Basic Auth Generator
Generate HTTP Basic Authentication headers from a username and password. Outputs Base64, full header, curl command, and fetch example.
HTTP Basic Authentication sends a username and password in the Authorization header, encoded as Base64. This tool generates the encoded credentials, the complete header, a curl command, and a JavaScript fetch example - everything needed to make authenticated requests. All encoding happens in your browser using the native btoa function. No credentials leave your device.
About Basic Auth Generator
How Basic Auth Works
Basic Auth is defined in RFC 7617 (published September 2015, replacing the older RFC 2617 from 1999). The process has three steps: combine the username and password with a colon separator, Base64-encode that string, and prefix it with "Basic " in the Authorization header. When a server receives a request for a protected resource without credentials, it responds with HTTP 401 Unauthorized and a WWW-Authenticate: Basic header. The client then retransmits the request with the Authorization header included.
Worked example: Given the username "admin" and password "secret123", the encoding proceeds as follows:
| Step | Input | Output |
|---|---|---|
| 1. Combine | username: admin, password: secret123 | admin:secret123 |
| 2. Base64 encode | admin:secret123 | YWRtaW46c2VjcmV0MTIz |
| 3. Build header | YWRtaW46c2VjcmV0MTIz | Authorization: Basic YWRtaW46c2VjcmV0MTIz |
The server reverses this process: it extracts the Base64 string from the header, decodes it, splits on the first colon, and checks the username and password against its database. Splitting on the first colon is important - RFC 7617 explicitly allows colons in the password portion. A credential string like "admin:pass:word" splits into username "admin" and password "pass:word".
How Does Base64 Encoding Work?
Base64 converts binary data into a 64-character ASCII alphabet (A-Z, a-z, 0-9, +, /). It processes input in groups of 3 bytes (24 bits), splitting each group into four 6-bit values that each map to one of the 64 characters. When the input length is not a multiple of 3, padding characters (=) are added. One trailing byte produces two = signs; two trailing bytes produce one = sign. For example, "admin:secret123" is 15 bytes (a multiple of 3), so the Base64 output "YWRtaW46c2VjcmV0MTIz" has no padding. A shorter input like "a:b" (3 bytes) encodes to "YTpi" with no padding, but "a:bc" (4 bytes) encodes to "YTpiYw==" with two padding characters.
This tool uses the browser's native btoa() function for encoding. One limitation: btoa() only handles Latin-1 (ISO 8859-1) characters. Usernames or passwords containing characters outside this range - such as accented characters, CJK characters, or emoji - will cause a "The string to be encoded contains characters outside of the Latin1 range" error. RFC 7617 addressed this with an optional charset=UTF-8 parameter, but browser support varies. For non-ASCII credentials, a workaround is to UTF-8 encode first using TextEncoder, then convert to a binary string before calling btoa().
What the Tool Generates
| Output | Example | Use |
|---|---|---|
| Raw Base64 value | YWRtaW46c2VjcmV0MTIz | When building headers manually |
| Full Authorization header | Authorization: Basic YWRtaW46c2VjcmV0MTIz | Copy directly into HTTP client |
| curl command | curl -H "Authorization: Basic ..." https://api.example.com | Paste into terminal |
| JavaScript fetch | fetch(url, { headers: { Authorization: "Basic ..." } }) | Copy into frontend or Node.js code |
| Decoded verification | admin:secret123 | Confirm the encoding is correct |
The decoded verification output lets you double-check that the credentials were combined correctly before using the header in production. This is helpful when passwords contain special characters that might be misinterpreted.
