Unauthorized response to tell the client which authentication scheme it must use to present credentials. It acts as the server's authentication challenge.
The value consists of an auth scheme (Basic, Bearer, Digest, etc.) and parameters like realm.
Flow: accessing a protected resource without credentials makes the server reply 401 + WWW-Authenticate: Basic realm="...". The client (browser) then shows a login prompt or resends with stored credentials in the Authorization header.
The Bearer scheme is used for OAuth 2.0/JWT token auth and can convey a specific failure reason via parameters like error="invalid_token" and error_description="..." when a token is expired or invalid, letting the client respond appropriately (e.g. refresh the token).
realm names the protection space; resources in the same realm share one set of credentials. A single response may include multiple WWW-Authenticate headers offering several schemes, and the client picks the strongest one it supports.
WWW-Authenticate: <scheme> [realm="..."][, <param>=<value>]*e.g. WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="expired"
Basic | Basic auth sending Base64 user:password. Use only over HTTPS. |
Bearer | Token-based auth (OAuth 2.0/JWT). May include error/error_description params. |
Digest | Challenge-response auth avoiding plaintext password transmission. |
realm="<name>" | Protection space name — the same realm shares one set of credentials. |