Basic Auth Header Generator
Build and decode HTTP Basic authentication headers from a username and password, entirely in your browser.
HTTP Basic authentication is the simplest credential scheme defined for the web, specified in RFC 7617. To authenticate, a client combines a username and password into a single string separated by a colon, base64-encodes that string, and sends it in an Authorization header prefixed with the word Basic. A request to a protected endpoint therefore carries a header such as Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l. Because the scheme is built into virtually every HTTP client, library, and API gateway, it remains a common choice for internal services, scripts, webhooks, and quick API testing where a full token-based flow would be overkill.
Frequently asked questions
Are my username and password sent anywhere?
How is a Basic auth header constructed?
Is Basic authentication secure?
What happens if my password contains a colon?
Does it handle non-ASCII characters correctly?
Can I decode a token I already have?
Why does decoding sometimes fail or show no colon?
How do I use the generated header with curl?
About Basic Auth Header Generator
This generator turns a username and password into both the complete Authorization header and the bare base64 token, each with its own copy button so you can drop the value straight into curl, Postman, a fetch call, or a config file. It uses a UTF-8-safe encoder, which matters because plain base64 in the browser only handles Latin-1 characters by default. If your username or password contains accented letters, emoji, or any non-ASCII character, the tool encodes the bytes correctly so the receiving server reconstructs the exact credentials you typed. The reverse direction is supported too: paste a base64 token or a full Authorization header and the tool splits it back into the username and password it represents.
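The encode and decode directions described above, as an added example that is not the tool's own code: the function names are assumptions, and it uses only the standard TextEncoder, TextDecoder, btoa and atob. It splits on the first colon so a password may contain colons, and it rejects input that is not base64, not valid UTF-8, or has no colon.

```javascript
// Added example; function names are illustrative, not the tool's own.

// Build the base64 token for "username:password" from UTF-8 bytes.
function encodeBasic(username, password) {
  // RFC 7617: the first colon is the separator, so a user-id cannot contain one.
  if (username.includes(":")) throw new Error("username must not contain ':'");
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  // btoa() only accepts code points 0-255, so pass it one character per byte.
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Full header value, ready for an Authorization header.
function buildHeader(username, password) {
  return `Basic ${encodeBasic(username, password)}`;
}

// Accept a bare token or a full header; return { username, password }.
function decodeBasic(input) {
  let token = input.trim().replace(/^Authorization:\s*/i, "");
  const m = /^Basic\s+(.*)$/i.exec(token);
  if (m) token = m[1].trim();

  let binary;
  try {
    binary = atob(token);
  } catch {
    throw new Error("token is not valid base64");
  }
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));

  let text;
  try {
    // fatal: true rejects invalid UTF-8 instead of silently inserting U+FFFD.
    text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  } catch {
    throw new Error("decoded bytes are not valid UTF-8");
  }

  // Split on the FIRST colon only: everything after it is the password.
  const i = text.indexOf(":");
  if (i === -1) throw new Error("no colon separator in decoded credentials");
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}
```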
Everything happens locally in your browser. The credentials you enter are never uploaded, transmitted, or stored on any server, which makes the tool safe for real usernames and passwords during development and debugging. That said, Basic authentication offers no confidentiality on its own. The base64 step is reversible by anyone, so it is encoding, not encryption. Basic auth should only ever be sent over HTTPS, where TLS protects the header in transit. Use this tool to construct headers for testing and to inspect tokens you have received, and keep production credentials in a proper secret store rather than hard-coded in scripts.
The oldest authentication scheme still on the web
HTTP Basic authentication dates back to the original HTTP/1.0 specification in 1996 and has survived essentially unchanged ever since. Its mechanism is almost comically simple: take a username and password, glue them together with a colon, base64-encode the result, and send it. There is no hashing, no nonce, no challenge-response handshake of the kind found in Digest authentication. The base64 step exists purely to make arbitrary credential bytes safe to place in an HTTP header, not to hide anything.
That simplicity is exactly why it remains everywhere. Almost every HTTP library exposes a one-line helper for it, API gateways and reverse proxies support it natively, and developers can construct the header by hand when debugging. Internal microservices, monitoring endpoints, package registries, and countless legacy systems still rely on it because it is universally understood and requires no extra infrastructure. The catch is that the credentials travel on every single request, so the security of the whole scheme rests entirely on the transport layer underneath it.
The famous example credentials aladdin and opensesame, which appear in RFC 7617 and in many tutorials, are a nod to the tale of Ali Baba and the forty thieves, where opensesame is the magic phrase that opens the hidden cave. It is a fitting metaphor for an authentication scheme: speak the right secret and the door swings open. The story and the scheme share the same lesson: a spoken or transmitted secret is only as safe as the ears that might be listening, which is why Basic auth belongs strictly inside an HTTPS tunnel.