Real-world examples of digest authentication in modern APIs

The best real examples of digest authentication example usage today

Digest authentication is old, but it’s not completely gone. If you want examples of examples of digest authentication example usage that still show up in real systems, you typically find them in three places:

• Legacy internal APIs that never migrated to OAuth or JWT
• Admin or diagnostic endpoints on web servers
• Embedded devices and appliances that prefer simple HTTP-based auth

Instead of treating digest as a museum piece, let’s walk through real examples of how it shows up in 2024–2025, and how to work with it safely.

HTTP request/response flow: a concrete example of digest authentication

The first thing people usually look for is a clear wire-level example. Here’s a realistic example of a digest authentication exchange between a client and an API.

The client starts with an unauthenticated request:

GET /api/devices HTTP/1.1
Host: api.example.com

The server responds with a 401 Unauthorized and a WWW-Authenticate header describing the digest challenge:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest \
  realm="iot-api", \
  qop="auth", \
  nonce="MTczMDI0NjY5MDAwMDp3YWxsZXQ=", \
  opaque="a1b2c3d4e5"

The client then resends the request with an Authorization header built from the username, realm, password, URI, nonce, HTTP method, and a client nonce:

GET /api/devices HTTP/1.1
Host: api.example.com
Authorization: Digest \
  username="admin", \
  realm="iot-api", \
  nonce="MTczMDI0NjY5MDAwMDp3YWxsZXQ=", \
  uri="/api/devices", \
  qop=auth, \
  nc=00000001, \
  cnonce="d79f4c0a9b3e1a0c", \
  response="7b1c1f1f9a3e6c8e1b5a6c2e5f90b1af", \
  opaque="a1b2c3d4e5"

This is the canonical wire-level example of digest authentication: a challenge–response handshake where the password is never sent in clear text, only an MD5-based hash derived from it.

Nginx config: examples of digest authentication example for admin endpoints

One of the most common real examples of digest auth in 2024 is on internal admin paths that are not worth wiring into full SSO. Nginx still supports this via third-party modules like ngx_http_auth_digest_module.

A practical example of digest authentication with Nginx might look like this:

location /admin/ {
    auth_digest "admin-area";
    auth_digest_user_file /etc/nginx/digest_passwd;
}

The digest_passwd file typically stores entries like:

admin:admin-area:5f4dcc3b5aa765d61d8327deb882cf99

That hash is MD5(username:realm:password). This is one of the best examples of digest authentication example usage on a modern stack: simple, file-based, and good enough for low-traffic, internal-only admin tools.

While MD5 is not considered strong by modern cryptographic standards, the pattern is still documented in HTTP specs like RFC 7616 and referenced in security guidance from organizations such as NIST, which now recommends stronger algorithms and TLS for real security.

Apache HTTPD: examples include legacy intranet portals

Another cluster of examples of digest authentication example usage lives in older Apache deployments. Many intranet apps built in the 2000s still use Apache’s mod_auth_digest.

A typical Apache config snippet:

<Location "/intranet">
    AuthType Digest
    AuthName "intranet-realm"
    AuthDigestDomain /intranet
    AuthUserFile /etc/httpd/conf/digest-users
    Require valid-user
</Location>

The password file is generated with htdigest:

htdigest -c /etc/httpd/conf/digest-users intranet-realm alice

This produces the same style of username:realm:md5hash entry. This is one of the best examples of digest authentication example configuration you’ll still encounter on-prem in large organizations that have not fully refactored their intranet stacks.

curl and Postman: client-side examples of digest authentication example testing

You can’t talk about examples of digest authentication example usage without showing how to test it.

With curl, digest auth is almost boringly simple:

curl --digest -u admin:password https://api.example.com/admin/info

Here, --digest tells curl to respond to a digest challenge, and -u provides username and password. This is one of the fastest real examples for verifying a server’s configuration.

Postman offers a more visual example of digest authentication. In the Authorization tab, set type to Digest Auth, then fill in:

• Username and password
• Realm (optional; Postman can infer it from the challenge)
• Nonce, nonce count, client nonce, and algorithm (usually auto-filled)

Hit Preview Request and Postman shows the constructed Authorization: Digest ... header. For teams debugging an API migration away from digest to bearer tokens, this is one of the best examples of a debugging workflow: compare the digest header from Postman with what your custom client is generating.

Language SDKs: examples include Python, Node.js, and Java

Many HTTP client libraries still support digest auth because of long-tail demand. Here are a few real examples you can drop into existing projects.

Python requests digest auth example

import requests
from requests.auth import HTTPDigestAuth

url = "https://api.example.com/protected/data"
response = requests.get(url, auth=HTTPDigestAuth("alice", "s3cret"))

print(response.status_code)
print(response.json())

This is a clean example of digest authentication in Python. The library handles nonce, cnonce, and the MD5 calculations behind the scenes.

Node.js with node-fetch and digest-fetch

import fetch from 'node-fetch';
import DigestFetch from 'digest-fetch';

const client = new DigestFetch('alice', 's3cret');

const res = await client.fetch('https://api.example.com/protected/data');
const data = await res.json();
console.log(data);

This shows how modern JavaScript stacks still surface examples of digest authentication example integrations, mostly to talk to older services.

