How do I pass authorization header using cURL? ( executable in /usr/bin/curl
).
14 Answers
http://curl.se/docs/httpscripting.html
See part 6. HTTP Authentication
HTTP Authentication
HTTP Authentication is the ability to tell the server your username and password so that it can verify that you're allowed to do the request you're doing. The Basic authentication used in HTTP (which is the type curl uses by default) is plain text based, which means it sends username and password only slightly obfuscated, but still fully readable by anyone that sniffs on the network between you and the remote server.
To tell curl to use a user and password for authentication:
curl --user name:password http://www.example.com
The site might require a different authentication method (check the headers returned by the server), and then --ntlm, --digest, --negotiate or even --anyauth might be options that suit you.
Sometimes your HTTP access is only available through the use of a HTTP proxy. This seems to be especially common at various companies. A HTTP proxy may require its own user and password to allow the client to get through to the Internet. To specify those with curl, run something like:
curl --proxy-user proxyuser:proxypassword curl.haxx.se
If your proxy requires the authentication to be done using the NTLM method, use --proxy-ntlm, if it requires Digest use --proxy-digest.
If you use any one these user+password options but leave out the password part, curl will prompt for the password interactively.
Do note that when a program is run, its parameters might be possible to see when listing the running processes of the system. Thus, other users may be able to watch your passwords if you pass them as plain command line options. There are ways to circumvent this.
It is worth noting that while this is how HTTP Authentication works, very many web sites will not use this concept when they provide logins etc. See the Web Login chapter further below for more details on that.
Just adding so you don't have to click-through:
curl --user name:password http://www.example.com
or if you're trying to do send authentication for OAuth 2:
curl -H "Authorization: OAuth <ACCESS_TOKEN>" http://www.example.com
-
24Many API now use header authorization tokens. The
-H
option is great.– eliocsCommented Nov 23, 2012 at 17:45 -
32If you use -u or --user, Curl will Encode the credentials into Base64 and produce a header like this:
-H Authorization: Basic <Base64EncodedCredentials>
Commented Dec 22, 2016 at 19:20 -
7Additionally, if you need the
<Base64EncodedCredentials>
as mentioned by @timothy-kansaki, you can get the encoded credential using the command:cred="$( echo $NAME:$PASSWORD | base64 )"; curl -H "Authorization: Basic $cred" https://example.com
. For reference, see stackoverflow.com/questions/16918602/… Commented Dec 16, 2019 at 21:03 -
5@DavidGolembiowski by default echo will throw in a newline, at least on macs. As mentioned in your link, you'll want
echo -n
to prevent the newline from being included– braridenCommented Jul 21, 2020 at 17:05 -
1
Bearer tokens look like this:
curl -H "Authorization: Bearer <ACCESS_TOKEN>" http://www.example.com
-
8And if you're looking to do 'Basic' authorisation, just swap 'Bearer' for 'Basic' Commented Nov 20, 2014 at 13:56
-
I've got the strangest thing, I'm getting a "Wrong format of Authorization header" and "HTTP-200". So the server accepts my authorization, but the format is wrong?– GroostavCommented Mar 26, 2020 at 20:36
This worked for me:
curl -H "Authorization: Bearer xxxxxxxxxxxxxx" https://www.example.com/
-
-
1
-
2
-
8I was almost sure that it's case-insensitive, but it seems I'm wrong. Yes I meant
Bearer
.– jlhCommented Mar 4, 2020 at 9:14
(for those who are looking for php-curl answer)
$service_url = 'https://example.com/something/something.json';
$curl = curl_init($service_url);
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($curl, CURLOPT_USERPWD, "username:password"); //Your credentials goes here
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $curl_post_data);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); //IMP if the url has https and you don't want to verify source certificate
$curl_response = curl_exec($curl);
$response = json_decode($curl_response);
curl_close($curl);
var_dump($response);
For HTTP Basic Auth:
curl -H "Authorization: Basic <_your_token_>" http://www.example.com
replace _your_token_
and the URL.
-
When using oauth where would the Authorization token come from? I am trying to use curl to download files from a site where I use a user and password but it seems to be failing due to oauth2 in use. Commented Aug 31, 2016 at 8:22
-
@toasteez you have to go through the Oauth2 flow to receive a token. Typically its a two step process and should be detailed in the server's documentation.– DevaroopCommented Sep 8, 2016 at 5:58
-
21good answer. a small helper
echo -ne "<your-user>:<your-pass>" | base64 --wrap 0
will generate the basic auth token.– Mike DCommented Dec 13, 2016 at 20:53 -
4@MikeD
-H "Authorization: Basic <_your_token_>"
does the same effect as--user login:password
. You can check it withcurl -v
– vladkrasCommented Jun 2, 2017 at 3:23 -
2@vladkras my response is a helper for this answer. in my experience, it is better to understand how to create the token instead of relying on curl to generate it.– Mike DCommented Jun 3, 2017 at 0:15
Be careful that when you using:
curl -H "Authorization: token_str" http://www.example.com
token_str
and Authorization
must be separated by white space, otherwise server-side will not get the HTTP_AUTHORIZATION
environment.
-
7Not true, if a white space is required, your HTTP server is broken. Also you need two strings a type and then the token. Commented Jul 21, 2017 at 4:07
As of curl
7.61.0 you can use the --oauth2-bearer <token>
option to set the correct Bearer authorization headers.
This example includes the following:
- POST request
- Header Content-Type
- Header Authorization
- Data flag with JSON data
- Base64 encoded token
- Ref-1: curl authorization header
- Ref-2: curl POST request
curl -X POST -H "Content-Type: application/json" -d '{"name”:”Johnny B. Goode”, "email”:”[email protected]"}' -H "Authorization: Bearer $(echo -n Guitar Maestro | base64)" https://url-address.com
If you don't have the token at the time of the call is made, You will have to make two calls, one to get the token and the other to extract the token form the response, pay attention to
grep token | cut -d, -f1 | cut -d\" -f4
as it is the part which is dealing with extracting the token from the response.
echo "Getting token response and extracting token"
def token = sh (returnStdout: true, script: """
curl -S -i -k -X POST https://www.example.com/getToken -H \"Content-Type: application/json\" -H \"Accept: application/json\" -d @requestFile.json | grep token | cut -d, -f1 | cut -d\\" -f4
""").split()
After extracting the token you can use the token to make subsequent calls as follows.
echo "Token : ${token[-1]}"
echo "Making calls using token..."
curl -S -i -k -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer ${token[-1]}" https://www.example.com/api/resources
FWIW, on Mac OS I've found that I need to surround the target url with quotes when it contains query parameters, e.g.,
curl -H "Authorization: Token xxxxxxxxxxxxxx" "https://www.example.com/?param=myparam"
-
what tool i can use to get base64 string, can I just use any online tool ? like
https://www.base64encode.org/
? Commented Jul 21, 2023 at 13:44
The below worked for me
curl -H "Authorization: Token xxxxxxxxxxxxxx" https://www.example.com/
For those doing Token-Based authentication ... make sure you do :
curl -H "AuthToken: "
instead !!
A simple example is using parameters with authorization converted to base64
curl -XPOST 'http://exemplo.com/webhooks?Authorization=Basic%20dGVzdDoxMjM0NTYK'