HTTP server authentication protects a URL before the application returns the requested resource. In JMeter, the HTTP Authorization Manager supplies username and password credentials to matching HTTP Request samplers, so protected requests can authenticate without repeating the same credential fields inside every sampler.

The manager is for HTTP authentication challenges, such as Basic or Digest authentication, where a browser would normally show a username and password dialog. It is not the right element for HTML form logins, session cookies, bearer tokens, or API keys sent in custom headers.

Place the manager at the narrowest tree scope that should receive the credentials, and make the Base URL match only the protected path that needs them. JMeter saves Authorization Manager table entries, including passwords, in the .jmx file, so shared plans should use variables, disposable test accounts, or CI secret injection instead of live credentials.

Steps to configure the JMeter HTTP Authorization Manager:

  1. Open the test plan in the JMeter GUI and select the scope that contains the protected HTTP samplers.

    Select the Thread Group when several child samplers use the same server-auth credentials. Select a controller or one sampler when only that branch should authenticate.

  2. Add the authorization manager from AddConfig ElementHTTP Authorization Manager.
  3. Name the manager for the protected area it authenticates.
  4. Add one authorization row for the protected URL.
    Base URL: https://api.example.net/private/
    Username: ${auth_user}
    Password: ${auth_password}
    Domain:
    Realm:
    Mechanism: BASIC

    Use BASIC for Basic authentication and DIGEST for Digest authentication when the selected HTTP sampler implementation supports it. Leave Domain and Realm blank for ordinary Basic authentication unless the target server requires those values.

  5. Put specific Base URL rows above broader rows in the table.

    JMeter checks authorization rows in order and stops at the first matching URL. A row for https://api.example.net/private/admin/ should appear above a row for https://api.example.net/private/ when the two areas need different credentials.

  6. Keep public, login, token-minting, and no-credentials control samplers outside the authorization-manager scope.

    A control sampler that intentionally receives 401 Unauthorized proves the endpoint is protected instead of accidentally open.

  7. Save the test plan.
    auth-manager-demo.jmx
  8. Run a one-user non-GUI smoke test against the protected endpoint.
    $ jmeter -n -t auth-manager-demo.jmx -l auth-manager-results.jtl -j jmeter.log
    Creating summariser <summary>
    Created the tree successfully using auth-manager-demo.jmx
    Starting standalone test @ 2026 Jun 30 00:11:36 GMT
    Waiting for possible Shutdown/StopTestNow/HeapDump/ThreadDump message on port 4445
    summary =      2 in 00:00:00 =   14.3/s Avg:    29 Min:    25 Max:    33 Err:     1 (50.00%)
    Tidying up ...
    ... end of run

    The single error is expected only when the plan includes a no-credentials control sampler that should be rejected with 401 Unauthorized.
    Related: How to run a JMeter test from the command line

  9. Check the result file for the rejected control request and the authenticated request.
    $ cat auth-manager-results.jtl
    timeStamp,elapsed,label,responseCode,responseMessage,threadName,dataType,success,failureMessage,bytes,sentBytes,grpThreads,allThreads,URL,Latency,IdleTime,Connect
    1782778296346,25,Protected API without credentials,401,Unauthorized,Authorization smoke users 1-1,,false,,160,143,1,1,https://api.example.net/private/status,23,0,15
    1782778296373,33,Protected API with Authorization Manager,200,OK,Authorization smoke users 1-1,text,true,,129,200,1,1,https://api.example.net/private/data,22,0,12
  10. Check the protected endpoint log or request inspector for the received Authorization header.
    $ cat auth-server.log
    GET /private/status Authorization: <none> -> 401
    GET /private/data Authorization: Basic <redacted> -> 200

    The passing request should show an Authorization header and an authorized response. The control request should show no Authorization header and an unauthorized response.

  11. Disable or remove the no-credentials control sampler before the real load test.

    Leaving the control sampler enabled keeps intentional 401 samples in the result file and error percentage.