How is the Basic Auth value built?

The username and password are joined with a colon (username:password) and Base64-encoded. The result is prefixed with "Basic " to form the Authorization header value.

Is Basic Auth secure?

Base64 is encoding, not encryption — anyone can decode it. Basic Auth is only safe over HTTPS, which encrypts the header in transit. Never use it over plain HTTP.

Is my password sent anywhere?

No. Encoding happens entirely in your browser with the built-in btoa function — your credentials never leave your device.

Can the password contain a colon?

Yes. Only the first colon separates the username from the password, so colons inside the password are preserved correctly after encoding and decoding.

Why does my header differ from an online decoder’s expectation?

The credentials are UTF-8 encoded before Base64, which is the correct behaviour for non-ASCII characters. Tools that assume Latin-1 may show a different string for accented usernames or passwords.

Should I reuse the same Basic Auth header everywhere?

Treat the generated value as a secret. Because it encodes your real credentials, avoid committing it to version control or sharing it, and rotate the underlying password if it is exposed.

Basic Auth Header Generator

Enter a username and password to get the ready-to-paste Authorization: Basic header and curl snippet — encoded entirely in your browser.

Updated June 2026

Files never leave your browser

Username

Password

Enter a username and password to generate the header.

How to use Basic Auth Header Generator

The Basic Auth Header Generator builds an HTTP Basic Authentication header from a username and password, encoding it locally in your browser. It joins the credentials with a colon, Base64-encodes them, and prefixes the result with "Basic " to produce the exact value you place in an Authorization header. You get both the ready-to-paste header and a matching curl command. Because encoding happens entirely client-side with the built-in btoa function, your credentials are never transmitted anywhere.

Enter the username in the username field.
Enter the password, optionally clicking "Show" to confirm it.
The Authorization header and curl example update automatically.
Copy the Authorization header to paste into your HTTP client or config.
Use the curl snippet to test the request directly from a terminal.

Your data never leaves your device — 100% private processing.

How HTTP Basic Authentication works

Basic Authentication is defined in RFC 7617 as the simplest HTTP auth scheme. The client concatenates the username and password with a single colon, Base64-encodes the resulting UTF-8 bytes, and sends them in an Authorization header as "Basic " followed by the encoded string. The server decodes the value, splits on the first colon, and checks the credentials. Because the username cannot contain a colon (the first colon is treated as the separator) while the password can, credentials with colons in the password still work correctly. The scheme is stateless — the header is sent with every request rather than establishing a session.

Building a Basic Auth header
Step	Example
Combine credentials	aladdin:opensesame
Base64 encode	YWxhZGRpbjpvcGVuc2VzYW1l
Add scheme prefix	Basic YWxhZGRpbjpvcGVuc2VzYW1l
Send as header	Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

Security considerations you must not ignore

Base64 is an encoding, not encryption — anyone who intercepts the header can decode the username and password instantly. This means Basic Auth is only safe over HTTPS, where TLS encrypts the entire request including the header in transit. Never send Basic Auth over plain HTTP, and avoid putting credentials in URLs where they can be logged. For anything beyond simple internal tooling or quick tests, prefer token-based schemes such as OAuth 2.0 bearer tokens or API keys with scoped permissions, which can be rotated and revoked without changing a user’s password. Treat any generated header containing real credentials as a secret and keep it out of version control.

Worked examples

Generate a header

Inputs: aladdin / opensesame

Result: Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

Use in curl

Inputs: user / pass

Result: curl -H "Authorization: Basic dXNlcjpwYXNz" https://example.com

Glossary

Basic Authentication: An HTTP scheme (RFC 7617) that sends Base64-encoded username:password credentials in the Authorization header.
Authorization header: The HTTP request header that carries credentials, formatted as a scheme name followed by the credential value.
Base64: A binary-to-text encoding used to represent the credential bytes as ASCII; it is reversible and not a form of encryption.
Bearer token: A token-based credential, common in OAuth 2.0, that is sent in the Authorization header as an alternative to Basic Auth.
TLS / HTTPS: Transport-layer encryption that protects the Authorization header from interception, making Basic Auth safe to use.

Frequently Asked Questions

Free · No spam

Get weekly tool tips & updates

New tools, power-user tips, and productivity hacks — delivered free every Friday.

No spam, ever. Unsubscribe with one click.

Why use Basic Auth Header Generator?

Produce a correct Authorization: Basic header from any username and password
Get a matching curl snippet you can run or paste into documentation immediately
Toggle password visibility to verify what you typed before encoding
Handles Unicode credentials correctly via UTF-8 aware Base64 encoding
Encodes entirely in your browser, so credentials never leave your device

Common use cases

Authenticate a quick API request from curl, Postman or a fetch call
Add a Basic Auth header to a CI script or webhook configuration
Document how to call a protected endpoint with example credentials
Test a server’s Basic Auth challenge during development
Generate the header value for a tool that accepts a raw Authorization string

Related Developer Tools

Base64 Encoder & Decoder

Encode text or files to Base64, or decode Base64 strings back to text. Fast, free, and runs entirely in your browser.

JWT Decoder

Decode and inspect JSON Web Tokens (JWT) online. View header, payload, and expiry. 100% client-side — your token never leaves your browser.

Hash Generator

Generate cryptographic hashes online. Support for SHA-1, SHA-256, SHA-384, and SHA-512. Instant, secure, client-side.

JSON Formatter & Validator

Format, validate, and minify JSON instantly. Includes syntax highlighting, error detection, and a collapsible tree view — free, private, in-browser.

Regex Tester

Test and debug regular expressions online. See live matches, capture groups, and replace output. Free, private, instant.

URL Encoder / Decoder

Encode and decode URLs and URL components online. Convert special characters to percent-encoding and back instantly — free, private, and fast.

Explore all Developer Tools.