Overview
Generate an HTTP Basic Auth header
HTTP Basic Authentication is the simplest way for a client to prove who it is. The client joins a username and password with a colon, encodes the result as Base64, and sends it in anAuthorization header. The server decodes the value, checks the credentials, and either grants or refuses access.
ToolHub Basic Auth Header Generator turns a username and password into a ready-to-use Authorization: Basic header, the bare Base64 token, and a curl command you can paste into a terminal. Everything happens in your browser, so your credentials never leave your machine.
Step-by-step
How to build a Basic Auth header
- 1
Enter your username
Type the account name the server expects. The header updates instantly as you type. - 2
Enter your password
The password field shows the value in plain text so you can confirm it. It is combined with the username as username:password. - 3
Copy the header or curl
Grab the fullAuthorization: Basic <token>line, just the token, or the curl example with one click.
Background
What the header actually contains
The value after Basic is the Base64 of the literal string username:password. Base64 maps bytes onto a safe set of ASCII characters so the credentials survive being sent in a header. Because the colon separates the two fields, a username must not contain a colon, though the password may.
Why UTF-8 encoding matters
If a username or password contains accented letters or non-Latin characters, those have to be turned into bytes before Base64 can run. This tool encodes the credentials as UTF-8 first, so names in any script round trip correctly instead of producing a broken token.
Encoding is not encryption
Base64 hides nothing. Anyone who captures the header can decode it back to the original username and password in seconds. That is why Basic Auth is only safe when the connection itself is encrypted with HTTPS.
Use cases
When to use a Basic Auth header
Calling an API from curl
Paste the generated curl command to hit an endpoint protected by Basic Auth while testing.
Configuring webhooks
Many services accept a Basic Auth header so they can authenticate when calling your endpoint.
Scripting health checks
Drop the token into a monitoring script that pings a protected internal service.
Testing in Postman or Insomnia
Copy the header value into a request to reproduce exactly what a client sends.
Accessing private package registries
Some npm, PyPI, and Docker registries authenticate with a Basic Auth header.
Protecting a staging site
Confirm the header your reverse proxy expects when you put a site behind a simple login.
Tips and best practices
- Only send Basic Auth over HTTPS. On plain HTTP the credentials are trivially readable.
- Treat the token like a password. Anyone holding it can act as that user.
- A username cannot contain a colon, since the colon separates it from the password.
- Prefer tokens or OAuth for public APIs. Basic Auth is best for simple internal or test cases.
- Rotate credentials if a header is ever pasted into a log, ticket, or shared chat.
Common questions
Is my username or password sent anywhere?
No. The Base64 encoding runs entirely in your browser with the built-in TextEncoder and btoa functions. Nothing is uploaded to a server.
Can someone decode the token back to my password?
Yes. Base64 is reversible, so the token is only as private as the channel that carries it. Always use HTTPS so the header is encrypted in transit.
Why does the token change for every keystroke?
The token is the Base64 of the full username:password string, so any change to either field produces a different encoded value. That is expected and shows the header staying in sync with your input.
What does the Basic keyword mean?
It names the authentication scheme. The server reads Basic to know it should Base64-decode the rest of the value and split it on the colon into a username and password.
100% private