ToolJutsu
All tools
Developer Tools

HTTP Basic Auth Generator

Build the HTTP Basic Auth Authorization header from a user and password.

⚠ Base64 is encoding, not encryption — anyone who sees this header can read the credentials. Always send HTTP Basic Auth over HTTPS. Prefer token-based authentication where possible.
Processed on your device. We never see your files.

How to use HTTP Basic Auth Generator

What is HTTP Basic Authentication?

HTTP Basic Authentication is the original authentication scheme of the web, standardised in RFC 7617 (which obsoleted the older RFC 2617). A client puts a username and password into a single header:

Authorization: Basic <base64(username:password)>

The server decodes the Base64, splits on the first colon, and checks the resulting credentials against whatever store it uses. There are no cookies, no tokens, no session state — the credentials are sent on every request, in full, by the client. That simplicity is both its strength and its weakness.

How the header is built

The construction is mechanical:

  1. Concatenate username, a single colon :, and password.
  2. Encode the resulting string as UTF-8 bytes.
  3. Base64-encode those bytes (standard alphabet, with padding).
  4. Prefix Basic (with the trailing space) and that is the header value.

So alice + : + s3cret! becomes YWxpY2U6czNjcmV0IQ==, which the client sends as Authorization: Basic YWxpY2U6czNjcmV0IQ==. The username may not contain a colon (the spec uses the first colon as the separator); the password may. Both should be valid UTF-8.

Important: Base64 is a transport encoding, not encryption. Anyone who intercepts the header can recover the original credentials with a single decode. This is why Basic Auth without HTTPS is effectively sending the password in cleartext.

Common use cases

  • Server-to-server APIs. A backend service calls an internal API using a dedicated robot account; Basic Auth in the request header is simple, well-understood, and easy to debug with curl.
  • Webhook receivers. A vendor needs to POST events to your endpoint; a fixed Basic-Auth credential per vendor gives you a per-source shared secret without inventing a token system.
  • Internal admin tools and dashboards. Stuck behind a VPN, on HTTPS, often the right amount of authentication for a low-traffic page nobody outside the team should reach.
  • Local development. Quickly add --user to a curl command to hit a protected dev endpoint without spinning up a full OAuth flow.
  • Legacy systems. Plenty of older SaaS APIs (especially around email, monitoring and CI) still accept or require Basic Auth, often with the API key as the username and an empty password.

How to use this HTTP Basic Auth generator

  1. Type the username into the first field and the password into the second. Both are masked by default; use the eye toggle to reveal while you check for typos.
  2. The tool builds the username:password string, Base64-encodes it, and shows the full Authorization: Basic … header in the output area. The pure encoded value is shown separately if you only need the suffix.
  3. Copy the line you need. For most clients that is the full header. For curl -u, you can ignore the encoded value and pass the raw credentials directly.
  4. To rotate credentials, change either field — the output updates live. Nothing is stored across page reloads.

Security considerations

  • Always HTTPS. Without TLS, Basic Auth is the same as putting the password in a query string. Treat any non-HTTPS endpoint with Basic Auth as compromised by default.
  • Avoid logging the header. Make sure your access logs, error trackers, and proxy logs strip or redact the Authorization header. Leaking Base64-encoded credentials into a log file is the same as leaking the credentials.
  • Per-service credentials. Don’t share one Basic-Auth credential across multiple callers — you lose the ability to rotate one without breaking the others, and you lose attribution in logs.
  • Prefer Bearer tokens for new public APIs. Basic Auth has no expiry, no scopes, and no clean revocation; a token does.
  • Rate-limit Basic Auth endpoints. Because the credential is sent on every request, brute-force attempts are easy; cap request rates per IP and per username.

Privacy

This generator runs entirely in your browser. The username and password fields are read by client-side JavaScript, joined with a colon, and passed to the browser’s built-in btoa() function. There is no upload, no server-side log, and no analytics on the values you type. You can verify in the browser’s Network tab, or simply disconnect from the network after loading the page — the tool keeps working offline.

Compatibility notes

Every HTTP client in active use accepts Authorization: Basic … exactly as produced here — curl, wget, browsers, Postman, Insomnia, HTTPie, every server-side HTTP library in Node, Python, Go, Ruby, Java, .NET and Rust. The Base64 encoding uses the standard alphabet defined in RFC 4648 §4, which is what every Base64 decoder expects. The tool needs only btoa() and basic DOM APIs and works in every browser released in the last decade.

Frequently asked questions

Is HTTP Basic Auth secure?
Only when used over HTTPS. The Authorization: Basic … header is Base64 — that is an encoding, not encryption. Anyone who can read the bytes can decode them back to username:password in a single line of Python. Over plain HTTP the credentials are effectively in cleartext for every router, proxy and observer between the client and the server. Over HTTPS the TLS layer protects them in transit, and Basic Auth becomes a reasonable choice for server-to-server calls and internal admin tooling. The rule is simple: never put Basic Auth on a non-HTTPS endpoint, even on a private network.
How do I use the generated header in curl?
Two ways. The explicit way is curl -H 'Authorization: Basic dXNlcjpwYXNz' https://api.example.com/, pasting the value this tool produced. The shortcut is curl -u user:pass https://api.example.com/ — curl Base64-encodes the credentials and adds the header for you. In Postman, pick the Authorization tab, choose Basic Auth, fill in username and password, and Postman builds the same header. In fetch, pass { headers: { Authorization: 'Basic ' + btoa('user:pass') } }.
How does a user log out of HTTP Basic Auth?
Cleanly, they don't. There is no Logout header and no server-side session to invalidate, because Basic Auth is stateless — the browser caches the credentials and re-sends them on every request to the realm until the tab is closed or the cache is cleared. Some browsers expose a chrome://settings/passwords or equivalent UI; others require closing all windows. This is one of the main reasons modern user-facing apps use cookie or token sessions instead: you can revoke a session, you cannot revoke a Basic Auth header. For machine-to-machine traffic this limitation usually does not matter.
Should I use Basic Auth or a Bearer token?
For new designs, prefer Bearer tokens (Authorization: Bearer …). They decouple the credential from the user's password, can be rotated independently, can carry scopes and expiry, and fit cleanly into OAuth 2.0 / JWT flows. Basic Auth is still appropriate for: simple internal admin pages behind a VPN, webhook receivers that just need a shared-secret check, server-to-server calls where the calling service holds a dedicated robot credential, and quick development/debugging. If you find yourself reaching for Basic Auth on a public-facing user app in 2026, reach for a token instead.
Does this tool send my credentials anywhere?
No. The username and password never leave your browser. The string user:pass is built in JavaScript and encoded with the browser's built-in btoa() function on your CPU. There is no network request, no analytics on the values, and no server-side log. You can verify in the browser's Network tab, or load the page once and disconnect from the network — the encoding keeps working offline.

Related tools

Base64 Encoder & Decoder

Encode and decode Base64, with full UTF-8 support.

Base64 Decoder

Decode Base64 strings back to UTF-8 text in your browser.

JWT Decoder

Decode and inspect JSON Web Token headers and payloads.

URL Encoder & Decoder

Encode and decode URL-safe text.

Random Token Generator

Generate secure random tokens — alphanumeric, hex, base64url or URL-safe.

Password Generator

Generate strong, configurable passwords.