Customize the Authorization HTTP header

Thomas Watson · Dec 11, 2011 · Viewed 108.6k times

I need to authenticate a client when he sends a request to an API. The client has an API-token and I was thinking about using the standard Authorization header to send the token to the server.

Normally this header is used for Basic and Digest authentication. But I don't know if I'm allowed to customize the value of this header and use a custom auth-scheme, e.g:

Authorization: Token 1af538baa9045a84c0e889f672baf83ff24

Would you recommend this or not? Or is there a better approach to sending the token?

Answer

DaveRandom · Dec 11, 2011

You can create your own custom auth schemes that use the Authorization: header - for example, this is how OAuth works.

As a general rule, if servers or proxies don't understand the values of standard headers, they will leave them alone and ignore them. It is creating your own header keys that can often produce unexpected results - many proxies will strip headers with names they don't recognise.

Having said that, it is possibly a better idea to use cookies to transmit the token, rather than the Authorization: header, for the simple reason that cookies were explicitly designed to carry custom values, whereas the specification for HTTP's built in auth methods does not really say either way - if you want to see exactly what it does say, have a look here.

The other point about this is that many HTTP client libraries have built-in support for Digest and Basic auth but may make life more difficult when trying to set a raw value in the header field, whereas they will all provide easy support for cookies and will allow more or less any value within them.
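The server side of the scheme discussed above, as an added example that is not code from the question or the answer: it parses `Authorization: Token <token>` against the RFC 7235 credentials grammar (`auth-scheme 1*SP token68`), resolves the token against a constructed store that keeps only SHA-256 digests, falls back to a cookie (assumed name `api_token`) as the answer suggests, and builds the `WWW-Authenticate` challenge a 401 must carry. The token value is the one from the question; the store contents, cookie name and client id are assumptions for the demo. Note that the registered scheme for exactly this pattern is `Bearer` (RFC 6750); the code accepts the question's `Token` scheme but nothing else changes if you rename it.

```python
import hashlib
import hmac
import re
from http.cookies import CookieError, SimpleCookie

# Constructed demo credential store (hypothetical, not part of the post).
# Only a SHA-256 digest of each issued token is kept, so a leaked copy of
# the store cannot be replayed against the API.
def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()

TOKEN_STORE = {
    _digest("1af538baa9045a84c0e889f672baf83ff24"): "client-42",
}

COOKIE_NAME = "api_token"   # assumed cookie name for the cookie alternative

# RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
# auth-scheme is an HTTP token (case-insensitive); token68 is the
# base64-like charset with optional trailing '=' padding.
_CREDENTIALS_RE = re.compile(
    r"^(?P<scheme>[!#$%&'*+\-.^_`|~0-9A-Za-z]+)"
    r"[ \t]+"
    r"(?P<token68>[A-Za-z0-9\-._~+/]+=*)$"
)


def parse_authorization(value):
    """Split an Authorization header into (scheme, token68).

    Returns None for anything that does not match the RFC 7235 grammar,
    so the server never looks up a malformed credential. The scheme is
    lower-cased because scheme names are case-insensitive.
    """
    if value is None:
        return None
    m = _CREDENTIALS_RE.match(value.strip())
    if m is None:
        return None
    return m.group("scheme").lower(), m.group("token68")


def client_for_token(presented):
    """Resolve a presented token to a client id, or None.

    The presented value is hashed first so every comparison is between
    fixed-length digests, and compare_digest keeps each comparison
    constant-time. No early return, so the number of entries examined does
    not depend on which entry (if any) matched.
    """
    candidate = _digest(presented)
    matched = None
    for stored, client in TOKEN_STORE.items():
        if hmac.compare_digest(stored, candidate):
            matched = client
    return matched


def authenticate(headers):
    """Identify the client from a request's headers, or return None.

    Accepts 'Authorization: Token <token68>' (the scheme from the question)
    and, when no Authorization header is present, a cookie carrying the
    same token (the answer's alternative). An Authorization header with an
    unsupported scheme is rejected outright rather than falling back to the
    cookie, so a client cannot mix the two mechanisms in one request.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive

    parsed = parse_authorization(h.get("authorization"))
    if parsed is not None:
        scheme, token = parsed
        if scheme != "token":
            return None   # Basic, Digest, Bearer, ... are not accepted here
        return client_for_token(token)

    cookie_header = h.get("cookie")
    if cookie_header:
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            return None
        if COOKIE_NAME in jar:
            return client_for_token(jar[COOKIE_NAME].value)
    return None


def challenge():
    """Headers for the 401 sent when no usable credential was presented.

    RFC 7235 requires a WWW-Authenticate header on a 401 response;
    advertising the custom scheme tells clients what to send.
    """
    return {"WWW-Authenticate": 'Token realm="api"'}


if __name__ == "__main__":
    # Constructed request: the header exactly as written in the question.
    request_headers = {"Authorization": "Token 1af538baa9045a84c0e889f672baf83ff24"}
    print(authenticate(request_headers))   # client-42
    print(authenticate({"Authorization": "Basic dXNlcjpwYXNz"}))   # None
    print(challenge())
```

One thing to carry over into a real deployment: the token only stays secret if the connection is TLS, whichever carrier you pick, and if you use the cookie route, set it `Secure` and `HttpOnly` and remember that browsers attach cookies automatically, so the API then needs CSRF protection that the `Authorization` header route does not.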