In an approach to unattended authentication in HTTP using time-based one-time passwords, a request is received from a client for a Hypertext Transfer Protocol (HTTP) authentication on a server. A challenge is sent to the client, where the challenge includes a header that indicates that a Time-based One-time Password (TOTP) is to be used for the HTTP authentication. A first response is received from the client based on a first TOTP value and a shared secret, wherein the first response is encoded based on an encoding mechanism included in the header. Responsive to validating the first TOTP value and the shared secret from the client, the client is authenticated.