The basic authentication for Zuora callouts is compliant with RFC 7235 and RFC 7617.
See the following message sequence for the default flow of Zuora callout basic authentication.
- Zuora sends an HTTP request to the callout receiver with no credentials.
- The callout receiver responds to Zuora with a 401(Unauthorized) response that has a
WWW-Authenticateheader field containing at least one challenge.
- Zuora sends to the callout receiver a second request that has an
Authorizationheader field containing valid credentials.
- The callout receiver responds to Zuora with a 200 response upon validation of credentials.