Basic Auth Header Generator

Build an HTTP Authorization: Basic header from a username and password, and decode one back. Basic auth simply base64-encodes username:password — it is encoding, not encryption — so this tool shows you the exact header value to drop into a curl command, an API client, or a test. Decoding goes the other way, splitting a header back into its credentials. Everything is computed locally; nothing is sent.

How to use the Basic Auth Header Generator

Type a username and password in the encode section. The full Authorization: Basic … header and the bare base64 token both update live — copy whichever your client needs. In curl you would use -H "Authorization: Basic …" or simply -u user:pass, which builds the same header for you.

To inspect a header you already have, paste it into the decode box. The tool accepts the whole header line, just the Basic … part, or only the base64 token, and shows the username and password it contains. This is useful for debugging a request or confirming what credentials a stored header actually carries.

How HTTP Basic authentication works

HTTP Basic authentication is defined in RFC 7617. The client joins the username and password with a single colon, encodes the result as base64, and sends it in an Authorization header prefixed with the word Basic. The server decodes the token, splits on the first colon, and checks the credentials. That is the entire protocol — there is no challenge-response, no hashing, and no nonce.

The crucial point is that base64 is encoding, not encryption. Anyone who sees the header can decode it back to the plaintext password instantly, as the decode side of this tool demonstrates. Basic auth therefore provides no confidentiality on its own; its only safe use is over HTTPS, where TLS encrypts the whole request including the header. Sent over plain HTTP, the password is effectively in the clear.

Because the credentials travel with every request rather than being exchanged once for a session token, Basic auth is best suited to machine-to-machine APIs, internal tools, and quick tests rather than user-facing logins. A subtlety worth knowing: a username containing a colon cannot be represented, since the server splits on the first colon — passwords may contain colons, but usernames may not. Non-ASCII characters are encoded as UTF-8 bytes before base64, which this tool handles correctly.
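
The encode and decode steps described above, written out as an added Python example (not this tool's own code). The function names `encode_basic` and `decode_basic` are assumptions made for illustration, and the credentials in the demo are constructed sample values.

```python
import base64
import binascii
from typing import Tuple


def encode_basic(username: str, password: str) -> str:
    """Return the Authorization header value: 'Basic <token>'."""
    if ":" in username:
        # The receiver splits on the first colon, so this could not round-trip.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")  # UTF-8 bytes before base64
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(value: str) -> Tuple[str, str]:
    """Accept a full header line, a 'Basic <token>' value, or a bare token."""
    text = value.strip()
    if text.lower().startswith("authorization:"):
        text = text.split(":", 1)[1].strip()
    scheme, sep, rest = text.partition(" ")
    if sep:
        # A scheme word is present; refuse anything that is not Basic.
        if scheme.lower() != "basic":
            raise ValueError(f"not a Basic credential: {scheme!r}")
        text = rest.strip()
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("token is not base64-encoded UTF-8") from exc
    # Split on the FIRST colon only: later colons belong to the password.
    username, colon, password = decoded.partition(":")
    if not colon:
        raise ValueError("decoded token has no ':' separator")
    return username, password


if __name__ == "__main__":
    # Constructed sample credentials, including a password with colons
    # and a non-ASCII character.
    for user, pw in [("svc-backup", "a:b:c"), ("test", "123£")]:
        header = encode_basic(user, pw)
        print(header, "->", decode_basic("Authorization: " + header))
```
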

Common use cases

  • Calling an API. Build the exact header for a service that uses Basic auth.
  • Debugging requests. Decode a captured Authorization header to see which credentials it carries.
  • Scripting and tests. Generate a token to paste into a test fixture or environment variable.
  • Learning the format. See plainly that Basic auth is reversible base64, not encryption.

Frequently asked questions

Is Basic auth secure?

Only over HTTPS. The credentials are base64-encoded, which is trivially reversible, so on plain HTTP the password is effectively sent in the clear. TLS encrypts the entire request including the Authorization header, which is what makes Basic auth safe to use.

Is base64 the same as encryption?

No. Base64 is a reversible encoding with no key — anyone can decode it. It exists to represent binary or text safely in a header, not to protect it. The decode side of this tool recovers the original password instantly to make that clear.

Can the username contain a colon?

No. The server splits the decoded token on the first colon, so a colon in the username is impossible to represent. The password may contain colons, since everything after the first one is taken as the password.

How are non-ASCII characters handled?

The username and password are encoded as UTF-8 bytes before base64, per the recommended behaviour in RFC 7617. This tool uses UTF-8 in both directions, so accented and non-Latin characters round-trip correctly.

Does curl -u do the same thing?

Yes. curl -u user:pass constructs exactly this Authorization: Basic header for you. Generating the header manually is useful when your client does not have a -u equivalent or when you want to inspect the value.