HTTP Access Authentication

Some resources on the origin server require the client to authenticate before they are served. To challenge the client, the server answers the request with a 401 Unauthorized response carrying the WWW-Authenticate header field. This field names the authentication scheme, the realm that identifies the protection space the credentials apply to (realm values are compared case-sensitively), and any further comma-separated attribute/value pairs the scheme defines. In response, the user agent repeats the request with an Authorization header holding credentials for the realm of the requested resource.

The Basic authentication scheme is supported. As specified in RFC 2617, the client identifies itself by sending the user name and password, joined by a colon and encoded in Base64, for each realm. The server serves the request only if those credentials are valid for the protection space of the resource; otherwise it returns another 401 challenge.

Whether the user name is compared case-sensitively depends on the authentication support of the HTTP server. The weakness of the Basic scheme is that the user name and password travel over the network without encryption: Base64 is an encoding, not a cipher, and anyone who can observe the traffic can recover the credentials, so Basic authentication should only be used over TLS (HTTPS).
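The exchange described above, as an added example that is not part of this page or of any particular HTTP server: one function builds the WWW-Authenticate challenge for a realm, one builds the client's Authorization header, and a server-side parser decodes the Base64 token and checks it against a constructed, in-memory credential store (plaintext here only for illustration; a real server stores salted hashes). The `case_insensitive_user` switch is an assumption made to mirror the note that some servers ignore user-name case; the realm name and credentials are constructed sample data.

```python
import base64
import binascii
import hmac
import re

# Constructed credential store for this example: realm -> {user name: password}.
# A real server would hold salted password hashes, never plaintext.
CREDENTIALS = {
    "Admin Area": {"alice": "s3cret"},
}


def build_challenge(realm: str) -> str:
    """Value of the WWW-Authenticate header sent with a 401 Unauthorized response."""
    # realm is a quoted-string; escape embedded backslashes and double quotes.
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{escaped}", charset="UTF-8"'


def build_authorization(username: str, password: str) -> str:
    """Value of the Authorization header the user agent sends back for the realm."""
    # The user-id must not contain a colon, because the first colon separates it from the password.
    if ":" in username:
        raise ValueError("user name must not contain a colon")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(header: str):
    """Return (user name, password) from an Authorization header value, or None if it is malformed."""
    # The scheme name is matched case-insensitively; the token must be strict Base64.
    m = re.fullmatch(r"\s*Basic\s+([A-Za-z0-9+/]+=*)\s*", header or "", re.IGNORECASE)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # Only the first colon is a separator; the password itself may contain colons.
    user, sep, pwd = text.partition(":")
    if not sep:
        return None
    return user, pwd


def authenticate(realm: str, header: str, case_insensitive_user: bool = False):
    """Return the authenticated user name, or None so the caller sends a fresh 401 challenge."""
    creds = parse_basic_credentials(header)
    if creds is None:
        return None
    user, pwd = creds
    store = CREDENTIALS.get(realm, {})
    if case_insensitive_user:
        # Assumed behaviour of a server that ignores user-name case: normalise both sides.
        expected = {u.lower(): p for u, p in store.items()}.get(user.lower())
    else:
        expected = store.get(user)
    # Always run the comparison, even for an unknown user, so response timing
    # does not reveal which user names exist in the realm.
    candidate = expected if expected is not None else ""
    ok = hmac.compare_digest(candidate.encode("utf-8"), pwd.encode("utf-8"))
    return user if (expected is not None and ok) else None


if __name__ == "__main__":
    print("WWW-Authenticate:", build_challenge("Admin Area"))
    auth = build_authorization("alice", "s3cret")
    print("Authorization:", auth)
    print("authenticated as:", authenticate("Admin Area", auth))
```

The parser rejects a missing or malformed token, a non-Basic scheme and a token without a colon, returning None in each case so the server simply re-issues the challenge rather than guessing; credentials valid for one realm are not accepted for another, which is exactly what the protection space is meant to enforce.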