Overview#WWW-Authenticate is an HTTP Header Field which indicates the authentication scheme(s) and parameters applicable to the target resource.
WWW-Authenticate = 1#challenge
A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate HTTP Header Field containing at least one challenge. A server MAY generate a WWW-Authenticate HTTP Header Field in other response messages to indicate that supplying credentials (or different credentials) might affect the response.
A proxy forwarding a response MUST NOT modify any WWW-Authenticate fields in that response.
User agents are advised to take special care in parsing the field value, as it might contain more than one challenge, and each challenge can contain a comma-separated list of authentication parameters. Furthermore, the HTTP Header Field itself can occur multiple times.