Basic Auth Generator: Create HTTP Basic Authentication Headers

Generate Base64-encoded HTTP Basic Authentication header values from a username and password. Copy the Authorization header value instantly.

Published January 15, 2025 | Updated June 1, 2025 | 4 min read


HTTP Basic Authentication is one of the oldest and simplest authentication mechanisms in the HTTP protocol. It works by encoding a username and password as a Base64 string and sending it in the `Authorization` request header. While it's not the most secure method for user-facing applications, Basic Auth is widely used for API authentication, internal tools, CI/CD webhooks, and server-to-server communication — especially over HTTPS.

Constructing a Basic Auth header manually means concatenating the username and password with a colon (`username:password`), then Base64-encoding the result, and finally prepending `Basic ` to form the header value. It's a simple process but just awkward enough to slow you down when testing an API or configuring a client.

This tool does it for you instantly. Enter a username and password, and get the complete `Authorization` header value ready to paste into cURL, Postman, code, or a configuration file.

What Is HTTP Basic Authentication?

HTTP Basic Authentication is defined in RFC 7617. When a client wants to authenticate, it sends an `Authorization` header with the value `Basic <credentials>`, where `<credentials>` is the Base64 encoding of the string `username:password`.

For example, for username `admin` and password `secret`, the combined string is `admin:secret`. Base64-encoding this gives `YWRtaW46c2VjcmV0`. The full header value is `Basic YWRtaW46c2VjcmV0`.

It's important to understand that Base64 encoding is not encryption — it is trivially reversible. The credentials are essentially sent in plain text. This means Basic Auth must always be used over HTTPS to prevent the credentials from being intercepted in transit. When used over plain HTTP, anyone on the network can read the credentials.

How to Use This Tool

Generate a Basic Auth header value in seconds.

  1. Enter your username

     Type the username (or API key) into the Username field. This is the first part of the credential string.

  2. Enter your password

     Type the password (or API secret/token) into the Password field. The tool shows the field as masked by default for privacy.

  3. Click Generate

     The tool combines the values as `username:password`, Base64-encodes the combined string, and prepends `Basic ` to form the complete header value.

  4. Copy the header value

     Click the copy button to copy the full `Authorization: Basic <value>` header, or just the Base64 token portion, for use in your request.

  5. Use in cURL, Postman, or code

     Paste the header value into your HTTP client. In cURL, use the `-H 'Authorization: Basic <value>'` flag, or the shorthand `--user username:password` which cURL encodes automatically.

Common Use Cases

Basic Auth is used in many situations where simple credential-based authentication is needed.

  • Authenticating to REST APIs that use Basic Auth — many payment gateways, CRMs, and internal APIs use API key + secret as Basic Auth credentials.
  • Configuring CI/CD pipeline calls to protected endpoints — generating the token once and storing it as a secret environment variable.
  • Testing authentication in Postman or Insomnia — quickly generating the token to paste into the Authorization tab.
  • Setting up HTTP Basic Auth on nginx or Apache — generating the encoded credentials for use in server configuration or `.htpasswd` files.
  • Writing integration test fixtures — encoding known test credentials to use in automated test request headers.

Tips and Best Practices

Follow these security guidelines when using HTTP Basic Authentication.

  • Always use HTTPS — Basic Auth credentials are only Base64-encoded, not encrypted. Over plain HTTP, they can be intercepted trivially.
  • Never hardcode credentials — store the generated token in environment variables or a secrets manager, not in your source code.
  • Use API keys instead of real user passwords when possible — if the key is compromised, it can be rotated without affecting the user's account.
  • Rotate credentials regularly — and immediately rotate them if you suspect they may have been exposed (e.g., accidentally committed to a repository).
  • Consider OAuth or token-based auth for user-facing flows — Basic Auth is most appropriate for machine-to-machine server communication.

Frequently Asked Questions

Is Basic Auth the same as sending a password in plain text?

Functionally, yes — Base64 encoding is not encryption and is trivially reversible. Basic Auth credentials sent over plain HTTP are as exposed as plain text. Over HTTPS, the credentials are protected by TLS, making Basic Auth over HTTPS reasonably secure.

What is the format of a Basic Auth header?

The header name is `Authorization` and the value follows the format `Basic <credentials>`, where `<credentials>` is the Base64 encoding of the string `username:password`. The colon is the separator between username and password.

Can the username or password contain a colon?

The username must not contain a colon (`:`) because the colon is used as the separator in the `username:password` string. Passwords may contain colons — only the first colon in the decoded string is treated as the separator.

How do I decode a Basic Auth token?

Take the Base64 string (the part after `Basic `), decode it from Base64, and the result is the `username:password` string. Any Base64 decoder can do this, which is why HTTPS is mandatory for Basic Auth security.
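The construction and decoding rules from the answers above, as an added JavaScript example (not the tool's own code; `buildBasicAuth` and `parseBasicAuth` are illustrative names). It assumes the credentials are encoded as UTF-8 before Base64, rejects a colon in the username, and splits the decoded string on the first colon only.

```javascript
// Added example: build and parse Basic credentials (RFC 7617).
// Assumption: user-pass is encoded as UTF-8 before Base64.
const utf8Encoder = new TextEncoder();
const utf8Decoder = new TextDecoder("utf-8", { fatal: true });

function buildBasicAuth(username, password) {
  // The colon is the separator, so it cannot appear in the username.
  if (username.includes(":")) {
    throw new Error("username must not contain ':'");
  }
  // RFC 7617 also disallows control characters in either field.
  if (/[\x00-\x1f\x7f]/.test(username + password)) {
    throw new Error("control characters are not allowed");
  }
  // btoa() rejects code points above 0xFF, so convert to UTF-8 bytes first.
  const bytes = utf8Encoder.encode(`${username}:${password}`);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

function parseBasicAuth(headerValue) {
  // The scheme name is case-insensitive; the token must be plain Base64.
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue);
  if (!m) return null;
  let decoded;
  try {
    const binary = atob(m[1]);
    const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
    decoded = utf8Decoder.decode(bytes); // throws on invalid UTF-8
  } catch {
    return null;
  }
  // Only the FIRST colon separates the fields; later colons belong
  // to the password.
  const sep = decoded.indexOf(":");
  if (sep === -1) return null;
  return {
    username: decoded.slice(0, sep),
    password: decoded.slice(sep + 1),
  };
}
```

Because `parseBasicAuth` needs no key or secret to recover the password, the same few lines are all an observer of an unencrypted request would need.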

Can I use Basic Auth with API keys instead of a username and password?

Yes. Many APIs accept an API key as the username and either leave the password blank or use a fixed value like `x`. For example, Stripe uses `Authorization: Basic <base64(api_key:)>`. Check your API provider's documentation for the expected format.

What should I do if my Basic Auth credentials are exposed?

Immediately rotate the compromised credentials — generate a new password or API key and revoke the old one. If real user credentials were exposed, consider notifying affected users and auditing access logs for unauthorized use.
