#http #digest #basic


HTTP authentication: parse challenge lists, respond to Basic and Digest challenges. Likely to be extended with server support and additional auth schemes.

10 releases

0.1.9 Dec 28, 2023
0.1.8 Jan 30, 2023
0.1.6 May 2, 2022
0.1.5 Nov 30, 2021
0.1.3 Oct 21, 2021

#35 in Authentication

Download history 25094/week @ 2023-11-02 25164/week @ 2023-11-09 27750/week @ 2023-11-16 25675/week @ 2023-11-23 26607/week @ 2023-11-30 26526/week @ 2023-12-07 24504/week @ 2023-12-14 18771/week @ 2023-12-21 22042/week @ 2023-12-28 26172/week @ 2024-01-04 23905/week @ 2024-01-11 24631/week @ 2024-01-18 25985/week @ 2024-01-25 29944/week @ 2024-02-01 32776/week @ 2024-02-08 28746/week @ 2024-02-15

121,349 downloads per month
Used in 98 crates (5 directly)



crates.io Released API docs CI

Rust library for HTTP authentication. Parses challenge lists, responds to Basic and Digest challenges. Likely to be extended with server support and additional auth schemes.

HTTP authentication is described in the following documents and specifications:

This framework is primarily used with HTTP, as suggested by the name. It is also used by some other protocols such as RTSP.


Well-tested, suitable for production. The API may change to improve ergonomics and functionality. New functionality is likely to be added. PRs welcome!


In order:

  1. sound. Currently no unsafe blocks in http-auth itself. All dependencies are common, trusted crates.
  2. correct. Precisely implements the specifications except where noted. Fuzz tests verify the hand-written parser never panics and matches a nom-based reference implementation.
  3. light-weight. Minimal dependencies; uses Cargo features so callers can avoid them when undesired. Simple code that minimizes monomorphization bloat. Small data structures; eg http_auth::DigestClient currently weighs in at 32 bytes plus one allocation for all string fields.
  4. complete. Implements both parsing and responding to challenges. (Currently only supports the client side and responding to the most common Basic and Digest schemes; future expansion is likely.)
  5. ergonomic. Creating a client for responding to a password challenge is a one-liner from a string header or a http::header::GetAll.
  6. fast enough. HTTP authentication is a small part of a real program, and http-auth's CPU usage should never be noticeable. For Digest's cryptographic operations, it uses popular optimized crates. In other respects, http-auth is likely at least as efficient as other HTTP authentication crates, although I have no reason to believe their performance is problematic.


Scott Lamb <slamb@slamb.org>


SPDX-License-Identifier: MIT OR Apache-2.0

See LICENSE-MIT.txt or LICENSE-APACHE, respectively.


~12K SLoC