Last Updated: 2024-04-23

When starting working with the Project M API, I saw they used an Authorization HTTP header to authorize requests. This document researches the common patterns people use here.

The basic syntax is:

Authorization: <type> <credentials>

For example:

Authorization: Bearer eyJJJJJJJKKKKzI1NiIsInR5cCI6IkpXVCJ9

Available types of authentication schemes

1. Basic (i.e. the HTTP Basic)

The <type> here is set of "Basic".

The credentials, whose key is "username:password", are run through the base64 algo. Thus "admin" and "opensesame" would become "YWRtaW46b3BlbnNlc2FtZQo=", as shown below:

$ base64 <<< "admin:opensesame"

=> YWRtaW46b3BlbnNlc2FtZQo

2. Bearer

Any party in possession of a bearer token (a "bearer") can use it to get access to the associated OAuth 2.0 resources (without demonstrating possession of a cryptographic key)

This token replaces different authorization constructs like username/password.

Authorization: Bearer eyJJJJJJJKKKKzI1NiIsInR5cCI6IkpXVCJ9

The credentials format

This is sent in base64. Even though it might look like a hash, it isn't, and the operation is fully reversible. Therefore consider it no more secure than sending in plaintext. As such, basic authentication is typically used in conjunction with HTTPS to provide confidentiality.

Server responses

To unauthenticated requests, the server should return a response whose header contains a HTTP 401 Unauthorized status

Resources

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
• https://en.wikipedia.org/wiki/Basic_access_authentication
• https://tools.ietf.org/html/rfc6750