Editing HTTP (section)

== HTTP authentication ==
HTTP provides multiple authentication schemes such as [[basic access authentication]] and [[digest access authentication]] which operate via a challenge–response mechanism whereby the server identifies and issues a challenge before serving the requested content.

HTTP provides a general framework for access control and authentication, via an extensible set of challenge–response authentication schemes, which can be used by a server to challenge a client request and by a client to provide authentication information.<ref name="rfc9110">{{cite IETF |rfc=9110 |title=HTTP Semantics |first1=R. |last1=Fielding |first2=M. |last2=Nottingham |first3=J. |last3=Reschke |publisher=IETF |date=June 2022 |ref=ietf}}</ref>

The authentication mechanisms described above belong to the HTTP protocol and are managed by client and server HTTP software (if configured to require authentication before allowing client access to one or more web resources), and not by the web applications using [[#HTTP application session|a web application session]].

=== Authentication realms ===
The HTTP Authentication specification also provides an arbitrary, implementation-specific construct for further dividing resources common to a given root [[Uniform Resource Identifier|URI]]. The realm value string, if present, is combined with the canonical root URI to form the protection space component of the challenge. This in effect allows the server to define separate authentication scopes under one root URI.<ref name="rfc9110" />