Security Considerations
Base64 is encoding, not encryption. Anyone who intercepts the header can decode the credentials instantly. The OWASP Top 10 (2025 edition) lists authentication failures as A07, and specifically flags Basic Auth over plain HTTP as a vulnerability. Basic Auth must always be used over HTTPS.
| Risk | Mitigation |
|---|---|
| Credentials visible in request headers | Always use HTTPS - TLS encrypts the entire request including headers |
| Credentials sent on every request | Use token-based auth (JWT, OAuth) for session management instead |
| No built-in brute-force protection | Implement rate limiting and account lockout on the server |
| No logout mechanism | Browser caches credentials until the tab is closed |
| Credential replay attacks | Use short-lived tokens or mutual TLS for sensitive endpoints |
| Colon in username breaks parsing | RFC 7617 says split on the first colon only - most servers handle this correctly |
| Credentials logged in proxy/server access logs | Configure servers and proxies to redact Authorization headers from logs |
For situations where Basic Auth is too simple, the JWT Decoder tool can help inspect JSON Web Tokens used in more robust Bearer token authentication schemes. JWTs carry claims and can be verified without a database lookup, making them a common upgrade path from Basic Auth.
Basic Auth vs Other Authentication Methods
| Method | Credential Type | Stateless? | Best For |
|---|---|---|---|
| Basic Auth | Username + password (Base64) | Yes | Simple API auth, internal tools, CI/CD |
| Digest Auth | MD5 hash of credentials + nonce | Yes | Legacy systems that cannot use HTTPS |
| Bearer Token | Opaque token or JWT | Yes | API authentication with OAuth or JWT |
| API Key | Single key (header, query, or cookie) | Yes | Third-party API access, rate limiting by key |
| OAuth 2.0 | Access token + refresh token | Depends | User-facing apps, delegated access |
| Session cookie | Server-side session ID | No | Traditional web apps with server-side state |
| mTLS (mutual TLS) | Client certificate | Yes | Machine-to-machine, high-security APIs |
Basic Auth remains common because of its simplicity. There is no handshake, no token exchange, and no state to manage. For internal tools, staging environments, and quick prototypes, that simplicity outweighs the downsides. For production user-facing applications, token-based systems like OAuth 2.0 or JWT are more appropriate because they support scopes, expiration, and revocation.
Where Basic Auth Is Commonly Used
| Service | How Basic Auth Is Used |
|---|---|
| Docker Hub / container registries | docker login sends credentials via Basic Auth over HTTPS |
| npm / package registries | npm publish authenticates with Basic Auth to the registry |
| Elasticsearch / Kibana | Default authentication method for the REST API |
| Jenkins | API token sent as password with username via Basic Auth |
| Artifactory / Nexus | Repository managers use Basic Auth for artifact upload and download |
| Apache / Nginx .htpasswd | Static file serving protected by server-level Basic Auth |
| GitHub API (legacy) | Password-based Basic Auth removed November 2020, now requires personal access tokens or OAuth |
| Webhook endpoints | Simple auth for incoming webhooks from third-party services |
For generating .htpasswd files and configuring Apache or Nginx server-level auth, the .htaccess Generator tool can create rewrite rules and directory protection configs alongside Basic Auth setups.
Basic Auth in Different Languages
| Language/Tool | How to Send Basic Auth |
|---|---|
| curl | curl -u username:password https://api.example.com |
| JavaScript (fetch) | headers: { Authorization: "Basic " + btoa("user:pass") } |
| Python (requests) | requests.get(url, auth=("user", "pass")) |
| Node.js (axios) | axios.get(url, { auth: { username: "user", password: "pass" } }) |
| Go (net/http) | req.SetBasicAuth("user", "pass") |
| PHP (cURL) | curl_setopt($ch, CURLOPT_USERPWD, "user:pass") |
| Ruby (net/http) | req.basic_auth("user", "pass") |
| Java (HttpURLConnection) | conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString("user:pass".getBytes())) |
Note that curl's -u flag handles the Base64 encoding automatically. The other examples show manual encoding, which is what this tool generates for you. Most HTTP client libraries have built-in helpers for Basic Auth, so you rarely need to construct the header by hand in production code - but understanding the format helps when debugging failed authentication or reading server logs.
