WWW-Authenticate Response Header Field

The resource server must include the HTTP "WWW-Authenticate" response header field, if the protected resource request contains an access token that is invalid or if the access token is malformed.

"WWW-Authenticate" header field uses the following format −

challenge               =   "OAuth" RWS token-challenge
token-challenge         =   realm
                            [CS error]
                            [CS error-uri]
                            [CS scope]
                            [CS 1#auth –param]
error                   =   "error"  "=" <"> token <">
error-desc              =   "error_description" "=" quoted-string
error-uri               =   "error_uri" = <"> URI-Reference <">
scope                   =   quoted-value / <"> quoted-value *(1*SP quoted-value) <">
    quoted-value        =   1* quoted-char


  • realm − It is an attribute which specifies the scope of protection and is displayed to the users so that they know which username and password to use. This attribute must appear only once.

  • error − It is an attribute used to provide a client the specific reason why the access request was declined.

  • error_description − It is an attribute that provides a human-readable text that can be used to help in understanding the error that occurred.

  • error_uri − It is an attribute that provides a URI to identify a human-readable web page along with the information about the error that has occurred.

  • scope − It is an attribute which specifies the required scope of the access token in order to access the requested resource.