HTTP Basic Auth Header Generator

Generate or decode HTTP Basic Authentication headers. Get the Authorization header, cURL command, and ready-to-use code snippets.

How to Use the Basic Auth Header Generator

  1. Generate mode: Enter your username and password. The Authorization header, cURL command, and encoded value are generated instantly.
  2. Decode mode: Paste a Basic dXNlcjpwYXNz header value to extract the original username and password.
  3. Code Snippets mode: Get ready-to-use code for JavaScript fetch, Python requests, and cURL in both forms.
  4. Show/hide password: Use the eye icon to reveal or mask the password field while typing.
  5. Copy buttons: Each output block has its own Copy button for quick clipboard access.

What is HTTP Basic Authentication?

HTTP Basic Authentication is the simplest and oldest authentication mechanism defined in the HTTP specification (RFC 7617). When a server requires Basic Auth, it sends a WWW-Authenticate: Basic realm="..." response header. The client then joins the username and password as username:password, Base64-encodes the result, and sends it in the Authorization: Basic <token> request header on every subsequent request.

Basic Auth is still in widespread use today, particularly for:

  • Internal APIs and microservices within trusted networks
  • CI/CD pipelines authenticating to artifact registries (npm, Maven, Docker Hub)
  • Legacy SOAP and REST APIs from the pre-OAuth era
  • HTTP proxy authentication (Proxy-Authorization header)
  • Static site access control (Netlify, Cloudflare Pages password protection)

How the Header is Constructed

The algorithm is deliberately simple:

  1. Concatenate username, a colon, and password: username:password
  2. Base64-encode the result using the standard alphabet (RFC 4648)
  3. Prefix with Basic (note the space): Basic dXNlcjpwYXNz
  4. Set this as the value of the Authorization HTTP request header

In JavaScript this is simply btoa(username + ':' + password); in Python it is base64.b64encode(f"{user}:{pwd}".encode()).decode().

Security Considerations

Base64 is an encoding scheme, not an encryption scheme. Anyone who intercepts a Basic Auth header can decode the credentials in seconds. This means Basic Auth is only safe when used exclusively over HTTPS/TLS. Never use Basic Auth over plain HTTP in production — the credentials will be visible to any network observer. For public-facing APIs with external users, prefer Bearer tokens (JWT), API keys, or OAuth 2.0. For machine-to-machine authentication inside a private network over TLS, Basic Auth is a pragmatic and simple choice.

Colons in Passwords

The HTTP spec states that only the first colon in the decoded string separates the username from the password. This means usernames cannot contain colons, but passwords can. A password like p:a:s:s with username user encodes to user:p:a:s:s, and when decoded the username is everything before the first colon and the password is everything after it.

Unicode and Non-ASCII Characters

The original HTTP Basic Auth spec (RFC 2617) assumed ASCII-only credentials. RFC 7617 (2015) updated the spec to support UTF-8 encoded credentials, but not all servers implement this. If you use non-ASCII characters (accented letters, CJK characters, emoji) in credentials, verify that your server supports UTF-8; a server that does can advertise it with the charset="UTF-8" parameter in its WWW-Authenticate challenge. JavaScript's btoa() throws for characters above U+00FF and encodes the remaining non-ASCII characters as single Latin-1 bytes rather than UTF-8, so you need to encode to UTF-8 bytes first using encodeURIComponent and unescape (unescape is deprecated; TextEncoder produces the same bytes).
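The construction steps, the first-colon rule and the UTF-8 handling described above, combined in one added example (not code from this tool). The function names are illustrative, and TextEncoder/TextDecoder are used in place of the encodeURIComponent/unescape idiom:

```javascript
// Added example: RFC 7617 header construction and parsing with UTF-8 credentials.
// buildBasicAuth / parseBasicAuth are illustrative names, not a library API.

function buildBasicAuth(username, password) {
  // A colon in the username would be read back as part of the password.
  if (username.includes(':')) {
    throw new Error('username must not contain a colon');
  }
  // Encode to UTF-8 bytes first, then map each byte to one char for btoa().
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return 'Basic ' + btoa(binary);
}

function parseBasicAuth(headerValue) {
  // Scheme name is case-insensitive; token must be standard-alphabet Base64.
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!m || m[1].length % 4 !== 0) return null;
  let binary;
  try {
    binary = atob(m[1]);
  } catch {
    return null;
  }
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  let text;
  try {
    // fatal: true rejects byte sequences that are not valid UTF-8.
    text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch {
    return null;
  }
  // Only the FIRST colon separates username from password.
  const i = text.indexOf(':');
  if (i < 0) return null;
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}
```

Returning null for malformed input lets a server answer with a plain 401 instead of surfacing a decoding exception.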

Using Basic Auth with cURL

cURL offers two ways to send Basic Auth. The -u username:password flag lets cURL handle the encoding automatically. Alternatively, you can construct the header manually with -H "Authorization: Basic <token>". The -u form is more readable; the -H form is useful when you already have the encoded token and want to keep the raw credentials out of shell history. The token is still only Base64, so a command line that contains it needs the same protection as one that contains the password. Both approaches are shown in the Code Snippets tab above.
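Because either cURL form leaves a recoverable credential wherever the command is recorded, the following added example (not part of this tool) scans log or shell-history text for both forms and redacts them. The function name, regular expressions and sample lines are constructed for illustration:

```javascript
// Added example: find and redact Basic credentials in log or history text.
// redactBasicAuth and SAMPLE_HISTORY are constructed for illustration.

const HEADER_RE = /(Authorization:\s*Basic\s+)([A-Za-z0-9+/]+={0,2})/gi;
// Matches -u/--user followed by an optionally quoted user:password pair.
const CURL_U_RE = /(\s(?:-u|--user)\s+)(['"]?)([^\s'":]+):([^\s'"]+)\2/g;

function redactBasicAuth(text) {
  const findings = [];
  let out = text.replace(HEADER_RE, (whole, prefix, token) => {
    let decoded;
    try {
      decoded = atob(token); // byte string; enough for ASCII usernames
    } catch {
      return whole; // not decodable Base64, leave untouched
    }
    const i = decoded.indexOf(':');
    if (i < 0) return whole; // decodes, but is not a user:password pair
    findings.push({ kind: 'header', username: decoded.slice(0, i) });
    return prefix + '[REDACTED]';
  });
  out = out.replace(CURL_U_RE, (whole, flag, quote, user) => {
    findings.push({ kind: 'curl -u', username: user });
    return `${flag}${quote}${user}:[REDACTED]${quote}`;
  });
  return { text: out, findings };
}

// Constructed sample input using the example commands from this page.
const SAMPLE_HISTORY = [
  'curl -H "Authorization: Basic dXNlcjpwYXNz" https://api.example.com',
  'curl -u user:pass https://api.example.com',
  'echo "Authorization: Basic aGVsbG8="', // decodes to "hello": no colon
].join('\n');
```

The findings list keeps the username so the affected account can be identified and its password rotated.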

Comparing Auth Schemes

Basic Auth versus alternatives:

  • Basic Auth — credentials on every request, stateless, simple, requires HTTPS, no expiry
  • Bearer Token / JWT — signed token, can encode claims and expiry, no credential exposure after login
  • API Key — single opaque string, usually in header or query param, easy to rotate
  • OAuth 2.0 — delegation, scopes, refresh tokens, complex but powerful for third-party access
  • Digest Auth — like Basic but sends a hash instead of raw credentials; mostly obsolete

For developer tooling, automation scripts, and internal services, Basic Auth remains the lowest-friction option when HTTPS is enforced. Combine it with our JWT Decoder if you need to work with both schemes on the same project.

Frequently Asked Questions

HTTP Basic Authentication is a simple authentication scheme built into the HTTP protocol. The client sends credentials (username and password) encoded in Base64 in the Authorization request header. The header looks like: Authorization: Basic dXNlcjpwYXNz. Because the credentials are only Base64-encoded (not encrypted), Basic Auth should always be used over HTTPS.

Basic Auth is only as secure as the transport layer. The credentials are Base64-encoded, which is trivially reversible — it is NOT encryption. Always use Basic Auth exclusively over HTTPS/TLS. For modern APIs, consider token-based schemes like Bearer tokens or OAuth 2.0 instead. Basic Auth is still widely used for internal APIs, CI/CD pipelines, and legacy system integrations where HTTPS is enforced.

Join the username and password with a colon (username:password), then Base64-encode the result. For example, user:pass becomes dXNlcjpwYXNz. The final header is: Authorization: Basic dXNlcjpwYXNz. In JavaScript this is btoa(username + ':' + password).

No. This tool runs 100% in your browser using JavaScript. Your username and password are never sent to any server. The Base64 encoding and decoding happens entirely client-side. There is no logging, no analytics on input values, and no server-side processing of any kind.

Yes. cURL supports Basic Auth with the -u flag: curl -u username:password https://api.example.com. Alternatively, pass the header manually: curl -H "Authorization: Basic dXNlcjpwYXNz" https://api.example.com. This tool generates both forms in the Code Snippets tab.