What Is HTTP Basic Authentication?
HTTP Basic Authentication is the simplest form of HTTP authentication. A client sends a username and password with every request, encoded in Base64 and placed in the Authorization header. Despite its simplicity, it's widely used for API access, protecting development environments, and quick authentication needs.
How Basic Auth Works
The authentication flow:
- Client makes a request without credentials
- Server responds with 401 Unauthorized and WWW-Authenticate: Basic realm="Description"
- Client sends the request again with Authorization: Basic [base64(username:password)]
- Server decodes and verifies the credentials
- If valid, the request proceeds; if invalid, another 401 is returned
The Base64 encoding:
username: admin
password: secret123
Combined: admin:secret123
Base64: YWRtaW46c2VjcmV0MTIz
Header: Authorization: Basic YWRtaW46c2VjcmV0MTIz
The Authorization Header Format
Every Basic Auth request carries one header, and the format never changes:
Authorization: Basic <base64(username:password)>
Three parts matter: the header name Authorization, the scheme keyword Basic (capital B, then a single space), and the Base64 token. A complete example with username admin and password secret123:
GET /api/orders HTTP/1.1
Host: api.example.com
Authorization: Basic YWRtaW46c2VjcmV0MTIz
A frequent cause of 401 responses is a malformed header — a missing Basic prefix, lowercase basic on a strict server, or stray whitespace around the token. The scheme name is case-insensitive per RFC 7617, but most clients send Basic exactly as shown.
Encoding Credentials Step by Step
The token is built in three deterministic steps:
- Join username and password with a single colon: admin:secret123. The username cannot contain a colon; the password can.
- Treat that string as UTF-8 bytes.
- Base64-encode the bytes → YWRtaW46c2VjcmV0MTIz.
On the command line:
printf '%s' 'admin:secret123' | base64
# YWRtaW46c2VjcmV0MTIz
Use printf (or echo -n) instead of echo — a trailing newline changes the token and produces credentials the server will reject.
How to Decode a Basic Auth Header
Decoding is the exact reverse: take the value after Basic and Base64-decode it back to username:password.
echo 'YWRtaW46c2VjcmV0MTIz' | base64 --decode
# admin:secret123
Because anyone can do this in one step, an intercepted Authorization header amounts to fully exposed credentials. Decoding is for debugging, to verify that a client sent what you expected, never a security boundary. The generator above includes a decode mode for pasting an existing header.
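As an added example (not part of the original page or its generator), here is the server side of the flow described above in Python: parse the header, Base64-decode it, split at the first colon, verify against a hashed credential and answer 401 with a WWW-Authenticate challenge on failure. The credential store, the realm and the PBKDF2 hash (standing in for the bcrypt the page recommends, so the example needs only the standard library) are constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "Description"  # realm string from the page's example challenge

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for bcrypt so the example runs with the standard library only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

# Constructed credential store: username -> (salt, hash). The password itself is never stored.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("secret123", _SALT))}

def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header value, or None if the
    header is missing, uses another scheme, or does not decode to user:password."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # scheme keyword is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error (bad Base64) and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # split at the FIRST colon: passwords may contain colons
    return user, password

def authenticate(header: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Mimic the server step of the flow: 200 when credentials verify, otherwise 401
    with the WWW-Authenticate challenge that tells the client to retry with Basic."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic_header(header)
    if creds is None:
        return 401, challenge
    user, password = creds
    record = USERS.get(user)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    salt, expected = record if record else (_SALT, bytes(32))
    computed = _hash(password, salt)
    if record and hmac.compare_digest(computed, expected):
        return 200, {}
    return 401, challenge
```

A token produced with plain echo (YWRtaW46c2VjcmV0MTIzCg==) decodes to a password ending in a newline and is rejected, which is the failure mode the encoding section warns about.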
Basic Auth in a URL
Credentials can be embedded directly in a URL using the user:password@host form:
https://admin:secret123@api.example.com/data
A client splits off the credentials and converts them into an Authorization: Basic header for you. Three things to know before relying on it:
- Modern browsers strip credentials from the address bar and warn about embedded passwords, because the pattern is widely abused in phishing.
- The browser fetch() API ignores credentials in the URL — set the header explicitly instead.
- Credentials in URLs leak into browser history, server access logs, and Referer headers. For anything beyond a quick local test, send the header instead.
Security Considerations
Base64 Is Not Encryption
Base64 encoding is trivially reversible — it provides zero security. Anyone who intercepts the Authorization header can decode it instantly. Always use HTTPS with Basic Auth to prevent credential interception.
Without HTTPS, Basic Auth credentials are sent in plaintext over the network. This is why Basic Auth over HTTP is considered insecure for anything beyond local development.
Credential Exposure
The Authorization header is often logged by web servers, proxies, and CDNs. Ensure your logging configurations exclude sensitive headers or redact credential values.
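An added example (not from the original page) of the redaction the paragraph above asks for, in Python: it flags log lines that carry an Authorization header or URL-embedded credentials and rewrites them before they are stored, keeping the scheme word so the line stays useful for debugging. The log lines are constructed for the example.

```python
import re
from typing import List

# Authorization header: keep the scheme word (Basic, Bearer, ...), drop the credential that follows.
_AUTH_HEADER = re.compile(r"(?i)(authorization:\s*)([a-z]+)\s+([A-Za-z0-9+/=._~-]+)")
# user:password@ inside a URL authority, as in https://admin:secret123@api.example.com/data
_URL_CREDS = re.compile(r"(?i)(https?://)[^\s/@:]+:[^\s/@]*@")

# Constructed log lines in the style of an access log and an application log.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/orders HTTP/1.1" 401 "Authorization: Basic YWRtaW46c2VjcmV0MTIz"',
    'fetching https://admin:secret123@api.example.com/data',
    '10.0.0.9 - - "GET /data HTTP/1.1" 200 "Referer: https://admin:secret123@api.example.com/"',
    '10.0.0.7 - - "GET /health HTTP/1.1" 200 "Authorization: Bearer tok_constructed_123"',
    '10.0.0.8 - - "GET /health HTTP/1.1" 200 -',
]

def contains_credentials(line: str) -> bool:
    """Detect a line that would persist a reusable credential if written as-is."""
    return bool(_AUTH_HEADER.search(line) or _URL_CREDS.search(line))

def redact_line(line: str) -> str:
    """Replace the credential material with a marker; the rest of the line is kept."""
    line = _AUTH_HEADER.sub(r"\1\2 [REDACTED]", line)
    return _URL_CREDS.sub(r"\1[REDACTED]@", line)

def redact_log(lines: List[str]) -> List[str]:
    """Apply redact_line to every line before it reaches disk or a log shipper."""
    return [redact_line(line) for line in lines]
```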
No Logout Mechanism
Basic Auth has no built-in logout. Browsers cache credentials for the session. Clearing browser cache or closing the browser is required to "log out."
Credential Management
Since credentials are sent with every request, they must be stored and transmitted carefully:
- Store hashed versions server-side (bcrypt)
- Rotate credentials regularly
- Use per-client credentials (different passwords per API consumer)
When to Use Basic Auth
Appropriate uses:
- Internal tools protected behind VPN or firewall
- Simple API authentication for internal services
- Development and staging environment access control
- Quick protection for low-sensitivity resources
- Machine-to-machine API access (service accounts)
Not appropriate for:
- End-user authentication in consumer applications
- Resources accessible without HTTPS
- High-security systems requiring more sophisticated auth
- Systems that need session management or SSO
Basic Auth in Practice
Nginx Configuration
server {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
Generate the htpasswd file:
htpasswd -c /etc/nginx/.htpasswd username
Apache Configuration
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Admin Area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
Using curl
curl -u username:password https://api.example.com/endpoint
# or with explicit header
curl -H "Authorization: Basic $(echo -n 'user:pass' | base64)" https://api.example.com/endpoint
JavaScript Fetch API
const credentials = btoa('username:password');
fetch('https://api.example.com/data', {
  headers: {
    'Authorization': `Basic ${credentials}`
  }
});
Python requests
import requests
response = requests.get(
    'https://api.example.com/data',
    auth=('username', 'password')
)
Using the Basic Auth Generator
Our tool:
- Enter username and password
- Generates the Base64 credential automatically
- Shows the complete Authorization header ready to copy
- Decode mode — paste an existing Basic Auth header to see credentials
- curl command — generates the complete curl command with authentication
Use it for quickly generating auth headers during API testing, debugging authentication issues, and generating credentials for documentation examples.
Frequently Asked Questions
What is the format of a Basic Auth header?
Authorization: Basic <token>, where <token> is the Base64 encoding of username:password. For admin:secret123 the header is Authorization: Basic YWRtaW46c2VjcmV0MTIz.
How do I decode a Basic Auth header?
Remove the Basic prefix and Base64-decode the rest. echo 'YWRtaW46c2VjcmV0MTIz' | base64 --decode returns admin:secret123. No key or password is required — Base64 is reversible by anyone.
Is Basic Authentication secure?
Only over HTTPS. Credentials are encoded, not encrypted, so over plain HTTP they travel in effectively cleartext. With TLS the header is protected in transit, which makes Basic Auth acceptable for internal APIs and machine-to-machine calls.
What is the difference between Basic and Bearer authorization?
Basic sends reusable username:password credentials on every request. Bearer sends a token (often a JWT or OAuth access token) that can expire and carry scopes. Bearer suits user-facing apps; Basic is simplest for service accounts and internal tooling.
Can I put Basic Auth credentials in a URL?
Yes, as https://user:pass@host, and tools like curl convert them to a header. But browsers warn about and often ignore it, and the credentials leak into logs and history — so the header form is safer.
Why does Basic Auth fail when the password is correct?
The usual culprits are a stray newline from echo instead of echo -n/printf, a missing Basic prefix, or a colon inside the username. Re-encode with printf '%s' 'user:pass' | base64 and compare the token.