
AUTHENTICATION

Digest Auth

RFC 7616 Digest authentication with automatic challenge-response flow — API Studio handles the 401 handshake transparently so you only see the final successful response.

How It Works

Digest auth is a challenge-response protocol. Unlike Basic auth, the password is never sent over the wire — instead, a hash computed from the credentials and server-provided nonce is transmitted.

API Studio handles the entire two-step handshake automatically. You provide your username and password, and the rest happens behind the scenes.

Challenge-Response Flow

The digest authentication process involves two HTTP round-trips, but API Studio handles both transparently:

1. Initial Request — API Studio sends your request without auth credentials
2. Server Challenge (401) — Server responds with WWW-Authenticate: Digest containing nonce, realm, qop, and algorithm
3. Authenticated Retry — API Studio automatically retries with an Authorization: Digest header computed from the challenge parameters + your credentials

Transparent handling: You only see the final successful response in the Response Viewer. The intermediate 401 challenge is hidden. Check the Actual Request tab to see the final request with the computed Digest auth header.

Configuration

Select Digest Auth from the Auth type dropdown. Only two fields are needed:

Field      Description
username   Your account username (supports {{variables}})
password   Your account password (supports {{variables}})

All other parameters are handled automatically: nonce, realm, qop and opaque are taken from the server's 401 challenge, and the client-side values nc (nonce count) and cnonce (client nonce) are generated by API Studio for each request.

Supported Algorithms

API Studio supports all standard digest algorithms specified by the server:

  • MD5: Legacy, widely supported
  • SHA-256: Modern, recommended
  • SHA-256-sess: Session-based variant

The algorithm is determined by the server's WWW-Authenticate challenge — you don't need to configure it manually.
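The two-step flow and the algorithm selection above, worked through as an added example (this is not API Studio's own code): parse a constructed WWW-Authenticate challenge, compute the client's Authorization: Digest header the way RFC 7616 specifies for qop=auth (MD5, SHA-256 and the -sess variant), and verify it the way a server would. The challenge values, username and password are all constructed for the example.

```python
import hashlib
import re
import secrets

# Constructed sample challenge (not captured from a real server); it offers
# SHA-256 and qop=auth, which a client such as API Studio picks up automatically.
CHALLENGE = ('Digest realm="api.example.test", qop="auth, auth-int", algorithm=SHA-256, '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"')
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

def parse_params(header, scheme="Digest"):
    """Split a Digest header (challenge or Authorization) into a parameter dict."""
    name, _, params = header.partition(" ")
    if name.lower() != scheme.lower():
        raise ValueError(f"expected {scheme} scheme, got {name!r}")
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k: (u if u else q) for k, q, u in found}

def digest_response(ch, username, password, method, uri, nc=1, cnonce=None):
    """Client side: build the Authorization: Digest header from a parsed challenge."""
    algo = ch.get("algorithm", "MD5")
    base = algo[:-5] if algo.endswith("-sess") else algo
    if base not in HASHES:
        raise ValueError(f"unsupported algorithm {algo}")
    if "auth" not in [q.strip() for q in ch.get("qop", "auth").split(",")]:
        raise ValueError("server does not offer qop=auth")
    H = lambda s: HASHES[base](s.encode()).hexdigest()
    cnonce = cnonce or secrets.token_hex(16)  # generated by the client, not the server
    ncv = f"{nc:08x}"                         # nonce count, also client-side state
    ha1 = H(f"{username}:{ch['realm']}:{password}")
    if algo.endswith("-sess"):                # -sess binds HA1 to this nonce/cnonce pair
        ha1 = H(f"{ha1}:{ch['nonce']}:{cnonce}")
    ha2 = H(f"{method}:{uri}")
    response = H(f"{ha1}:{ch['nonce']}:{ncv}:{cnonce}:auth:{ha2}")
    fields = [f'username="{username}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
              f'uri="{uri}"', f"algorithm={algo}", "qop=auth", f"nc={ncv}",
              f'cnonce="{cnonce}"', f'response="{response}"']
    if "opaque" in ch:                        # echoed back unchanged for the server
        fields.append(f'opaque="{ch["opaque"]}"')
    return "Digest " + ", ".join(fields)

def verify(auth_header, method, password_lookup):
    """Server side: recompute the response from the stored password and compare
    in constant time. A real server also checks nonce freshness and nc ordering."""
    a = parse_params(auth_header)
    expected = digest_response(a, a["username"], password_lookup(a["username"]),
                               method, a["uri"], nc=int(a["nc"], 16), cnonce=a["cnonce"])
    return secrets.compare_digest(parse_params(expected)["response"], a["response"])
```

Note that the plaintext password never appears in the header: only the realm-bound HA1 hash enters the response, which is why the Actual Request tab shows a digest rather than your credentials.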

Variable Support

Both username and password fields support {{variable}} placeholders.

Example with environment variables:

Username:  {{digest_user}}
Password:  {{digest_pass}}

Important: Variables are interpolated before the digest computation. The resolved plaintext values are used to compute the hash — the {{placeholder}} syntax is never sent over the wire.

Security Note

Auth credentials appear in multiple places:

  • Actual Request tab — shows resolved auth headers with real values
  • Code Export — generated code includes resolved auth values
  • History — saved request headers contain injected auth (scrubbed only if from vault)
  • collections.json — auth config saved in plain text (committed to git)

Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.