Java with Apache HttpClient

CloseableHttpClient client = HttpClients.custom().build();

CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
    new AuthScope("api.example.com", 443),
    new UsernamePasswordCredentials("alice", "s3cret")
);

HttpClientContext context = HttpClientContext.create();
context.setCredentialsProvider(credsProvider);

HttpGet request = new HttpGet("https://api.example.com/protected/data");
try (CloseableHttpResponse response = client.execute(request, context)) {
    System.out.println(response.getStatusLine());
}

This Java snippet is a realistic enterprise example of digest authentication, especially in integration middleware that has to talk to older partner APIs.

API gateway and reverse proxy: examples of digest authentication example migration

In 2024–2025, one of the more interesting examples of digest authentication example patterns is not using digest directly in your app at all. Instead, you terminate digest at a reverse proxy or API gateway and translate it to something more modern internally.

For instance, you might have:

• External clients using digest auth to talk to an Nginx or Envoy proxy
• The proxy validating the digest credentials against a user store
• The proxy forwarding the request to your microservices with a short-lived JWT in an Authorization: Bearer header

This hybrid pattern shows up in enterprises where you cannot break old clients but you want modern, token-based identity inside the cluster. It’s a pragmatic example of how digest authentication survives as an edge compatibility layer rather than as a first-class design choice.

Security guidance from organizations like CISA and NIST has pushed many teams toward TLS plus token-based auth instead of digest, but real systems often need transitional patterns like this for years.

Digest vs Basic vs Bearer: real-world comparison examples

If you’re trying to decide whether to keep digest or migrate, it helps to look at real examples of how it compares to other methods.

• With Basic auth, the client sends Authorization: Basic base64(username:password) on every request. Without TLS, that’s basically plain text.
• With Digest auth, the client sends a hash that includes the password, realm, method, URI, nonce, and counters. Passwords are not sent directly, but MD5 is dated.
• With Bearer tokens (like OAuth 2.0 access tokens or JWTs), the client sends a signed token that proves prior authentication. The server validates the token signature and claims.

In modern API security recommendations, including guidance from NIST SP 800-63, digest is rarely presented as a preferred option. Still, many examples of digest authentication example deployments remain in:

• Closed, internal networks with legacy devices
• Environments where upgrading firmware is expensive or risky
• Simple admin panels where the threat model is limited and TLS is enforced

These are not the best options for new projects, but they are honest, real examples of how digest persists.

2024–2025 trends: where digest authentication still appears

If you scan modern API ecosystems, examples include:

• Industrial and IoT gear: PLCs, cameras, and sensors that ship with HTTP interfaces using digest auth. Vendors typically prioritize stability over constant protocol churn.
• Legacy enterprise APIs: SOAP or XML-RPC services that were never rewritten and still use Apache or IIS with digest enabled.
• On-prem monitoring tools: Older versions of monitoring dashboards and SNMP-over-HTTP bridges that rely on digest for quick protection.

The trend line is clear: new public APIs almost never adopt digest; they go straight to OAuth 2.0, OpenID Connect, or signed requests. But if you work in infrastructure, you will keep encountering examples of examples of digest authentication example setups for at least the rest of this decade.

The smart move in 2024–2025 is to:

• Wrap digest behind TLS at all times
• Limit digest to low-privilege, low-impact endpoints
• Plan migrations to token-based schemes for anything that matters

Security tips illustrated with real examples

Because MD5 is considered weak, digest’s security story depends heavily on context. Consider these real examples:

• An internal status page for a development cluster, protected by digest over HTTPS, with random, long passwords. Risk is relatively low.
• A public-facing API that controls financial transactions, using digest over HTTP without TLS. This is a terrible example of digest authentication usage; traffic can be intercepted and replayed.
• An IoT camera exposed to the internet with default digest credentials like admin:admin. This is the sort of setup that ends up in botnets and shows why default passwords are a bad idea. Security orgs and researchers, including teams referenced by US-CERT, have repeatedly warned about these patterns.

If you’re forced to keep digest around, use these examples of good practice:

• Always pair digest with HTTPS
• Rotate passwords regularly
• Restrict IP ranges where possible
• Log failed attempts and watch for brute-force patterns

FAQ: common questions and examples

What are some real examples of digest authentication in production systems?

Realistic examples of digest authentication today include older Apache-based intranet portals, Nginx-protected admin areas, IoT device dashboards, and legacy SOAP APIs that have not been migrated to OAuth. These are often wrapped in TLS and sometimes hidden behind VPNs or corporate networks.

Can you give an example of migrating from digest to bearer tokens?

A practical example of migration is adding an API gateway that accepts digest from old clients, validates it against your user store, then issues a short-lived JWT. New clients talk directly with bearer tokens, while old ones continue using digest until they’re upgraded.

Are there best examples of when digest auth is still acceptable?

The best examples are narrow: internal tools, low-risk admin interfaces, and constrained environments where you control both client and server and already enforce HTTPS. Anything touching money, health data, or regulated information should move toward stronger, modern methods aligned with guidance from bodies like NIST and, for health data, frameworks referenced by organizations such as HHS.gov.

Is digest authentication considered secure in 2025?

Digest is better than Basic over plain HTTP, but it’s not aligned with modern best practices. MD5 is outdated, and the protocol lacks many features that token-based systems provide. When you see examples of digest authentication example deployments in 2025, they are usually legacy or transitional rather than forward-looking designs.

In short, digest authentication lives on in the margins: legacy APIs, embedded devices, and admin panels. Understanding these examples of examples of digest authentication example setups helps you keep them running safely today while you plan a more modern future for your APIs.