Request headers

Attach metadata to your requests — including authentication

⏱ Est. ~6 min

01 · Read

Every HTTP request can carry headers — key-value metadata that travels alongside the request body.

Headers tell the server things like: - Who you are (Authorization) - What format you're sending (Content-Type) - What format you want back (Accept) - Which app is calling (User-Agent)

In curl, you add a header with -H "Key: Value".

💡 Picture thisHeaders are the envelope your request travels in. The body is the letter inside. Some servers read the envelope before they even open the letter — get the envelope wrong, and the letter goes straight to the trash.

Key points

Add headers with -H "Key: Value" — you can use multiple -H flags
Authorization: Bearer TOKEN is the most common authentication pattern
Content-Type: application/json tells the server your body is JSON
Most public APIs need an Authorization header to access private data

02 · Code example

Here's what the most common headers look like in a curl command.

Authorization header

curl https://api.example.com/data \
  -H "Authorization: Bearer my-api-key-here"

Multiple headers

curl https://api.example.com/data \
  -H "Authorization: Bearer my-api-key-here" \
  -H "Accept: application/json" \
  -H "X-Request-ID: abc123"

The \ at the end of each line is a line continuation — it tells the shell the command isn't finished. It's just for readability; you could write everything on one line.

03 · Terminal exercise

First, confirm the /private endpoint blocks you without an authorization header.

(This section is interactive — please enable JavaScript.)

04 · Quiz

What's the flag to add a custom header in curl?

-d
-X
-o
-H

05 · Fill in the blank

To send an API key in a header, use: -H 'Authorization: _____ YOUR_KEY'.

06 · Terminal exercise

Now add an Authorization header. The demo key is student-demo-key.

(This section is interactive — please enable JavaScript.)

07 · Quiz

You send a request with curl to a protected API endpoint and get a 401 status code. What does this mean?

You're not authorized — the server needs an Authorization header
The server is down
The URL doesn't exist
The request body is malformed

08 · Fill in the blank

The standard pattern for sending an API key in a header is: Authorization: _____ YOUR_KEY.

Other lessons in this chapter

⚠ The full interactive experience needs JavaScript. Please enable it and reload.

※ This is an independent Traditional Chinese teaching project — not an official Anthropic product. Claude™ is a trademark of Anthropic, PBC.