WWW-Authenticate Header Generator

How to use

1. 1Pick the scheme tab that matches your 401: Basic for a browser login prompt, Bearer for OAuth 2.0 APIs, Digest for hashed challenge-response, or Custom for a vendor scheme.
2. 2Fill in the parameters. Set a realm to label the protection space, then add the scheme-specific fields: charset for Basic, error and scope for Bearer, or nonce, qop, and algorithm for Digest.
3. 3Load a preset (Basic login, Bearer token expired, Bearer missing scope, or Digest SHA-256) to seed a common challenge, or use Custom to type your own scheme name and name=value parameters.
4. 4Read the generated header line and the plain-English summary, then copy either the value alone or the full header line. Watch the byte counter if your gateway has header size limits.
5. 5Toggle Proxy challenge (407) to emit Proxy-Authenticate instead of WWW-Authenticate when the challenge comes from a proxy rather than the origin server.
6. 6Resolve any errors in the Validation panel (missing realm, unknown Bearer error code, missing Digest nonce), then copy a server snippet to return the challenge from a 401 in your stack.

About this tool

WWW-Authenticate Header Generator builds the value of the HTTP WWW-Authenticate response header defined by RFC 9110 Section 11.6.1. A server returns this header on a 401 Unauthorized response (or Proxy-Authenticate on a 407 Proxy Authentication Required response) to challenge the client: it names the authentication scheme the client must use and carries the parameters that scheme needs. The tool covers the four schemes behind almost every challenge in the wild, each with its own real parameters. Basic (RFC 7617) emits a realm, which the browser shows as the label on its username and password prompt, plus an optional charset="UTF-8" that hints non-ASCII credentials should be UTF-8 encoded. Bearer (RFC 6750) adds the OAuth 2.0 error parameters, so you can tell an API client exactly why its token was rejected: error=invalid_token means refresh the token, error=insufficient_scope plus a scope list means request a wider token, and error=invalid_request means the Authorization header was malformed. Digest (RFC 7616) builds a challenge-response flow where the password is never sent in clear text, with a server-generated nonce, a quality-of-protection value (qop="auth"), an algorithm (SHA-256 is preferred over the weak legacy MD5), an optional opaque value, and stale=true for a nonce-expiry retry that does not re-prompt the user. Custom lets you type any vendor or internal scheme name with free-form parameters, one name=value per line, for SCRAM, Hawk, Negotiate, or a private scheme; a line with no equals sign is treated as a bare token68 value. Every value is quoted and escaped to the HTTP quoted-string grammar, so a realm or description that contains spaces, quotes, or backslashes never breaks the header. The output panel shows the full header line with a copy button, a byte counter for the wire size, and a plain-English explanation of what the browser or client will do when it receives the challenge. Validation flags real mistakes: a missing realm on Digest, a Bearer error code that is not one of the three standard values, a missing Digest nonce, a scheme name with illegal characters, and the use of MD5 or the legacy no-qop flow. A set of copy-ready response snippets returns the header from a 401 with the correct status line in Nginx, Apache, Express, Next.js, FastAPI, Flask, Go net/http, and a raw HTTP response. Everything is computed locally with native string handling and TextEncoder, so the values you type are never uploaded. To decode a challenge you received instead of building one, use the Authorization Header Parser, which reads WWW-Authenticate into typed fields.

Free to use. Works in your browser. No signup, no login.