Authorization Header Parser

How to use

1. 1Pick a mode: Authorization for a request header (Authorization or Proxy-Authorization), or WWW-Authenticate for a response challenge (WWW-Authenticate or Proxy-Authenticate).
2. 2Paste the full header line into the input box. The leading header name like "Authorization:" is optional; if you include it the tool strips it for you.
3. 3Read the parsed scheme card. The scheme name, RFC reference, and a short description appear at the top, followed by every credential field broken out into its own row with a copy button.
4. 4Press Show on any masked secret field (Basic password, Digest response, AWS Signature) to reveal it inline before copying. The value never leaves your browser.
5. 5Watch the notes panel for validation warnings: missing required Digest parameters, an expired JWT exp, a Bearer token outside the RFC 6750 grammar, an AWS Credential scope that does not end with aws4_request, or a Basic credential that decodes to bytes that are not valid UTF-8.
6. 6Switch to Batch mode to paste many header lines at once; each line is parsed independently and the mode is auto-detected per line when the line starts with a known header name.
7. 7Load one of the sample headers (Basic, Bearer JWT, Digest, AWS Signature V4, Token, or a multi-challenge WWW-Authenticate) to learn what each scheme should look like.

About this tool

Authorization Header Parser decodes any HTTP Authorization, Proxy-Authorization, WWW-Authenticate, or Proxy-Authenticate header value into typed fields with per-field validation. Paste a full header line, with or without the leading header name, and the parser splits the scheme from the credential, classifies the scheme against the standards, and walks the credential according to that scheme's real grammar. Basic (RFC 7617) credentials are base64 decoded, split on the first colon, and shown as separate username and password fields; the password is masked behind a Show toggle and the byte count is surfaced so you can confirm the wire size matches what your client sent. Bearer (RFC 6750) tokens are inspected for the RFC 7235 token68 grammar and length, then auto-detected as JWTs when the value carries three base64url segments; JWT header and payload JSON are decoded and the alg, typ, kid, iss, sub, iat, and exp claims are split into individual rows with a human relative time for the expiry. Digest (RFC 7616) and Hawk parameter lists are tokenized with full quoted-string and backslash-escape support, so every standard parameter (username, realm, nonce, uri, qop, nc, cnonce, response, opaque, algorithm, ts, mac, ext, app, dlg) is broken out. AWS Signature Version 4 (AWS4-HMAC-SHA256) headers are split into Credential, SignedHeaders, and Signature, and the credential scope is further split into access-key-id, date, region, service, and the aws4_request terminator. Custom vendor schemes (Token, ApiKey, SSWS, GoogleLogin, Negotiate, NTLM) are validated against the token68 grammar and surfaced as an opaque credential. In WWW-Authenticate mode the parser respects RFC 7235's multi-challenge grammar: commas inside quoted parameter values do not split challenges, so a single Basic plus Bearer response challenge is shown as two cards. A batch mode accepts many header lines at once and produces a summary row per line, useful when reviewing access logs or fixtures. Every byte stays in your browser; base64 decoding runs through atob and TextDecoder, and no header value, decoded credential, or token is uploaded.

Free to use. Works in your browser. No signup, no login.