
Basic Auth Header Generator

Build and decode HTTP Basic authentication headers from a username and password, entirely in your browser.

HTTP Basic authentication is the simplest credential scheme defined for the web, specified in RFC 7617. To authenticate, a client combines a username and password into a single string separated by a colon, base64-encodes that string, and sends it in an Authorization header prefixed with the word Basic. A request to a protected endpoint therefore carries a header such as Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l. Because the scheme is built into virtually every HTTP client, library, and API gateway, it remains a common choice for internal services, scripts, webhooks, and quick API testing where a full token-based flow would be overkill.

Frequently asked questions

Are my username and password sent anywhere?
No. The encoding and decoding both run entirely in your browser using built-in APIs. The credentials you type are never uploaded, logged, or transmitted to any server. The tool keeps working offline once the page has loaded, so it is safe to use with real credentials during development.
How is a Basic auth header constructed?
The username and password are joined with a single colon into one string, for example aladdin:opensesame. That string is encoded as UTF-8 bytes and then base64-encoded, producing YWxhZGRpbjpvcGVuc2VzYW1l. The final header is the word Basic, a space, and that token: Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l.
Is Basic authentication secure?
Basic auth provides no confidentiality by itself. The base64 token is trivially reversible, so anyone who intercepts it learns the password instantly. It is only safe when sent over HTTPS, where TLS encrypts the entire request including the header. Never send Basic auth over plain HTTP, and prefer token-based schemes such as Bearer tokens or OAuth for anything beyond simple internal use.
What happens if my password contains a colon?
Only the first colon separates the username from the password, so a password may safely contain additional colons. The username, however, must not contain a colon, because the server splits on the first one. When decoding, this tool also splits on the first colon, preserving any further colons as part of the password.
Does it handle non-ASCII characters correctly?
Yes. The tool encodes the username and password as UTF-8 before base64, so accented letters, non-Latin scripts, and emoji are preserved exactly. Plain browser base64 only supports Latin-1 and would throw an error or corrupt such characters, so this UTF-8-safe approach matches what compliant HTTP clients and servers do under RFC 7617.
Can I decode a token I already have?
Yes. Switch to the Decode tab and paste either a bare base64 token or a full Authorization header. The tool strips the Authorization and Basic prefixes automatically, base64-decodes the value, and splits it on the first colon to show the original username and password.
Why does decoding sometimes fail or show no colon?
Decoding fails if the pasted value is not valid base64, often because of stray spaces, a truncated copy, or a different auth scheme such as Bearer. If it decodes but contains no colon, the token is probably not a Basic auth credential pair, since the scheme always embeds a username:password string.
How do I use the generated header with curl?
Copy the full header line and pass it with the -H flag, for example curl -H "Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l" https://api.example.com. Alternatively, curl can build the header for you with the -u flag: curl -u aladdin:opensesame https://api.example.com produces the same result.
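
The encode and decode rules from the answers above (UTF-8 before base64, split on the first colon only, prefix stripping, and the two failure cases) fit in two small functions. This is an added example, not the tool's own source; the names encodeBasic and decodeBasic and the shape of the returned object are assumptions made for illustration.

```javascript
// Added example, not the tool's source; encodeBasic/decodeBasic are hypothetical names.
const utf8 = new TextEncoder();
const strictUtf8 = new TextDecoder("utf-8", { fatal: true });

function encodeBasic(username, password) {
  // The receiver splits on the first colon, so a colon in the username
  // would silently shift characters into the password.
  if (username.includes(":")) throw new Error("username must not contain ':'");
  // RFC 7617 also forbids control characters in either field.
  if (/[\u0000-\u001f\u007f]/.test(username + password)) {
    throw new Error("control character in credentials");
  }
  // btoa() only accepts code points 0-255, so hand it one char per UTF-8 byte.
  let binary = "";
  for (const byte of utf8.encode(`${username}:${password}`)) {
    binary += String.fromCharCode(byte);
  }
  return `Basic ${btoa(binary)}`;
}

function decodeBasic(input) {
  // Accept "Authorization: Basic <token>", "Basic <token>" or a bare token.
  const token = input.trim()
    .replace(/^Authorization:\s*/i, "")
    .replace(/^Basic\s+/i, "")
    .trim();
  // Strict padded base64 only; "Bearer ..." or a truncated copy fails here.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(token) || token.length % 4 !== 0) {
    return { ok: false, reason: "not valid base64" };
  }
  let text;
  try {
    const bytes = Uint8Array.from(atob(token), (ch) => ch.charCodeAt(0));
    text = strictUtf8.decode(bytes); // fatal: true rejects invalid UTF-8
  } catch (err) {
    return { ok: false, reason: "not valid base64-encoded UTF-8" };
  }
  const colon = text.indexOf(":");
  if (colon === -1) {
    return { ok: false, reason: "no colon, so not a username:password pair" };
  }
  // Split on the first colon only; later colons belong to the password.
  return { ok: true, username: text.slice(0, colon), password: text.slice(colon + 1) };
}
```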

About Basic Auth Header Generator

This generator turns a username and password into both the complete Authorization header and the bare base64 token, each with its own copy button so you can drop the value straight into curl, Postman, a fetch call, or a config file. It uses a UTF-8-safe encoder, which matters because plain base64 in the browser only handles Latin-1 characters by default. If your username or password contains accented letters, emoji, or any non-ASCII character, the tool encodes the bytes correctly so the receiving server reconstructs the exact credentials you typed. The reverse direction is supported too: paste a base64 token or a full Authorization header and the tool splits it back into the username and password it represents.

Everything happens locally in your browser. The credentials you enter are never uploaded, transmitted, or stored on any server, which makes the tool safe for real usernames and passwords during development and debugging. That said, Basic authentication offers no confidentiality on its own. The base64 step is reversible by anyone, so it is encoding, not encryption. Basic auth should only ever be sent over HTTPS, where TLS protects the header in transit. Use this tool to construct headers for testing and to inspect tokens you have received, and keep production credentials in a proper secret store rather than hard-coded in scripts.

The oldest authentication scheme still on the web

HTTP Basic authentication dates back to the original HTTP/1.0 specification in 1996 and has survived essentially unchanged ever since. Its mechanism is almost comically simple: take a username and password, glue them together with a colon, base64-encode the result, and send it. There is no hashing, no nonce, no challenge-response handshake of the kind found in Digest authentication. The base64 step exists purely to make arbitrary credential bytes safe to place in an HTTP header, not to hide anything.

That simplicity is exactly why it remains everywhere. Almost every HTTP library exposes a one-line helper for it, API gateways and reverse proxies support it natively, and developers can construct the header by hand when debugging. Internal microservices, monitoring endpoints, package registries, and countless legacy systems still rely on it because it is universally understood and requires no extra infrastructure. The catch is that the credentials travel on every single request, so the security of the whole scheme rests entirely on the transport layer underneath it.

The famous example credentials aladdin and opensesame, which appear in RFC 7617 and in many tutorials, are a nod to the tale of Ali Baba and the forty thieves, where opensesame is the magic phrase that opens the hidden cave. It is a fitting metaphor for an authentication scheme: speak the right secret and the door swings open. The story and the scheme share the same lesson: a spoken or transmitted secret is only as safe as the ears that might be listening, which is why Basic auth belongs strictly inside an HTTPS tunnel.
