Basic Auth Header Generator
HTTP Basic Auth puts credentials in the Authorization header as the word Basic followed by base64(username:password). Enter a username and password below to generate the exact header value — computed locally, nothing is sent.
How to generate a Basic Auth header
Type a username and password into the fields above. As you type, the tool joins them with a colon (username:password), Base64-encodes that string, and shows the complete header — Authorization: Basic <token> — along with the token on its own. Click Copy next to whichever one you need. Everything is computed locally in your browser.
How Basic Authentication works
HTTP Basic Authentication is defined in RFC 7617. The client concatenates the user id and password with a single colon, Base64-encodes the resulting UTF-8 string, and puts it in the request header after the scheme name Basic:
Authorization: Basic dXNlcjpwYXNz
Here dXNlcjpwYXNz is simply base64("user:pass"). On the server side, the value is Base64-decoded and split on the first colon to recover the credentials. Because the username cannot contain a colon, only the first colon is treated as the separator.
With curl you can send the header directly, or let curl build it for you from a user:pass pair:
curl -H "Authorization: Basic dXNlcjpwYXNz" https://api.example.com
curl -u user:pass https://api.example.com
Is Basic Auth secure?
Only over TLS. The token is not encrypted — it is reversible Base64, so anyone who can read the request (on an open network, in logs, in a proxy) can recover the username and password instantly. Basic Auth is acceptable only when the connection is HTTPS, which encrypts the whole request including the header. Never send it over plain HTTP, and avoid logging the Authorization header. For a fuller treatment, see Base64 and HTTP Basic Auth.
Is this private?
Yes. The header is generated entirely in your browser with JavaScript — your username and password are encoded locally and nothing is uploaded to any server. You can confirm in DevTools → Network: typing credentials and generating the header fires no request. That is also why it is safe that the password is shown in plain text here.
Frequently asked questions
How do I create a Basic Auth header?
Join the username and password with a colon (username:password), Base64-encode that string, and prefix it with the word Basic. The result is Authorization: Basic <token>. Enter your credentials in the generator above and it builds the exact header for you, locally.
Is Base64 in Basic Auth encryption?
No. Base64 is an encoding, not encryption. Anyone who sees the token can decode it back to the original username and password in seconds — there is no secret key. That is exactly why Basic Auth must only be used over HTTPS.
Do I need HTTPS for Basic Auth?
Yes. Because the credentials are only Base64-encoded, not encrypted, anyone who can read the request can recover them. Always send Basic Auth over HTTPS/TLS so the header is encrypted in transit.
How do I decode a Basic Auth header?
Use the decode box below. Paste the whole header or just the Base64 token; it strips the Authorization: Basic prefix, Base64-decodes the rest, and shows the original username:password.
Decode a Basic Auth header
Already have a header or token? Paste an Authorization header or a bare Base64 token below to recover the username:password. This also runs entirely in your browser.
Need plain Base64 encode/decode?
The main base64.dev tool handles text, files, and URL-safe mode with auto-detect.
Open base64.dev →