Authorization Header Parser

Decode a Basic/Bearer/Digest Authorization header.

Overview

The Authorization header parser decodes the Authorization: value from an HTTP request — Basic, Bearer, Digest, AWS Signature v4, or any other registered scheme — into a structured view. Paste a header, see the scheme, the credentials, and any sub-parameters broken out individually, with Base64 decoded into username and password where applicable.

Developers debugging an API call, security engineers reviewing captured traffic, and support staff triaging "why is my request returning 401" all need to read these headers without writing a script.

How it works

The Authorization header is defined by RFC 7235. Its value starts with a scheme name (Basic, Bearer, Digest, AWS4-HMAC-SHA256, …) followed by a space and a scheme-specific payload. Basic carries a Base64-encoded username:password pair. Bearer carries an opaque token — typically a JWT or an OAuth 2 access token. Digest, AWS Sig v4, and Mutual all use key=value parameter lists with quoted strings.

Parsing is mostly straightforward, but corner cases bite: Base64 padding may be missing, parameters may be unquoted, and some schemes allow Authorization to appear multiple times. The parser normalises whitespace, decodes Base64 safely, and surfaces every parameter even when the original header is malformed.

Examples

  • Basic dXNlcjpwYXNz → scheme Basic, username user, password pass.
  • Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc → a JWT split into header/payload/signature.
  • Digest username="alice", realm="test", nonce="dcd98b...", uri="/dir/index.html", response="6629fae..." → keyed parameters.
  • AWS4-HMAC-SHA256 Credential=AKIA.../20240101/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=... → an AWS request signature.
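For offline review of captured traffic, the parsing steps and corner cases described under "How it works" can be reproduced in a short script. This is an added example, not the tool's own code: the function names and the result layout are assumptions, and it only decodes, it does not verify signatures.

```python
import base64
import json
import re

# key=value pairs: the value is a quoted string (backslash escapes allowed) or a bare token.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]*))')


def _b64decode(text, urlsafe=False):
    """Decode Base64 or Base64URL, restoring any missing '=' padding first."""
    text += "=" * (-len(text) % 4)
    if urlsafe:
        return base64.urlsafe_b64decode(text)
    return base64.b64decode(text, validate=True)


def parse_authorization(value):
    """Break one Authorization header value into scheme, credentials and parameters."""
    scheme, _, payload = value.strip().partition(" ")
    payload = payload.strip()
    result = {"scheme": scheme, "errors": []}
    kind = scheme.lower()  # scheme names are case-insensitive
    if kind == "basic":
        try:
            user, sep, password = _b64decode(payload).decode("utf-8").partition(":")
        except ValueError as exc:  # bad Base64 or bytes that are not UTF-8
            result["errors"].append(f"invalid Basic payload: {exc}")
        else:
            if not sep:
                result["errors"].append("decoded credentials contain no ':'")
            result.update(username=user, password=password)
    elif kind == "bearer":
        result["token"] = payload
        segments = payload.split(".")
        if len(segments) == 3:  # JWT shape; the signature is not verified here
            try:
                result["jwt_header"] = json.loads(_b64decode(segments[0], urlsafe=True))
                result["jwt_payload"] = json.loads(_b64decode(segments[1], urlsafe=True))
            except ValueError as exc:  # bad Base64URL or not JSON
                result["errors"].append(f"token is not a decodable JWT: {exc}")
    else:  # Digest, AWS4-HMAC-SHA256 and other parameter-list schemes
        params = {}
        for key, quoted, bare in _PARAM.findall(payload):
            params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        result["params"] = params
    return result
```

The returned dictionary holds live credentials, so keep it out of logs and tickets when working with real captures.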

FAQ

Is Basic authentication safe?

Only over TLS. Base64 is encoding, not encryption — anyone on the wire can decode user:password in milliseconds. Never send Basic credentials over plain HTTP.

Can I decode the JWT inside a Bearer header?

The parser splits the token into its three Base64URL segments and decodes the header and payload JSON. Verifying the signature requires the issuer's public key and is out of scope here.

What does qop=auth-int mean in Digest?

It signals that integrity protection covers both the headers and the request body, not just the headers. It is rarely used in practice — most servers only implement qop=auth.

Are credentials stored or logged?

No. Parsing happens locally in your browser; nothing is sent to a server.
