With Digest auth, the client sends a first request to the API, and the server responds with a few details, including a number that can be used only once (a nonce), a realm value, and a 401 Unauthorized response. You then send back an encrypted array of data including a username and password combined with the data received from the server in the first request. The server uses the passed data to generate an encrypted string and compares it against what you sent to authenticate your request.
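The exchange described above, worked through as an added example (not Postman's code): it parses the server's challenge, computes the response value as RFC 2617 and RFC 7616 define it for qop=auth (the string being compared is an MD5 or SHA-256 hash), and repeats the comparison the server makes. The function names are assumptions, and the challenge and credentials are the sample values from the RFC 2617 worked example.

```python
import hashlib
import hmac
import re

# Constructed sample: challenge and credentials taken from the RFC 2617 worked example.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def parse_challenge(header):
    """Split a WWW-Authenticate: Digest value into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def digest_response(ch, username, password, method, uri, nc, cnonce):
    """Response value for qop=auth: H(HA1:nonce:nc:cnonce:auth:HA2)."""
    algorithm = ch.get("algorithm", "MD5").upper()
    if algorithm not in HASHES or "auth" not in ch.get("qop", "").split(","):
        raise ValueError("this sketch handles only MD5/SHA-256 with qop=auth")
    H = lambda text: HASHES[algorithm](text.encode()).hexdigest()
    ha1 = H(f"{username}:{ch['realm']}:{password}")  # binds the secret to the realm
    ha2 = H(f"{method}:{uri}")                        # binds the method and URI
    return H(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")


def authorization_header(ch, username, password, method, uri, nc, cnonce):
    """Header for the second request: the password itself never appears in it."""
    response = digest_response(ch, username, password, method, uri, nc, cnonce)
    return (f'Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{response}", opaque="{ch["opaque"]}"')


def server_verify(ch, received, username, stored_password, method, uri, nc, cnonce):
    """Server side: recompute from its own copy of the secret, compare in constant time."""
    expected = digest_response(ch, username, stored_password, method, uri, nc, cnonce)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)
    print(authorization_header(ch, "Mufasa", "Circle Of Life", "GET",
                               "/dir/index.html", "00000001", "0a4f113b"))
```

Because the response is a hash over the nonce, nonce count and client nonce, a captured header cannot be replayed against a fresh challenge, but the scheme gives no confidentiality for the request or response body.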
In the Authorization tab for a request, select Digest Auth from the Type dropdown list. Postman will present fields for both stages of the authentication request. It will autocomplete the fields for the second request in the Advanced section using data returned from the server by the first request. To enable Postman to automate the flow, enter Username and Password values (or variables) and these will be sent with the second request.
If you don't want Postman to automatically extract the data, select Yes, disable retrying the request in the left column. If you do this, you will need to complete the advanced fields and run each request manually.
Setting the fields in the Advanced section is optional. Postman will populate them automatically when your first request runs.
WWW-Authenticate response header.
WWW-Authenticate response header.
MD5 and SHA algorithms.
WWW-Authenticate response header.
WWW-Authenticate response header, which will be used unchanged with URIs in the same protection space.

Last modified: 2023/05/26