Using HTTP DIGEST authentication with WordPress’ wp_remote_get()

HTTP BASIC authentication (Wikipedia) is a form of client / server authentication where the username and password are base64 encoded in the request header. However, because these credentials can be easily decoded, BASIC authentication requires SSL for the request to be secured.

HTTP DIGEST authentication (Wikipedia) permits more secure communication between the client and server over insecure HTTP. It’s also a fair bit more challenging to implement, for a couple of reasons:

  1. Every API call actually requires two HTTP requests. Although the first request will fail with 401 Unauthorized, it returns a www-authenticate response header with values critical for signing the second request.
  2. Sending the second request requires creating a signature with several variables where the order matters. Because of the number of variables (pun intended), debugging authentication failures can be very frustrating.

To make HTTP DIGEST authentication requests easier in WordPress, here’s a function you can use:

Join the Conversation


    1. Hm, great question. I think that’s whatever query arguments you’re passing in the initial request. This code snippet was prepared from some existing production code, but I don’t recall the exact details at this point.

Leave a comment

Your email address will not be published. Required fields are marked *