[[http-clients]] === HTTP/REST clients and security The {es} {security-features} work with standard HTTP https://en.wikipedia.org/wiki/Basic_access_authentication[basic authentication] headers to authenticate users. Since Elasticsearch is stateless, this header must be sent with every request: [source,shell] -------------------------------------------------- Authorization: Basic <1> -------------------------------------------------- <1> The `` is computed as `base64(USERNAME:PASSWORD)` Alternatively, you can use <>. [discrete] [[http-clients-examples]] ==== Client examples This example uses `curl` without basic auth to create an index: [source,shell] ------------------------------------------------------------------------------- curl -XPUT 'localhost:9200/idx' ------------------------------------------------------------------------------- [source,js] ------------------------------------------------------------------------------- { "error": "AuthenticationException[Missing authentication token]", "status": 401 } ------------------------------------------------------------------------------- Since no user is associated with the request above, an authentication error is returned. Now we'll use `curl` with basic auth to create an index as the `rdeniro` user: [source,shell] --------------------------------------------------------- curl --user rdeniro:taxidriver -XPUT 'localhost:9200/idx' --------------------------------------------------------- [source,js] --------------------------------------------------------- { "acknowledged": true } --------------------------------------------------------- [discrete] [[http-clients-secondary-authorization]] ==== Secondary authorization Some APIs support secondary authorization headers for situations where you want tasks to run with a different set of credentials. For example, you can send the following header in addition to the basic authentication header: [source,shell] -------------------------------------------------- es-secondary-authorization: Basic <1> -------------------------------------------------- <1> The `` is computed as `base64(USERNAME:PASSWORD)` The `es-secondary-authorization` header has the same syntax as the `Authorization` header. It therefore also supports the use of <>. For example: [source,shell] -------------------------------------------------- es-secondary-authorization: ApiKey <1> -------------------------------------------------- <1> The `` is computed as `base64(API key ID:API key)` [discrete] [[http-clients-libraries]] ==== Client libraries over HTTP For more information about using {security-features} with the language specific clients, refer to: * {java-rest}/_basic_authentication.html[Java] * {jsclient-current}/auth-reference.html[JavaScript] * https://www.elastic.co/guide/en/elasticsearch/client/net-api/master/configuration-options.html[.NET] * https://metacpan.org/pod/Search::Elasticsearch::Cxn::HTTPTiny#CONFIGURATION[Perl] * https://www.elastic.co/guide/en/elasticsearch/client/php-api/master/security.html[PHP] * https://elasticsearch-py.readthedocs.io/en/master/#ssl-and-authentication[Python] * https://github.com/elasticsearch/elasticsearch-ruby/tree/master/elasticsearch-transport#authentication[Ruby]