Skip to main content

1. Introduction

This document defines the "Basic" Hypertext Transfer Protocol (HTTP) authentication scheme, which transmits credentials as user-id/password pairs, encoded using Base64 (HTTP authentication schemes are defined in [RFC7235]).

This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external secure system such as TLS (Transport Layer Security, [RFC5246]), as the user-id and password are passed over the network as cleartext.

The "Basic" scheme previously was defined in Section 2 of [RFC2617]. This document updates the definition, and also addresses internationalization issues by introducing the 'charset' authentication parameter (Section 2.1).

Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication" ([RFC7235], defining the authentication framework), "HTTP Digest Access Authentication" ([RFC7616], updating the definition of the "Digest" authentication scheme), and "HTTP Authentication-Info and Proxy-Authentication-Info Response Header Fields" ([RFC7615]). Taken together, these four documents obsolete RFC 2617.

1.1. Terminology and Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

The terms "protection space" and "realm" are defined in Section 2.2 of [RFC7235].

The terms "(character) repertoire" and "character encoding scheme" are defined in Section 2 of [RFC6365].

Last updated on