Authenticate with Digest access authentication in Postman

With Digest auth, the client sends a first request to the API, and the server responds with a 401 Unauthorized response whose details include a number that can be used only once (a nonce) and a realm value. You then send back a digest, a hash computed from your username and password combined with the data received from the server in the first request. The server uses the passed data to compute the same hash and compares it against what you sent to authenticate your request.

In the Authorization tab for a request, select Digest Auth from the Auth Type dropdown list. Postman displays fields for both stages of the authentication request. It automatically updates the fields for the second request in the Advanced configuration section using data returned from the server by the first request. To enable Postman to automate the flow, enter Username and Password values (or variables) and these are sent with the second request.

If you don't want Postman to automatically extract the data, select Yes, disable retrying the request. If you select this, you'll need to complete the advanced fields and run each request manually.

Setting the fields in the Advanced configuration section is optional. Postman generates default values in these fields automatically when your first request runs.

  • Realm - A string specified by the server in the WWW-Authenticate response header.
  • Nonce - A unique string specified by the server in the WWW-Authenticate response header.
  • Algorithm - A string that indicates a pair of algorithms used to produce the digest and a checksum. Postman supports MD5 and SHA algorithms.
  • qop - The quality of protection applied to the message. The value must be one of the options specified by the server in the WWW-Authenticate response header.
  • Nonce Count - The hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request.
  • Client Nonce - An opaque quoted string value provided by the client. This is used by both client and server to avoid chosen plaintext attacks, to provide mutual authentication, and to provide some message integrity protection.
  • Opaque - A string of data specified by the server in the WWW-Authenticate response header, which is used unchanged with URIs in the same protection space.

Last modified: 2024/07/24