HTTP server authentication protects a URL before the application returns the requested resource. In JMeter, the HTTP Authorization Manager supplies username and password credentials to matching HTTP Request samplers, so protected requests can authenticate without repeating the same credential fields inside every sampler.
The manager is for HTTP authentication challenges, such as Basic or Digest authentication, where a browser would normally show a username and password dialog. It is not the right element for HTML form logins, session cookies, bearer tokens, or API keys sent in custom headers.
Place the manager at the narrowest tree scope that should receive the credentials, and make the Base URL match only the protected path that needs them. JMeter saves Authorization Manager table entries, including passwords, in the .jmx file, so shared plans should use variables, disposable test accounts, or CI secret injection instead of live credentials.
Select the Thread Group when several child samplers use the same server-auth credentials. Select a controller or one sampler when only that branch should authenticate.
Base URL: https://api.example.net/private/
Username: ${auth_user}
Password: ${auth_password}
Domain:
Realm:
Mechanism: BASIC
Use BASIC for Basic authentication and DIGEST for Digest authentication when the selected HTTP sampler implementation supports it. Leave Domain and Realm blank for ordinary Basic authentication unless the target server requires those values.
JMeter checks authorization rows in order and stops at the first matching URL. A row for https://api.example.net/private/admin/ should appear above a row for https://api.example.net/private/ when the two areas need different credentials.
A control sampler that intentionally receives 401 Unauthorized proves the endpoint is protected instead of accidentally open.
auth-manager-demo.jmx
$ jmeter -n -t auth-manager-demo.jmx -l auth-manager-results.jtl -j jmeter.log Creating summariser <summary> Created the tree successfully using auth-manager-demo.jmx Starting standalone test @ 2026 Jun 30 00:11:36 GMT Waiting for possible Shutdown/StopTestNow/HeapDump/ThreadDump message on port 4445 summary = 2 in 00:00:00 = 14.3/s Avg: 29 Min: 25 Max: 33 Err: 1 (50.00%) Tidying up ... ... end of run
The single error is expected only when the plan includes a no-credentials control sampler that should be rejected with 401 Unauthorized.
Related: How to run a JMeter test from the command line
$ cat auth-manager-results.jtl timeStamp,elapsed,label,responseCode,responseMessage,threadName,dataType,success,failureMessage,bytes,sentBytes,grpThreads,allThreads,URL,Latency,IdleTime,Connect 1782778296346,25,Protected API without credentials,401,Unauthorized,Authorization smoke users 1-1,,false,,160,143,1,1,https://api.example.net/private/status,23,0,15 1782778296373,33,Protected API with Authorization Manager,200,OK,Authorization smoke users 1-1,text,true,,129,200,1,1,https://api.example.net/private/data,22,0,12
$ cat auth-server.log GET /private/status Authorization: <none> -> 401 GET /private/data Authorization: Basic <redacted> -> 200
The passing request should show an Authorization header and an authorized response. The control request should show no Authorization header and an unauthorized response.
Leaving the control sampler enabled keeps intentional 401 samples in the result file and error percentage.