Authenticate with Digest access authentication in Postman

With Digest auth, the client sends a first request to the API, and the server responds with a 401 Unauthorized response carrying a few details, including a number that can be used only once (a nonce) and a realm value. You then send back a hashed digest of data that combines your username and password with the values received from the server in the first request. The server uses the same data to compute its own digest and compares it against what you sent to authenticate your request.

In the Authorization tab for a request, select Digest Auth from the Type dropdown list. Postman will present fields for both stages of the authentication request. It autocompletes the fields for the second request in the Advanced section using the data returned by the server in response to the first request. To enable Postman to automate the flow, enter Username and Password values (or variables); these will be sent with the second request.

If you don't want Postman to extract the data automatically, select Yes, disable retrying the request in the left column. If you do this, you will need to complete the Advanced fields and run each request manually.

Setting the fields in the Advanced section is optional. Postman will populate them automatically when your first request runs.

  • Realm - A string specified by the server in the WWW-Authenticate response header.
  • Nonce - A unique string specified by the server in the WWW-Authenticate response header.
  • Algorithm - A string that indicates the pair of algorithms used to produce the digest and the checksum. Postman supports MD5 and SHA algorithms.
  • qop - The quality of protection applied to the message. The value must be one of the options specified by the server in the WWW-Authenticate response header.
  • Nonce Count - The hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request.
  • Client Nonce - An opaque quoted string value provided by the client, used by both the client and the server to avoid chosen-plaintext attacks, to provide mutual authentication, and to provide some message integrity protection.
  • Opaque - A string of data specified by the server in the WWW-Authenticate response header, which will be used unchanged with URIs in the same protection space.
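As an added example (not Postman's own code), here is the computation Postman performs with the fields above: parse the server's WWW-Authenticate challenge from the first response, then derive the response digest and Authorization header for the second request. The sample challenge and credentials are the constructed RFC 2617 example values; only qop=auth (or the legacy no-qop form) is handled, not auth-int.

```python
import hashlib
import re

# Constructed sample challenge (RFC 2617 example values), not captured from a real server.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def parse_challenge(header):
    """Turn a 'WWW-Authenticate: Digest ...' value into a dict of its parameters."""
    assert header.startswith("Digest ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {key: quoted or bare for key, quoted, bare in pairs}

def _h(algorithm, data):
    """Hash helper: the challenge's algorithm name selects MD5 or SHA-256."""
    name = {"MD5": "md5", "SHA-256": "sha256"}[algorithm.replace("-sess", "")]
    return hashlib.new(name, data.encode("utf-8")).hexdigest()

def digest_response(username, password, method, uri, chal, nc, cnonce, qop=None):
    """Compute the 'response' field: HA1 and HA2 chained with nonce, nc, cnonce and qop."""
    alg = chal.get("algorithm", "MD5")
    ha1 = _h(alg, f"{username}:{chal['realm']}:{password}")
    if alg.endswith("-sess"):                       # session variant folds in nonce and cnonce
        ha1 = _h(alg, f"{ha1}:{chal['nonce']}:{cnonce}")
    ha2 = _h(alg, f"{method}:{uri}")                # qop=auth covers method and URI only
    if qop:
        return _h(alg, f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(alg, f"{ha1}:{chal['nonce']}:{ha2}")  # legacy RFC 2069 form when no qop offered

def authorization_header(username, password, method, uri, chal,
                         nc="00000001", cnonce="0a4f113b"):
    """Build the Authorization header for the second request. cnonce is fixed here for
    reproducibility; a real client draws it from a CSPRNG (e.g. secrets.token_hex)."""
    offered = [q.strip() for q in chal.get("qop", "").split(",") if q.strip()]
    qop = "auth" if "auth" in offered else None     # qop must be one the server offered
    resp = digest_response(username, password, method, uri, chal, nc, cnonce, qop)
    parts = [f'username="{username}"', f'realm="{chal["realm"]}"',
             f'nonce="{chal["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in chal:
        parts.append(f'opaque="{chal["opaque"]}"')  # echoed back unchanged, as described above
    return "Digest " + ", ".join(parts)

if __name__ == "__main__":
    chal = parse_challenge(CHALLENGE)
    print(authorization_header("Mufasa", "Circle Of Life", "GET", "/dir/index.html", chal))
```

Because the same nonce and nc are hashed into the response, a server that tracks nonce counts can reject a replayed header, which is why Postman increments Nonce Count per request.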

Last modified: 2023/05/26