How HTTP Basic Auth Actually Works

HTTP Basic Authentication is the simplest auth scheme defined in RFC 7617: take a username and password, join them with a colon, Base64-encode the result, and send it in the Authorization: Basic <encoded> header. That's the entire protocol. The example input admin:secret-password-123 shows the input format; Base64-encoded, it becomes YWRtaW46c2VjcmV0LXBhc3N3b3JkLTEyMw==, which is the value that goes into your header.

The Format Is Strict — Get It Wrong and Auth Silently Fails

  • Single colon separator. If your password contains a colon, you must escape it or use a different auth scheme. Basic Auth has no escaping mechanism — the first colon wins.
  • UTF-8 encoding. The pre-encoding string should be UTF-8 bytes, not Latin-1. Most servers handle this correctly, but mismatches cause "wrong password" errors with Unicode passwords.
  • Standard Base64, not URL-safe. Use + and /, not - and _. The = padding must be included.
  • No newlines in the output. Some encoders wrap Base64 at 64 characters. Strip all whitespace before putting the value in the header.

The Final HTTP Header

Once you have the Base64 string, the full header is:

Authorization: Basic YWRtaW46c2VjcmV0LXBhc3N3b3JkLTEyMw==

Note the literal word Basic followed by a single space, then the encoded value. curl builds this header automatically with -u username:password, which is useful for confirming that your manually encoded value matches what curl produces.

Security Caveats

Basic Auth is not encryption. Base64 is encoding, not hashing. Anyone who captures the header can recover the original password instantly. Always use Basic Auth over HTTPS — never over plain HTTP. Even over HTTPS, it's worth thinking twice: every request carries the password, so any server-side logging of full headers leaks credentials.
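As an added example (not code from this page or any tool it describes), the Python below builds the header under the format rules above, parses one back strictly enough to reject the URL-safe, unpadded and line-wrapped variants that otherwise fail silently, and masks the credential before a request line reaches a log file, which is the leak the caveat above warns about. It assumes the decoded string is split on the first colon only, as RFC 7617 specifies, and reuses the page's example credential pair as constructed input.

```python
import base64
import binascii
import re

# Constructed example credentials, the same pair the page uses.
USERNAME = "admin"
PASSWORD = "secret-password-123"

def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value the way RFC 7617 requires."""
    if ":" in username:
        # RFC 7617: the first colon separates user-id and password, so a
        # user-id may not contain one (a password may).
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")  # UTF-8 bytes, not Latin-1
    token = base64.b64encode(raw).decode("ascii")   # standard alphabet, padded, one line
    return f"Basic {token}"

_STD_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")  # standard alphabet only, no - or _

def parse_basic_auth(header_value: str) -> tuple[str, str]:
    """Strictly parse 'Basic <token>' back into (username, password).
    Rejects the URL-safe alphabet, missing padding and embedded whitespace."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # scheme name is case-insensitive (RFC 7235)
        raise ValueError("not a Basic credential")
    if not _STD_B64.fullmatch(token) or len(token) % 4:
        raise ValueError("token is not standard, padded, single-line Base64")
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid Base64") from exc
    user, sep, pw = raw.decode("utf-8").partition(":")  # split on the FIRST colon only
    if not sep:
        raise ValueError("decoded credential has no ':' separator")
    return user, pw

def is_well_formed(header_value: str) -> bool:
    """True when the header value parses under the strict rules above."""
    try:
        parse_basic_auth(header_value)
        return True
    except ValueError:  # UnicodeDecodeError is a ValueError too
        return False

def redact_authorization(log_line: str) -> str:
    """Mask the credential before a request line or header reaches a log."""
    return re.sub(r"(?i)(authorization:\s*basic\s+)\S+", r"\1[REDACTED]", log_line)
```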

Prefer API tokens or OAuth where possible. Basic Auth is fine for personal scripts hitting your own API, server-to-server calls in a private network, and dev environments. Production user-facing auth should use sessions (with httpOnly cookies) or OAuth bearer tokens.

Common Use Cases for Basic Auth Today

  • Calling private package registries (npm, PyPI, Docker Hub) — they accept Basic Auth with a username and access token.
  • GitHub API access via Personal Access Tokens (legacy — fine-grained tokens are now preferred).
  • Internal admin endpoints behind a VPN.
  • Webhook verification when the receiver expects pre-shared credentials.
