WWW-Authenticate Inspect

Inspect auth headers and token data in your browser. No input is sent to a server. Use it for first-pass checks on expiry, claims, and schemes.

How to use

Paste a WWW-Authenticate header or a full set of response headers and click “Parse”. The tool summarizes the schemes and parameters it finds.

Notes (this tool)

  • Accepts WWW-Authenticate: header lines (multi-line paste is OK).
  • If multiple challenges are present, they are listed by scheme.

About this page

What does this tool do?

Splits a WWW-Authenticate header into its schemes (Basic/Bearer/Digest, etc.) and their parameters (realm/error, etc.).

Useful for diagnosing 401 errors and confirming auth requirements (realm/charset/errors).
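
An added example (not this tool's own source) of how such a split can be done: commas separate both challenges and parameters, so the parser must tell `name=value` elements from a new scheme and ignore commas inside quoted strings. The function names and the sample header are constructed for illustration.

```javascript
// Added example: WWW-Authenticate challenge splitter (not the tool's own source).
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";            // RFC 9110 token
const PARAM = new RegExp(`^(${TOKEN})\\s*=\\s*(.*)$`);    // name=value
const START = new RegExp(`^(${TOKEN})(?:\\s+(.*))?$`);    // scheme [first-param | token68]
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;               // e.g. Negotiate blobs
// Split on commas outside quoted strings, honouring backslash escapes.
function splitTopLevel(value) {
  const parts = [];
  let cur = "", inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuote && ch === "\\" && i + 1 < value.length) { cur += ch + value[++i]; continue; }
    if (ch === '"') inQuote = !inQuote;
    if (ch === "," && !inQuote) { parts.push(cur.trim()); cur = ""; } else cur += ch;
  }
  parts.push(cur.trim());
  return parts.filter(Boolean);
}
function unquote(v) {
  v = v.trim();
  return /^".*"$/.test(v) ? v.slice(1, -1).replace(/\\(.)/g, "$1") : v;
}

// Returns [{ scheme, params, token68 }] for every WWW-Authenticate line in the pasted text.
function parseChallenges(text) {
  const challenges = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*www-authenticate\s*:(.*)$/i.exec(line);
    if (!m) continue;                                     // skip other response headers
    let current = null;
    for (const part of splitTopLevel(m[1])) {
      const p = PARAM.exec(part);
      if (p && current) { current.params[p[1].toLowerCase()] = unquote(p[2]); continue; }
      const s = START.exec(part);
      if (!s) continue;                                   // malformed element: ignore
      current = { scheme: s[1], params: {}, token68: null };
      challenges.push(current);
      const rest = (s[2] || "").trim();
      const first = !TOKEN68.test(rest) && PARAM.exec(rest);
      if (first) current.params[first[1].toLowerCase()] = unquote(first[2]);
      else if (rest) current.token68 = rest;
    }
  }
  return challenges;
}

// Constructed sample: two challenges in one header, comma inside a quoted value.
const SAMPLE = 'Content-Type: text/plain\nWWW-Authenticate: Basic realm="admin", charset="UTF-8", ' +
  'Bearer realm="api", error="invalid_token", error_description="expired, renew"';
console.log(parseChallenges(SAMPLE));
```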

Basics (401 and WWW-Authenticate)

  • 401 responses typically include WWW-Authenticate.
  • WWW-Authenticate tells the client how to authenticate.
  • Multiple schemes can be offered at once.

Input examples

  • WWW-Authenticate: Basic realm="admin", charset="UTF-8"
  • WWW-Authenticate: Bearer realm="api", error="invalid_token"
  • Paste full Response Headers

Common auth schemes

  • Basic: ID/password (Base64). Use over HTTPS.
  • Bearer: access tokens (e.g., JWT)
  • Digest: challenge-response (legacy)
  • Negotiate/NTLM: integrated auth (often internal environments)

Parameters (quick)

  • realm: authentication scope
  • charset: encoding for Basic (e.g., UTF-8)
  • error / error_description: details for Bearer errors

Common pitfalls

  • 401 without WWW-Authenticate
  • Using Basic without HTTPS
  • Missing Bearer error details in error_description
  • Client only tries one scheme when multiple are offered

Debugging workflow (recommended)

  • Extract WWW-Authenticate via Response Headers Parser
  • Summarize schemes/params with this tool
  • For Bearer, inspect with JWT Decoder / JWT Verifier

What this tool does

  • Parse WWW-Authenticate schemes/params
  • List multiple challenges
  • Highlight common pitfalls

Operational notes

  • Result output alone is not enough for trust decisions. Always validate signatures and issuer.
  • Clock skew and environment differences affect reproducibility, so record test time and settings.

Referenced specs

  • RFC 9110 (HTTP Semantics)
  • RFC 7617 (Basic)
  • RFC 6750 (Bearer Token)
  • MDN: WWW-Authenticate

FAQ

Is a 401 without WWW-Authenticate wrong?

Many clients rely on WWW-Authenticate. Without it, the auth flow is unclear and user-unfriendly.

Are Bearer error fields required?

Not required, but highly useful for troubleshooting.

What if multiple schemes are present?

Client behavior varies; check the order and what the client supports.

Page-specific case studies

Use this page to parse 401 challenge details and verify what the server is requesting from clients.

  • Check whether realm values match API boundaries.
  • Verify consistency of error and error_description fields.
  • Confirm scope hints reflect real authorization requirements.

Page-specific implementation checklist

  • Define challenge format for 401 responses in your spec.
  • Provide localized error details outside challenge headers.
  • Provide representative challenge examples for client implementers.
  • Add monitoring for malformed challenge values.
