The WWW-Authenticate response header defines the HTTP authentication methods ("challenges") that might be used to gain access to a specific resource.
Note: This header is part of the General HTTP authentication framework, which can be used with a number of authentication schemes. Each "challenge" lists a scheme supported by the server and additional parameters that are defined for that scheme type.
A server using HTTP authentication will respond with a 401 Unauthorized response to a request for a protected resource. This response must include at least one WWW-Authenticate header and at least one challenge, to indicate what authentication schemes can be used to access the resource (and any additional data that each particular scheme needs).
Multiple challenges are allowed in one WWW-Authenticate header, and multiple WWW-Authenticate headers are allowed in one response. A server may also include the WWW-Authenticate header in other response messages to indicate that supplying credentials might affect the response.
After receiving the WWW-Authenticate header, a client will typically prompt the user for credentials, and then re-request the resource. This new request uses the Authorization header to supply the credentials to the server, encoded appropriately for the selected "challenge" authentication method. The client is expected to select the most secure of the challenges it understands (note that in some cases the "most secure" method is debatable).
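
The selection rule described above, as an added example that is not part of the original page: a Python parser that collects every challenge from one or more WWW-Authenticate values and picks the client's most preferred scheme rather than the first one listed. The preference order, the function names, the "token68" dictionary key and the sample header values are assumptions of this example.

```python
import re

# Client preference, strongest first. This ordering is the example's assumption;
# the page itself notes that "most secure" can be debatable.
PREFERENCE = ("negotiate", "digest", "basic")
# Constructed sample: two WWW-Authenticate lines from one 401 response.
SAMPLE = ['Basic realm="staging"', 'Digest realm="staging", qop="auth", nonce="n0,n1"']

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # comma-separated, quotes kept whole
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))$')
START = re.compile(rf"({TOKEN})(?:\s+(.+))?$")

def add_param(params, text):
    """Store one auth-param; any other text is kept as token68 data."""
    m = PARAM.match(text)
    if m is None:
        params["token68"] = text
    elif m.group(2) is None:
        params[m.group(1).lower()] = m.group(3)
    else:  # quoted-string: drop the quotes and undo backslash escapes
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))

def parse_challenges(header_values):
    """Return [(scheme, params)] for every challenge in the given header values."""
    challenges = []
    for value in header_values:
        current = None  # parameters never carry over to the next header line
        for item in (i.strip() for i in ITEM.findall(value)):
            start = START.match(item)
            if PARAM.match(item):  # bare name=value: belongs to the open challenge
                if current is not None:
                    add_param(current, item)
            elif start:  # "Scheme", "Scheme name=value" or "Scheme token68"
                current = {}
                challenges.append((start.group(1).lower(), current))
                if start.group(2):
                    add_param(current, start.group(2).strip())
    return challenges

def select_challenge(header_values, preference=PREFERENCE):
    """Pick the most preferred scheme offered, not simply the first one listed."""
    offered = parse_challenges(header_values)
    for scheme in preference:
        for name, params in offered:
            if name == scheme:
                return name, params
    return None
```

With SAMPLE, select_challenge returns the Digest challenge even though Basic is listed first; a client that takes the first challenge it sees would send the password in a reversible encoding instead.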