Digest Auth
RFC 7616 Digest authentication with automatic challenge-response flow — API Studio handles the 401 handshake transparently so you only see the final successful response.
How It Works
Digest auth is a challenge-response protocol. Unlike Basic auth, the password itself is never sent over the wire. Instead the client sends a hash computed over the credentials, a server-supplied nonce, and the request method and URI. This keeps the password out of a passive capture, but it does not authenticate the server or protect the rest of the request, and a captured response can still be attacked offline by guessing passwords, so Digest should still be used over TLS.
API Studio handles the entire two-step handshake automatically. You provide your username and password, and the rest happens behind the scenes.
Challenge-Response Flow
The digest authentication process involves two HTTP round-trips, but API Studio handles both transparently:
1. Challenge: the server answers the first request with 401 and a WWW-Authenticate: Digest header containing nonce, realm, qop, and algorithm.
2. Response: API Studio retries with an Authorization: Digest header computed from the challenge parameters + your credentials.
Transparent handling: You only see the final successful response in the Response Viewer. The intermediate 401 challenge is hidden. Check the Actual Request tab to see the final request with the computed Digest auth header.
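The two steps above, worked through in Python as an added example (this is not API Studio's code): a constructed 401 challenge is parsed, the client computes the Authorization: Digest header for the retry, and the server side recomputes the response from its stored password to decide whether that retry succeeds. The realm, nonce, opaque, username and password values are made up for the example, and only qop=auth with MD5, SHA-256 and their -sess variants is handled.

```python
"""RFC 7616 Digest challenge-response, client and server side, for qop=auth."""
import hashlib
import hmac
import re
from typing import Callable, Dict

# Constructed 401 challenge standing in for a real server's WWW-Authenticate
# header. Realm, nonce and opaque are example values, not from any real server.
CHALLENGE = (
    'Digest realm="api.example.test", qop="auth", algorithm=SHA-256, '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

# key=value pairs; values are either quoted (realm="...") or bare tokens (algorithm=SHA-256)
_PARAM = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate or Authorization Digest header into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: (quoted if quoted else bare) for k, quoted, bare in _PARAM.findall(params)}


def _hasher(algorithm: str) -> Callable[[str], str]:
    """Return H() for the challenge's algorithm token (MD5, SHA-256, or a -sess variant)."""
    base = algorithm.upper()
    if base.endswith("-SESS"):
        base = base[:-5]
    fn = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}[base]
    return lambda s: fn(s.encode("utf-8")).hexdigest()


def compute_response(ch: Dict[str, str], username: str, password: str,
                     method: str, uri: str, cnonce: str, nc: str) -> str:
    """response = H(HA1:nonce:nc:cnonce:qop:HA2) with HA1 = H(user:realm:pass), HA2 = H(method:uri)."""
    if "auth" not in [q.strip() for q in ch.get("qop", "auth").split(",")]:
        raise ValueError("server does not offer qop=auth (auth-int also hashes the body)")
    alg = ch.get("algorithm", "MD5")
    H = _hasher(alg)
    ha1 = H(f"{username}:{ch['realm']}:{password}")
    if alg.upper().endswith("-SESS"):
        ha1 = H(f"{ha1}:{ch['nonce']}:{cnonce}")  # session variant binds HA1 to this nonce pair
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(challenge: str, username: str, password: str, method: str,
                        uri: str, cnonce: str, nc: str = "00000001") -> str:
    """Client side: turn the 401 challenge into the Authorization header for the retry.

    username/password are already-resolved plaintext; the hash is computed over the
    real values, never over a placeholder.
    """
    ch = parse_digest(challenge)
    resp = compute_response(ch, username, password, method, uri, cnonce, nc)
    parts = [
        f'username="{username}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
        f'uri="{uri}"', f'algorithm={ch.get("algorithm", "MD5")}', "qop=auth",
        f"nc={nc}", f'cnonce="{cnonce}"', f'response="{resp}"',
    ]
    if "opaque" in ch:
        parts.append(f'opaque="{ch["opaque"]}"')  # opaque is echoed back unchanged
    return "Digest " + ", ".join(parts)


def verify_authorization(auth_header: str, challenge: str, passwords: Dict[str, str],
                         method: str, uri: str) -> bool:
    """Server side: recompute the response from the stored password and compare.

    `passwords` stands in for the server's credential store (constructed for this example).
    """
    ch = parse_digest(challenge)
    a = parse_digest(auth_header)
    if a.get("realm") != ch["realm"] or a.get("nonce") != ch["nonce"] or a.get("uri") != uri:
        return False  # answer to a different challenge, or request for a different URI
    pw = passwords.get(a.get("username", ""))
    if pw is None:
        return False
    expected = compute_response(ch, a["username"], pw, method, uri,
                                a.get("cnonce", ""), a.get("nc", ""))
    return hmac.compare_digest(expected, a.get("response", ""))


if __name__ == "__main__":
    hdr = build_authorization(CHALLENGE, "alice", "s3cret", "GET", "/v1/orders", cnonce="0a1b2c3d")
    print(hdr)  # this is what the Actual Request tab would show for step 2
    print(verify_authorization(hdr, CHALLENGE, {"alice": "s3cret"}, "GET", "/v1/orders"))
```

The server check shows why the header is safe to log in a way the password is not: the response is only valid for this realm, nonce, method and URI, and a verifier with a different nonce or stored password rejects it. It also shows what the header does not protect, since nothing in it covers other headers or the body when qop=auth is used.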
Configuration
Select Digest Auth from the Auth type dropdown. Only two fields are needed:
| Field | Description |
|---|---|
| username | Your account username (supports {{variables}}) |
| password | Your account password (supports {{variables}}) |
All other parameters are handled for you: realm, nonce, qop, opaque and algorithm are taken from the server's 401 challenge, while the client-side values (the cnonce and the nc request counter) are generated for each request.
Supported Algorithms
API Studio supports all standard digest algorithms specified by the server. RFC 7616 defines the following algorithm values:
| Algorithm | Notes |
|---|---|
| MD5 | Legacy, widely supported |
| SHA-256 | Modern, recommended |
| MD5-sess, SHA-256-sess | Session-based variant; HA1 is additionally bound to the nonce and cnonce |
The algorithm is determined by the server's WWW-Authenticate challenge — you don't need to configure it manually.
Variable Support
Both username and password fields support {{variable}} placeholders.
Example with environment variables:
Username: {{digest_user}}
Password: {{digest_pass}}
Important: Variables are interpolated before the digest computation. The resolved plaintext values are used to compute the hash — the {{placeholder}} syntax is never sent over the wire.
Security Note
Auth credentials appear in multiple places:
- Actual Request tab — shows resolved auth headers with real values
- Code Export — generated code includes resolved auth values
- History — saved request headers contain injected auth (scrubbed only if from vault)
- collections.json — auth config saved in plain text (committed to git)
Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.