What are the valid characters in an HTTP Authorization header?

RFC 2616, 14.8 Authorization:

Authorization = "Authorization" ":" credentials

RFC 2616, 11 Access Authentication:

This specification adopts the definitions of [..] "credentials" from [RFC 2617].

RFC 2617, 1.2 Access Authentication Framework:

credentials    = auth-scheme #auth-param
auth-scheme    = token
auth-param     = token "=" ( token | quoted-string )

RFC 2617, 2 Basic Authentication Scheme

For Basic, the framework above is utilized as follows:

 credentials = "Basic" basic-credentials

So after the fixed Authorization: part, you can use:

  • token, followed by an optional "=" (token | quoted-string) (see page 16 of RFC 2616) when using Digest or any other unspecified authentication scheme, or
  • "Basic" basic-credentials when using Basic authentication, where basic-credentials are base64-encoded according to RFC 2045.

I guess though that you're actually trying to ask a different question. Do you have any trouble regarding implementing a specific authorization mechanism? In what language are you trying to implement that, what code do you currently have and what is the problem?


Don't worry about the soon-to-be-obsoleted specs and look here: http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html##challenge.and.response


Valid characters in an Authorization token

The specifications are really hard to read, but as I understand them a token can contain any of the following ASCII characters:

Char Dec Col/Row Oct Hex  Name and Description
(!)   33  02/01   41  21                 EXCLAMATION MARK
(#)   35  02/03   43  23                 NUMBER SIGN
($)   36  02/04   44  24                 DOLLAR SIGN
(%)   37  02/05   45  25                 PERCENT SIGN
(&)   38  02/06   46  26                 AMPERSAND
(')   39  02/07   47  27                 APOSTROPHE
(*)   42  02/10   52  2A                 ASTERISK
(+)   43  02/11   53  2B                 PLUS SIGN
(-)   45  02/13   55  2D                 HYPHEN, MINUS SIGN
(.)   46  02/14   56  2E                 PERIOD, FULL STOP
(0)   48  03/00   60  30                 DIGIT ZERO
(1)   49  03/01   61  31                 DIGIT ONE
(2)   50  03/02   62  32                 DIGIT TWO
(3)   51  03/03   63  33                 DIGIT THREE
(4)   52  03/04   64  34                 DIGIT FOUR
(5)   53  03/05   65  35                 DIGIT FIVE
(6)   54  03/06   66  36                 DIGIT SIX
(7)   55  03/07   67  37                 DIGIT SEVEN
(8)   56  03/08   70  38                 DIGIT EIGHT
(9)   57  03/09   71  39                 DIGIT NINE
(A)   65  04/01  101  41                 CAPITAL LETTER A
(B)   66  04/02  102  42                 CAPITAL LETTER B
(C)   67  04/03  103  43                 CAPITAL LETTER C
(D)   68  04/04  104  44                 CAPITAL LETTER D
(E)   69  04/05  105  45                 CAPITAL LETTER E
(F)   70  04/06  106  46                 CAPITAL LETTER F
(G)   71  04/07  107  47                 CAPITAL LETTER G
(H)   72  04/08  110  48                 CAPITAL LETTER H
(I)   73  04/09  111  49                 CAPITAL LETTER I
(J)   74  04/10  112  4A                 CAPITAL LETTER J
(K)   75  04/11  113  4B                 CAPITAL LETTER K
(L)   76  04/12  114  4C                 CAPITAL LETTER L
(M)   77  04/13  115  4D                 CAPITAL LETTER M
(N)   78  04/14  116  4E                 CAPITAL LETTER N
(O)   79  04/15  117  4F                 CAPITAL LETTER O
(P)   80  05/00  120  50                 CAPITAL LETTER P
(Q)   81  05/01  121  51                 CAPITAL LETTER Q
(R)   82  05/02  122  52                 CAPITAL LETTER R
(S)   83  05/03  123  53                 CAPITAL LETTER S
(T)   84  05/04  124  54                 CAPITAL LETTER T
(U)   85  05/05  125  55                 CAPITAL LETTER U
(V)   86  05/06  126  56                 CAPITAL LETTER V
(W)   87  05/07  127  57                 CAPITAL LETTER W
(X)   88  05/08  130  58                 CAPITAL LETTER X
(Y)   89  05/09  131  59                 CAPITAL LETTER Y
(Z)   90  05/10  132  5A                 CAPITAL LETTER Z
(^)   94  05/14  136  5E                 CIRCUMFLEX ACCENT
(_)   95  05/15  137  5F                 LOW LINE, UNDERLINE
(`)   96  06/00  140  60                 GRAVE ACCENT
(a)   97  06/01  141  61                 SMALL LETTER a
(b)   98  06/02  142  62                 SMALL LETTER b
(c)   99  06/03  143  63                 SMALL LETTER c
(d)  100  06/04  144  64                 SMALL LETTER d
(e)  101  06/05  145  65                 SMALL LETTER e
(f)  102  06/06  146  66                 SMALL LETTER f
(g)  103  06/07  147  67                 SMALL LETTER g
(h)  104  06/08  150  68                 SMALL LETTER h
(i)  105  06/09  151  69                 SMALL LETTER i
(j)  106  06/10  152  6A                 SMALL LETTER j
(k)  107  06/11  153  6B                 SMALL LETTER k
(l)  108  06/12  154  6C                 SMALL LETTER l
(m)  109  06/13  155  6D                 SMALL LETTER m
(n)  110  06/14  156  6E                 SMALL LETTER n
(o)  111  06/15  157  6F                 SMALL LETTER o
(p)  112  07/00  160  70                 SMALL LETTER p
(q)  113  07/01  161  71                 SMALL LETTER q
(r)  114  07/02  162  72                 SMALL LETTER r
(s)  115  07/03  163  73                 SMALL LETTER s
(t)  116  07/04  164  74                 SMALL LETTER t
(u)  117  07/05  165  75                 SMALL LETTER u
(v)  118  07/06  166  76                 SMALL LETTER v
(w)  119  07/07  167  77                 SMALL LETTER w
(x)  120  07/08  170  78                 SMALL LETTER x
(y)  121  07/09  171  79                 SMALL LETTER y
(z)  122  07/10  172  7A                 SMALL LETTER z
(|)  124  07/12  174  7C                 VERTICAL LINE, VERTICAL BAR
(~)  126  07/14  176  7E                 TILDE

The following can also be included but they must be in a quoted string:

Char Dec Col/Row Oct Hex  Name and Description
       9  00/09   11  09  HT   (Ctrl-I)  HORIZONTAL TAB
      10  00/10   12  0A  LF   (Ctrl-J)  LINE FEED
      13  00/13   15  0D  CR   (Ctrl-M)  CARRIAGE RETURN
( )   32  02/00   40  20                 SPACE
(")   34  02/02   42  22                 QUOTATION MARK
(()   40  02/08   50  28                 LEFT PARENTHESIS
())   41  02/09   51  29                 RIGHT PARENTHESIS
(,)   44  02/12   54  2C                 COMMA
(/)   47  02/15   57  2F                 SOLIDUS, SLASH
(:)   58  03/10   72  3A                 COLON
(;)   59  03/11   73  3B                 SEMICOLON
(<)   60  03/12   74  3C                 LESS-THAN SIGN, LEFT ANGLE BRACKET
(=)   61  03/13   75  3D                 EQUALS SIGN
(>)   62  03/14   76  3E                 GREATER-THAN SIGN, RIGHT ANGLE BRACKET
(?)   63  03/15   77  3F                 QUESTION MARK
(@)   64  04/00  100  40                 COMMERCIAL AT SIGN
([)   91  05/11  133  5B                 LEFT SQUARE BRACKET
(\)   92  05/12  134  5C                 REVERSE SOLIDUS (BACKSLASH)
(])   93  05/13  135  5D                 RIGHT SQUARE BRACKET
({)  123  07/11  173  7B                 LEFT CURLY BRACKET, LEFT BRACE
(})  125  07/13  175  7D                 RIGHT CURLY BRACKET, RIGHT BRACE

Columns and formatting taken from here.

Specs

Here are the Docs:

Many HTTP/1.1 header field values consist of words separated by LWS [Carriage Return, Line Feed, Space, Horizontal Tab] or special characters. These special characters MUST be in a quoted string to be used within a parameter value (as defined in section 3.6).

   token          = 1*<any CHAR except CTLs or separators>
   separators     = "(" | ")" | "<" | ">" | "@"
                  | "," | ";" | ":" | "\" | <">
                  | "/" | "[" | "]" | "?" | "="
                  | "{" | "}" | SP | HT

Notes

  • Base64 and Base64Url are subsets of the above character set, so if in doubt you can always encode your Authentication header with one of them.
  • Thanks to @CodeCaster for pointing me in the right direction.
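
The grammar quoted in the answers above, turned into a validator (an added example, not code from any of the answers). It derives the token alphabet from the `token`/`separators` rules and parses the `auth-scheme #auth-param` form only, not Basic's `basic-credentials`. The function names are made up for illustration, and the ban on every control character except HT inside a quoted-string is an assumption that is deliberately stricter than the RFC, so a CR/LF smuggled into the header is refused rather than forwarded.

```python
# Constructed from the token/separators grammar quoted above (RFC 2616, 2.2).
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
CTLS = {chr(c) for c in range(32)} | {chr(127)}
TOKEN_CHARS = {chr(c) for c in range(128)} - CTLS - SEPARATORS


def is_token(s):
    return bool(s) and all(ch in TOKEN_CHARS for ch in s)


def _read_value(s, i):
    """Read token | quoted-string starting at s[i]; return (value, next_index)."""
    if i < len(s) and s[i] == '"':
        out, i = [], i + 1
        while i < len(s):
            ch = s[i]
            if ch == '\\' and i + 1 < len(s):       # quoted-pair: take next char
                ch, i = s[i + 1], i + 1
            elif ch == '"':                         # closing quote
                return ''.join(out), i + 1
            # Assumption: stricter than the RFC, no CTL except HT (no CR/LF).
            if ord(ch) > 126 or (ch in CTLS and ch != '\t'):
                raise ValueError('illegal character in quoted-string')
            out.append(ch)
            i += 1
        raise ValueError('unterminated quoted-string')
    j = i
    while j < len(s) and s[j] in TOKEN_CHARS:
        j += 1
    if j == i:
        raise ValueError('expected token or quoted-string')
    return s[i:j], j


def parse_credentials(value):
    """Parse 'scheme name=value, name="value"' into (scheme, params)."""
    scheme, _, rest = value.strip(' \t').partition(' ')
    if not is_token(scheme):
        raise ValueError('auth-scheme is not a token')
    params, i = {}, 0
    while i < len(rest):
        if rest[i] in ' \t,':                       # list separators, skipped
            i += 1
            continue
        eq = rest.find('=', i)
        name = rest[i:eq] if eq != -1 else ''
        if not is_token(name):
            raise ValueError('auth-param name is not a token')
        params[name.lower()], i = _read_value(rest, eq + 1)
        if i < len(rest) and rest[i] not in ' \t,':
            raise ValueError('junk after auth-param value')
    return scheme, params
```

Call `parse_credentials()` on the header value (the part after `Authorization:`) and treat a `ValueError` as a malformed request.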