How to set the authorization header using cURL

Question

How do I pass authorization header using cURL? ( executable in /usr/bin/curl).

score 509 · Accepted Answer · edited Nov 04 '21 at 08:52

See part 6. HTTP Authentication

HTTP Authentication

HTTP Authentication is the ability to tell the server your username and password so that it can verify that you're allowed to do the request you're doing. The Basic authentication used in HTTP (which is the type curl uses by default) is plain text based, which means it sends username and password only slightly obfuscated, but still fully readable by anyone that sniffs on the network between you and the remote server.

To tell curl to use a user and password for authentication:

curl --user name:password http://www.example.com

The site might require a different authentication method (check the headers returned by the server), and then --ntlm, --digest, --negotiate or even --anyauth might be options that suit you.

Sometimes your HTTP access is only available through the use of a HTTP proxy. This seems to be especially common at various companies. A HTTP proxy may require its own user and password to allow the client to get through to the Internet. To specify those with curl, run something like:

curl --proxy-user proxyuser:proxypassword curl.haxx.se

If your proxy requires the authentication to be done using the NTLM method, use --proxy-ntlm, if it requires Digest use --proxy-digest.

If you use any one these user+password options but leave out the password part, curl will prompt for the password interactively.

Do note that when a program is run, its parameters might be possible to see when listing the running processes of the system. Thus, other users may be able to watch your passwords if you pass them as plain command line options. There are ways to circumvent this.

It is worth noting that while this is how HTTP Authentication works, very many web sites will not use this concept when they provide logins etc. See the Web Login chapter further below for more details on that.

@Vixed This question is explicitly not about PHP. [What's wrong with Google's results](s)? — Oli, Apr 08 '16 at 14:16
The question is about Authorization not authentication, so maybe the OP should change the title of the question — jam, Apr 28 '20 at 19:00

Tony · Answer 2 · 2011-12-31T18:52:30.750

472

Just adding so you don't have to click-through:

curl --user name:password http://www.example.com

or if you're trying to do send authentication for OAuth 2:

curl -H "Authorization: OAuth <ACCESS_TOKEN>" http://www.example.com

edited Dec 31 '11 at 18:52

answered Dec 31 '11 at 18:42

Tony

4,804
1
14
4

23

Many API now use header authorization tokens. The `-H` option is great. – eliocs Nov 23 '12 at 17:45
29

If you use -u or --user, Curl will Encode the credentials into Base64 and produce a header like this: `-H Authorization: Basic ` – Timothy Kanski Dec 22 '16 at 19:20
I'm trying to add an authorization header with `HMAC-SHA256` always getting an error of missing authorization header – Steven Aguilar Jun 29 '18 at 18:40
7

Additionally, if you need the `` as mentioned by @timothy-kansaki, you can get the encoded credential using the command: `cred="$( echo $NAME:$PASSWORD | base64 )"; curl -H "Authorization: Basic $cred" https://example.com`. For reference, see https://stackoverflow.com/questions/16918602/how-to-base64-encode-image-in-linux-bash-shell – David Golembiowski Dec 16 '19 at 21:03
5

@DavidGolembiowski by default echo will throw in a newline, at least on macs. As mentioned in your link, you'll want `echo -n` to prevent the newline from being included – brariden Jul 21 '20 at 17:05
1

... or better use `creds="$(printf $NAME:$PASSWORD | base64)"` – MrE Apr 12 '22 at 23:21

score 253 · Answer 3 · answered Jul 30 '14 at 12:14

253

Bearer tokens look like this:

curl -H "Authorization: Bearer <ACCESS_TOKEN>" http://www.example.com

answered Jul 30 '14 at 12:14

Steve Tauber

9,551
5
42
46

8

And if you're looking to do 'Basic' authorisation, just swap 'Bearer' for 'Basic' – Darren Shewry Nov 20 '14 at 13:56
I've got the strangest thing, I'm getting a "Wrong format of Authorization header" and "HTTP-200". So the server accepts my authorization, but the format is wrong? – Groostav Mar 26 '20 at 20:36

score 114 · Answer 4 · edited May 23 '21 at 21:09

114

This worked for me:

curl -H "Authorization: Bearer xxxxxxxxxxxxxx" https://www.example.com/

edited May 23 '21 at 21:09

Danon

2,771
27
37

answered Oct 07 '15 at 02:43

timj98

1,249
1
9
10

what are you using for JWT ? – Ciasto piekarz Dec 24 '18 at 14:08
1

Don't you mean `Authorization: bearer xxxxxxxxx`? – jlh Feb 13 '20 at 19:51
2

@jlh you mean `Bearer` – Daniel W. Mar 03 '20 at 15:37
7

I was almost sure that it's case-insensitive, but it seems I'm wrong. Yes I meant `Bearer`. – jlh Mar 04 '20 at 09:14

Nagendra Rao · Answer 5 · 2014-06-04T19:21:42.350

(for those who are looking for php-curl answer)

$service_url = 'https://example.com/something/something.json';
$curl = curl_init($service_url);
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($curl, CURLOPT_USERPWD, "username:password"); //Your credentials goes here
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $curl_post_data);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); //IMP if the url has https and you don't want to verify source certificate

