What Is an Authentication Header? Everything You Need to Know
Authentication header is a term that can refer to two different technologies, which often causes confusion. In networking, it usually refers to the Authentication Header (AH) protocol in IPsec. In web applications, people sometimes use the term to refer to the HTTP authorization header.
Understanding the difference between these terms is important because they serve different purposes. In this guide, we’ll explain what an Authentication Header (AH) protocol is, how it works, and how it differs from the HTTP authorization header.
Table of Contents
The Authentication Header (AH) ExplainedHow Do Authentication Headers Work?
How Authentication Headers Are Used
Authentication Header Limitations
FAQ
The Authentication Header (AH) Explained
An Authentication Header (AH) is one of the protocols in the Internet Protocol Security (IPsec) suite. The IPsec suite helps protect IP network communications by providing services such as authentication, integrity checking, and encryption. It’s commonly used to help secure network traffic, including many virtual private network (VPN) connections.
The Authentication Header adds a security header to IP packets and supports both IPv4 and IPv6 networks. The AH contains information that allows the receiving device to confirm packet data came from the expected sender and wasn’t modified during transit.
Authentication Header vs. HTTP Authorization Header
The Hypertext Transfer Protocol (HTTP) Authorization header carries authentication credentials, such as a username and password, which clients can send with an HTTP request. Unlike AH, it doesn’t verify packet integrity. Instead, it helps a server verify the identity of the user or application making the request.
The table below summarizes the main differences between these technologies:
| Authentication Header | HTTP Authorization Header |
| Part of the IPsec protocol suite | Part of the HTTP protocol |
| Verifies packet authenticity and integrity | Carries credentials in HTTP requests |
| Operates at the network layer | Operates at the application layer |
| Used in IPsec communications | Used by websites, APIs, and web applications |
How Do Authentication Headers Work?
When a device sends an IP packet with an Authentication Header, it adds additional authentication information before transmission.

This information helps the receiving device:
- Identify which IPsec security settings apply to the packet.
- Detect duplicate packets that could indicate a replay attack.
- Verify that there were no modifications to the packet during transit.
When the packet reaches its destination, the receiving device calculates its own integrity check value (ICV) and compares it with the ICV included in the Authentication Header. If the values match, the device continues to process the packet normally. If they don’t, the receiving device discards the packet.
What’s Included in an Authentication Header?
The AH contains several fields that help receiving devices validate incoming packets. Here’s a summary of the most important ones:
| Field | Purpose |
| Next header | Indicates which protocol the receiving device should process after reading the Authentication Header, such as TCP or UDP. |
| Security parameters index (SPI) | Identifies which IPsec security settings the receiving device should use to process the packet. |
| Sequence number | Assigns each packet a unique number so the receiving device can detect if an attacker has captured and resent an old packet in a replay attack. |
| Authentication data (ICV) | Contains a cryptographic value that the receiving device compares with its own calculation to detect whether there were any modifications to the packet data. |
How Authentication Headers Are Used
Authentication Headers support two modes of operation. In each mode, the sending device handles the packet differently:
- Transport mode: Adds the Authentication Header to the original IP packet. This mode is typically used when two devices communicate directly.
- Tunnel mode: Places the original IP packet inside a new IP packet. This process, known as encapsulation, helps protect the original packet while it travels between devices.
Although authentication headers remain part of the IPsec protocol suite, most modern IPsec deployments use encapsulating security payload (ESP) because it provides authentication, integrity protection, and optional encryption in a single protocol.
In some situations, you can use Authentication Headers when packet authenticity and integrity need verification without encrypting the packet contents. That said, network administrators might use them alongside ESP when security requirements need additional authentication of IP header information, although this is less common today.
Authentication Header Limitations
One of the biggest limitations of Authentication Headers is that they aren’t fully compatible with Network Address Translation (NAT).
NAT changes parts of an IP packet as it passes through a network, which can cause the AH integrity check to fail, even if the packet hasn’t been maliciously altered. As a result, the receiving device may discard the packet.
FAQ
What is an authentication header?
An authentication header is information added to network traffic or web requests to help verify identity. In networking, it usually refers to the IPsec Authentication Header (AH). In web applications, it can also refer to the HTTP Authorization header, which carries authentication credentials.
What is an HTTP Authorization header?
The HTTP Authorization header carries credentials, such as a username and password, that a server uses to authenticate a user or application making an HTTP request.
What is an IPSec Authentication Header?
An IPsec Authentication Header (AH) is one of the security protocols in the IPsec suite. Its purpose is to help verify that IP packet data is authentic and hasn’t changed while traveling across a network.
How does a VPN use authentication headers for security?
Most modern IPsec VPNs use encapsulating security payload (ESP) instead of Authentication Headers (AH) because ESP provides optional encryption. IPsec still supports AH and network administrators may use it alongside ESP or in specific deployments where packet authenticity and integrity don’t need encryption.
Is an authentication header required while using a VPN?
No. Most IPsec VPNs use ESP, which provides authentication, integrity protection, and optional encryption. Authentication Headers (AH) remain part of IPsec but aren’t required for VPN connections.