Testing and Debugging Basic Auth
When a Basic Auth request fails, the first thing to check is the raw header value. Decode the Base64 string and verify the username:password pair is what you expect. Common HTTP status codes related to Basic Auth:
| Status Code | Meaning | Common Cause |
|---|---|---|
| 401 Unauthorized | Missing or invalid credentials | Wrong username/password, missing Authorization header, or malformed Base64 |
| 403 Forbidden | Valid credentials but insufficient permissions | The user exists but does not have access to the requested resource |
| 407 Proxy Authentication Required | Proxy needs credentials | A forward proxy is intercepting the request and needs its own Proxy-Authorization header |
To debug in curl, add the -v (verbose) flag to see the full request headers: curl -v -u admin:secret123 https://api.example.com. This shows the exact Authorization header being sent. In browser DevTools, check the Network tab and look at the Request Headers section for the Authorization header. If the header is missing, the browser may not have received the 401 challenge or the credentials were rejected on a previous attempt.
A useful debugging technique is to decode the Base64 value from a failing request using the Base64 Encoder/Decoder. Paste the encoded string and verify it decodes to the expected username:password pair. Whitespace or newline characters accidentally included in the credentials are a frequent cause of failed authentication.
Common Mistakes with Basic Auth
A few pitfalls trip up developers regularly when working with Basic Auth headers:
- Forgetting the space after "Basic" - The header value is "Basic YWRtaW46..." not "BasicYWRtaW46...". The space is mandatory per the spec.
- Double-encoding - Some HTTP libraries automatically add the Authorization header when given credentials. Manually adding a Base64-encoded header on top results in double-encoded credentials that the server cannot parse.
- Using HTTP instead of HTTPS - Base64 is not encryption. Sending Basic Auth over plain HTTP exposes credentials to anyone on the network.
- Hardcoding credentials in source code - Store credentials in environment variables or a secrets manager, never in code repositories. Git history preserves secrets even after they are removed from the latest commit.
- Not URL-encoding special characters in curl -u - Characters like @, :, and # in passwords can confuse curl's URL parser. Wrap the credentials in quotes or use the --user flag separately.
- Ignoring the charset parameter - RFC 7617 introduced charset=UTF-8 for non-ASCII credentials, but many clients and servers do not implement it. Stick to ASCII characters in credentials when possible to avoid interoperability issues.
- Not rotating credentials - Unlike tokens, Basic Auth credentials tend to be long-lived. Set up credential rotation schedules, especially for service accounts and CI/CD pipelines.
- Sharing credentials across environments - Development, staging, and production should each have unique credentials. Reusing the same username and password across environments means a leak in one environment compromises all of them.
For encoding arbitrary data as Base64 (not just auth credentials), the Base64 Encoder/Decoder handles text and binary input. For generating secure passwords to use with Basic Auth, the Password Generator creates random strings with configurable length and character sets.
Sources
Frequently Asked Questions
What is HTTP Basic Authentication?
Basic Auth is a simple authentication scheme built into HTTP. The client sends a header containing the word Basic followed by a Base64-encoded string of the username and password joined with a colon (username:password).
Is Basic Auth secure?
Basic Auth only encodes credentials in Base64, which is trivially reversible. It provides no encryption on its own. You must always use HTTPS to protect Basic Auth credentials in transit.
When should I use Basic Auth?
Basic Auth works well for simple API authentication, internal tools, CI/CD webhooks, and quick prototypes. For user-facing applications, token-based auth like JWT or OAuth is generally preferred.
Does this tool send my credentials anywhere?
No. All encoding runs entirely in your browser using the built-in btoa function. Nothing is sent to any server.
What characters are allowed in the username and password?
Any characters that can be Base64-encoded are supported. However, some servers have restrictions on special characters. The colon character in the username may cause issues since the colon is used as the separator between username and password.
Related Tools
Link to this tool
Copy this HTML to link to this tool from your website or blog.
<a href="https://toolboxkit.io/tools/basic-auth-generator/" title="Basic Auth Generator - Free Online Tool">Try Basic Auth Generator on ToolboxKit.io</a>