Authentication

Digest Authentication

  • Digest Auth improves on Basic Auth by never sending the password itself over the wire.
  • It is a challenge-response scheme: the server issues a nonce (number used once) and the client proves it knows the password by returning a hash computed over the nonce, the credentials and the request.
  • The password is never transmitted directly; only a hash that combines it with the server's nonce is sent, so a passive observer sees no reusable plaintext credential.

How It Works

  1. Initial request → Client sends a request without credentials.

  2. Server challenge → Server responds with 401 Unauthorized and a WWW-Authenticate header containing:

  • A realm (scope of protection; it is also an input to the hashed credential).
  • A nonce (unique, unpredictable, server-generated string).
  • Optionally qop (quality of protection, "auth" here), an opaque value the client must echo back unchanged, and algorithm (MD5 is assumed when it is omitted, as in this example).
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="example.com",
    qop="auth",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"
  3. Client response → Client uses the nonce, username, password, and request details (method and URI) to compute the response hash and resends the request with an Authorization: Digest header. Because the challenge offered qop="auth", a compliant client also sends qop=auth, a request counter nc (8 hex digits) and its own cnonce; the example below shows only the mandatory fields and omits those three.
GET /user/profile HTTP/1.1
Host: api.example.com
Authorization: Digest username="masum",
    realm="example.com",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    uri="/user/profile",
    response="6629fae49393a05397450978507c4ef1",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"
  4. Server verification → The server looks up the user's stored credential, recomputes the same hash over the same inputs and compares it with the response field.
  • If it matches → grant access.
  • If not → reject with a fresh 401 challenge.
  • In both cases the server should also check that the nonce is one it issued recently and, when qop is in use, that the nc counter is higher than the last one accepted for that nonce; otherwise a captured Authorization header can simply be replayed.

Digest Auth Example Explained

The response value is an MD5 hash built from two intermediate hashes (RFC 2617):

HA1 = MD5( username:realm:password )
HA2 = MD5( method:uri )
response = MD5( HA1:nonce:HA2 )                    (no qop, the older RFC 2069 form)
response = MD5( HA1:nonce:nc:cnonce:qop:HA2 )      (qop="auth", as offered in the challenge above)

Each colon-separated string is hashed as a whole; the intermediate hashes are concatenated with colons and hashed again, not added together.

This way, the password itself is never transmitted. Caveats a practitioner should keep in mind:

  • HA1 is password-equivalent for that realm: the server has to store either the password or HA1, and a leaked HA1 lets an attacker authenticate without ever learning the password.
  • MD5 is fast and every input except the password is visible on the wire, so a captured exchange allows an offline dictionary attack against weak passwords.
  • Digest authenticates the client only; it gives no confidentiality or integrity to the request or response, so it should still be used over TLS. RFC 7616 updates the scheme to allow SHA-256 in place of MD5.
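The four-step exchange and the HA1/HA2 computation above, carried through in code as an added example (not code from the original page): a minimal client that answers a challenge and a server that issues nonces, stores HA1 rather than passwords, recomputes the response and rejects replayed nc values. The realm, username and password in the demo are assumed values; the `rfc2617_vector()` function reproduces the published RFC 2617 example ("Mufasa" / "Circle Of Life") so the hash construction can be checked against a known answer.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """RFC 2617 response: MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop=auth,
    or the older RFC 2069 form MD5(HA1:nonce:HA2) when no qop is used."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; quoted values may contain commas."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    out = {}
    for key, quoted, bare in re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params):
        out[key] = quoted if quoted else bare
    return out


def client_authorization(username: str, password: str, method: str, uri: str,
                         challenge: str, nc: str, cnonce: str) -> str:
    """Build the Authorization header value a client sends in reply to a qop=auth challenge."""
    c = parse_digest(challenge)
    ha1 = md5_hex(f"{username}:{c['realm']}:{password}")
    resp = digest_response(ha1, method, uri, c["nonce"], "auth", nc, cnonce)
    fields = [f'username="{username}"', f'realm="{c["realm"]}"', f'nonce="{c["nonce"]}"',
              f'uri="{uri}"', "qop=auth", f"nc={nc}", f'cnonce="{cnonce}"', f'response="{resp}"']
    if "opaque" in c:                      # echo opaque back unchanged if the server sent one
        fields.append(f'opaque="{c["opaque"]}"')
    return "Digest " + ", ".join(fields)


class DigestServer:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Store HA1, not the password. HA1 is still password-equivalent for this realm.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.nonces = {}                   # nonce -> highest nc accepted (replay protection)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)      # unpredictable, server-generated
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, request_uri: str, authorization: str) -> bool:
        a = parse_digest(authorization)
        nonce = a.get("nonce")
        # Only nonces we issued, for our realm, with the qop we offered, for the URI actually requested.
        if (nonce not in self.nonces or a.get("realm") != self.realm
                or a.get("qop") != "auth" or a.get("uri") != request_uri):
            return False
        try:
            nc = int(a["nc"], 16)
        except (KeyError, ValueError):
            return False
        if nc <= self.nonces[nonce]:       # replayed or out-of-order nonce count
            return False
        ha1 = self.ha1.get(a.get("username", ""))
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, request_uri, nonce, "auth", a["nc"], a.get("cnonce", ""))
        if not hmac.compare_digest(expected, a.get("response", "")):
            return False
        self.nonces[nonce] = nc            # advance the replay window only on success
        return True


def rfc2617_vector() -> str:
    """Known-answer check: the example from RFC 2617 section 3.5."""
    ha1 = md5_hex("Mufasa:testrealm@host.com:Circle Of Life")
    return digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "auth", "00000001", "0a4f113b")


def demo() -> tuple:
    """Assumed realm/user/password. Returns (first attempt ok, replay ok, wrong password ok)."""
    server = DigestServer("example.com", {"masum": "correct horse battery staple"})
    chal = server.challenge()
    auth = client_authorization("masum", "correct horse battery staple", "GET", "/user/profile",
                                chal, "00000001", secrets.token_hex(8))
    first = server.verify("GET", "/user/profile", auth)
    replay = server.verify("GET", "/user/profile", auth)        # same nc again: must be refused
    bad = server.verify("GET", "/user/profile", client_authorization(
        "masum", "wrong password", "GET", "/user/profile", chal, "00000002", "abcd"))
    return first, replay, bad


if __name__ == "__main__":
    print(rfc2617_vector())
    print(demo())
```

The replay check is deliberately the simplest form (strictly increasing nc per nonce); production servers also expire nonces after a short time and bound the number they remember. Note that `verify()` hashes the URI the server actually received rather than trusting the uri= field blindly, so a response computed for one path cannot be presented for another.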