What Is an Authentication Header? Everything You Need to Know

Updated on Jul 9, 2026 by Amy Clark

Authentication header is a term that can refer to two different technologies, which often causes confusion. In networking, it usually refers to the Authentication Header (AH) protocol in IPsec. In web applications, people sometimes use the term to refer to the HTTP authorization header. 

Understanding the difference between these terms is important because they serve different purposes. In this guide, we’ll explain what an Authentication Header (AH) protocol is, how it works, and how it differs from the HTTP authorization header.

The Authentication Header (AH) Explained

An Authentication Header (AH) is one of the protocols in the Internet Protocol Security (IPsec) suite. The IPsec suite helps protect IP network communications by providing services such as authentication, integrity checking, and encryption. It’s commonly used to help secure network traffic, including many virtual private network (VPN) connections. 

The Authentication Header adds a security header to IP packets and supports both IPv4 and IPv6 networks. The AH contains information that allows the receiving device to confirm packet data came from the expected sender and wasn’t modified during transit.

Authentication Header vs. HTTP Authorization Header

The Hypertext Transfer Protocol (HTTP) Authorization header carries authentication credentials, such as a username and password, which clients can send with an HTTP request. Unlike AH, it doesn’t verify packet integrity. Instead, it helps a server verify the identity of the user or application making the request.

The table below summarizes the main differences between these technologies:

Authentication HeaderHTTP Authorization Header
Part of the IPsec protocol suitePart of the HTTP protocol
Verifies packet authenticity and integrityCarries credentials in HTTP requests
Operates at the network layerOperates at the application layer
Used in IPsec communicationsUsed by websites, APIs, and web applications

How Do Authentication Headers Work?

When a device sends an IP packet with an Authentication Header, it adds additional authentication information before transmission. 

Flow diagram showing how an Authentication Header is added to an IP packet before transmission.

This information helps the receiving device:

  • Identify which IPsec security settings apply to the packet.
  • Detect duplicate packets that could indicate a replay attack.
  • Verify that there were no modifications to the packet during transit.

When the packet reaches its destination, the receiving device calculates its own integrity check value (ICV) and compares it with the ICV included in the Authentication Header. If the values match, the device continues to process the packet normally. If they don’t, the receiving device discards the packet.

What’s Included in an Authentication Header?

The AH contains several fields that help receiving devices validate incoming packets. Here’s a summary of the most important ones:

FieldPurpose
Next headerIndicates which protocol the receiving device should process after reading the Authentication Header, such as TCP or UDP.
Security parameters index (SPI)Identifies which IPsec security settings the receiving device should use to process the packet.
Sequence numberAssigns each packet a unique number so the receiving device can detect if an attacker has captured and resent an old packet in a replay attack.
Authentication data (ICV)Contains a cryptographic value that the receiving device compares with its own calculation to detect whether there were any modifications to the packet data.

How Authentication Headers Are Used

Authentication Headers support two modes of operation. In each mode, the sending device handles the packet differently:

  1. Transport mode: Adds the Authentication Header to the original IP packet. This mode is typically used when two devices communicate directly.
  2. Tunnel mode: Places the original IP packet inside a new IP packet. This process, known as encapsulation, helps protect the original packet while it travels between devices.

Although authentication headers remain part of the IPsec protocol suite, most modern IPsec deployments use encapsulating security payload (ESP) because it provides authentication, integrity protection, and optional encryption in a single protocol. 

In some situations, you can use Authentication Headers when packet authenticity and integrity need verification without encrypting the packet contents. That said, network administrators might use them alongside ESP when security requirements need additional authentication of IP header information, although this is less common today.

Authentication Header Limitations

One of the biggest limitations of Authentication Headers is that they aren’t fully compatible with Network Address Translation (NAT)

NAT changes parts of an IP packet as it passes through a network, which can cause the AH integrity check to fail, even if the packet hasn’t been maliciously altered. As a result, the receiving device may discard the packet.

FAQ

What is an authentication header?

An authentication header is information added to network traffic or web requests to help verify identity. In networking, it usually refers to the IPsec Authentication Header (AH). In web applications, it can also refer to the HTTP Authorization header, which carries authentication credentials.

What is an HTTP Authorization header?

The HTTP Authorization header carries credentials, such as a username and password, that a server uses to authenticate a user or application making an HTTP request. 

What is an IPSec Authentication Header?

An IPsec Authentication Header (AH) is one of the security protocols in the IPsec suite. Its purpose is to help verify that IP packet data is authentic and hasn’t changed while traveling across a network.

How does a VPN use authentication headers for security?

Most modern IPsec VPNs use encapsulating security payload (ESP) instead of Authentication Headers (AH) because ESP provides optional encryption. IPsec still supports AH and network administrators may use it alongside ESP or in specific deployments where packet authenticity and integrity don’t need encryption.

Is an authentication header required while using a VPN?

No. Most IPsec VPNs use ESP, which provides authentication, integrity protection, and optional encryption. Authentication Headers (AH) remain part of IPsec but aren’t required for VPN connections.