$curl_response = curl_exec($curl);
$response = json_decode($curl_response);
curl_close($curl);

var_dump($response);

Devaroop · Answer 6 · 2016-05-28T10:52:22.977

30

For HTTP Basic Auth:

curl -H "Authorization: Basic <_your_token_>" http://www.example.com

replace _your_token_ and the URL.

edited May 28 '16 at 10:52

answered May 02 '16 at 10:13

Devaroop

7,900
2
37
34

When using oauth where would the Authorization token come from? I am trying to use curl to download files from a site where I use a user and password but it seems to be failing due to oauth2 in use. – ctrl-alt-delete Aug 31 '16 at 08:22
@toasteez you have to go through the Oauth2 flow to receive a token. Typically its a two step process and should be detailed in the server's documentation. – Devaroop Sep 08 '16 at 05:58
18

good answer. a small helper `echo -ne ":" | base64 --wrap 0` will generate the basic auth token. – Mike D Dec 13 '16 at 20:53
3

@MikeD `-H "Authorization: Basic <_your_token_>"` does the same effect as `--user login:password`. You can check it with `curl -v` – vladkras Jun 02 '17 at 03:23
2

@vladkras my response is a _helper_ for this answer. in my experience, it is better to understand how to create the token instead of relying on curl to generate it. – Mike D Jun 03 '17 at 00:15

score 19 · Answer 7 · edited May 31 '16 at 23:49

19

Be careful that when you using: curl -H "Authorization: token_str" http://www.example.com

token_str and Authorization must be separated by white space, otherwise server-side will not get the HTTP_AUTHORIZATION environment.

edited May 31 '16 at 23:49

ljk

488
1
5
11

answered Apr 12 '12 at 12:35

jianpx

3,190
1
30
26

6

Not true, if a white space is required, your HTTP server is broken. Also you need two strings a type and then the token. – Alexis Wilke Jul 21 '17 at 04:07

score 10 · Answer 8 · answered Mar 22 '18 at 06:56

If you don't have the token at the time of the call is made, You will have to make two calls, one to get the token and the other to extract the token form the response, pay attention to

grep token | cut -d, -f1 | cut -d\" -f4

as it is the part which is dealing with extracting the token from the response.

echo "Getting token response and extracting token"    
def token = sh (returnStdout: true, script: """
    curl -S -i -k -X POST https://www.example.com/getToken -H \"Content-Type: application/json\" -H \"Accept: application/json\" -d @requestFile.json | grep token | cut -d, -f1 | cut -d\\" -f4
""").split()

After extracting the token you can use the token to make subsequent calls as follows.

echo "Token : ${token[-1]}"       
echo "Making calls using token..."       
curl -S -i -k  -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer ${token[-1]}" https://www.example.com/api/resources

score 10 · Answer 9 · answered Mar 05 '21 at 15:20

10

As of curl 7.61.0 you can use the --oauth2-bearer <token> option to set the correct Bearer authorization headers.

answered Mar 05 '21 at 15:20

Tachi

489
8
16

score 10 · Answer 10 · answered May 24 '21 at 21:29

This example includes the following:

POST request
Header Content-Type
Header Authorization
Data flag with JSON data
Base64 encoded token
Ref-1: curl authorization header
Ref-2: curl POST request

curl -X POST -H "Content-Type: application/json" -d '{"name”:”Johnny B. Goode”, "email”:”johnny.b.goode@mail.com"}' -H "Authorization: Bearer $(echo -n  Guitar Maestro | base64)" https://url-address.com

score 3 · Answer 11 · answered Oct 13 '22 at 06:25

3

The below worked for me

curl -H "Authorization: Token xxxxxxxxxxxxxx" https://www.example.com/

answered Oct 13 '22 at 06:25

vishal kulkarni

173
1
8

score 2 · Answer 12 · answered Mar 03 '22 at 16:29

2

For those doing Token-Based authentication ... make sure you do :

curl -H "AuthToken: "

instead !!

answered Mar 03 '22 at 16:29

Mário de Sá Vera

380
1
4
12

score 2 · Answer 13 · answered Nov 06 '22 at 20:08

2

FWIW, on Mac OS I've found that I need to surround the target url with quotes when it contains query parameters, e.g.,

curl -H "Authorization: Token xxxxxxxxxxxxxx" "https://www.example.com/?param=myparam"

answered Nov 06 '22 at 20:08

Bruce Altner

51
1
6

what tool i can use to get base64 string, can I just use any online tool ? like `https://www.base64encode.org/`? – user1982778 Jul 21 '23 at 13:44

score 1 · Answer 14 · answered Jun 10 '21 at 22:18

1

A simple example is using parameters with authorization converted to base64

curl -XPOST 'http://exemplo.com/webhooks?Authorization=Basic%20dGVzdDoxMjM0NTYK'

answered Jun 10 '21 at 22:18

Jonathan Bezerra de Oliveira

31
2

How to set the authorization header using cURL

14 Answers14

Linked