Basic Auth Header Generator
Quickly generate or decode HTTP Basic Authentication headers from a username and password.
"Authorization: Basic โฆ", "Basic โฆ", or just the Base64 value โ all formats are recognized.
โ Basic authentication is not encryption. It merely Base64-encodes "username:password", which anyone can instantly revert to plain text (as demonstrated by the "Decode Header" tab on the right). Always use it only over HTTPS, and do not expose header values in URL queries, logs, or Git repositories. For public APIs, token-based authentication (Bearer, OAuth) is recommended.
All encoding and decoding occurs solely within your browser. The username and password you enter are not sent to any server, nor are they stored in your browser since they are credentials โ they will disappear upon refresh.
What is the Basic Auth Header Generator?
Quickly create HTTP Basic Authentication headers for API testing or development. This tool is a fast, secure alternative when you don't want to open a client like Postman, or just need a header value for a `curl` command. As you type a username and password, it instantly generates the full `Authorization: Basic ...` header. You can copy the complete string, the value part, or just the raw Base64 credentials. It also provides ready-to-use `curl` examples. Need to go the other way? Switch to `๐ Decode Header` mode to verify credentials from an existing header. All processing is done in your browser, so your sensitive data is never sent to our server.
How to use
- In `๐ Encode Header` mode, enter a `Username` and `Password`.
- The `Authorization Header (Full)`, `Header Value Only`, `Base64 Part Only`, and `curl Command Example` are generated instantly as you type.
- Click the `Copy` button next to the result you need for your API client or code.
- To reverse the process, switch to `๐ Decode Header` mode and paste a header to see the original username and password.
- Click `Insert Example` to pre-fill the fields and see how the tool works with sample data.
Basic Auth Header Generator guide
How this tool is used in real work, and what to watch out for.
Without HTTPS, It's Just Plain Text
Try pasting a header generated on the left into the "Decode Header" tab. The username and password reappear instantly. No key or secret is needed. That's because Base64 isn't encryption; it's just an encoding scheme for representing binary data as text.
This means that if you send a request over HTTP, anyone in the middleโanother user on public Wi-Fi, a corporate proxy, any device on the network pathโcan read the header and steal the credentials. There is exactly one safe way to use Basic authentication: *always* over HTTPS. This tool will also show a warning if the request URL doesn't start with `https://`.
- Don't embed credentials in the URL like `https://user:pass@host`. They will be saved in your shell history and server logs.
- Don't move credentials into query parameters. Queries are logged and can leak via referrers.
- Don't paste header values into Git repositories, issues, or wikis. A single decoding step reveals the password.
When to Use It, and When Not To
Basic authentication is old, but it still has its uses. The deciding factor is, "what happens if this gets compromised?"
The critical limitation of Basic auth is that the only way to revoke access is to change the password. With a token, you can invalidate a single leaked token. With Basic auth, changing the password disconnects everyone using that account. You can't assign granular permissions or set expiration times.
| Scenario | Verdict | Reason |
|---|---|---|
| Locking down an entire staging or dev server | Good fit | Just a couple of lines of config. Blocks search engine indexing and external access at the same time. |
| A second layer of protection for an admin panel | Good fit | Adds an extra barrier separate from the application's own login. Use with HTTPS and IP allowlisting. |
| Internal monitoring dashboard | Conditional | Requires HTTPS. As accounts are often shared by a team, managing access for departing employees is difficult. |
| Internal server-to-server API calls | Conditional | Possible, but rotating keys is cumbersome. A token-based approach is better. |
| Public API for end-users | Poor fit | No individual revocation, granular permissions, or expiration. Use Bearer tokens (OAuth). |
| Embedding credentials in a mobile app | Poor fit | Apps can always be decompiled. The moment they're embedded, they're public. |
How to Actually Use This with nginx (and This Tool's Limits)
This is a common point of confusion. This tool generates the `Authorization` header value that a *client* sends. It does not create the password file (`.htpasswd`) that lives on the server. That file stores passwords as hashes, not Base64, so it can't be created with this tool. You need the `htpasswd` command for that.
- If you lock down health check or webhook endpoints, external service integrations will silently fail. Create exception `location` blocks for them.
- If you use Basic auth to protect a staging site, `robots.txt` or `noindex` tags are effectively redundantโcrawlers will also get a 401.
- A `WWW-Authenticate` header in the 401 response is what triggers the browser's login pop-up. If you're building an API and don't want this pop-up, return a 403 instead, or omit that header.
# 1) Server: Create the password file (using bcrypt)
sudo apt install apache2-utils
sudo htpasswd -B -c /etc/nginx/.htpasswd admin
sudo chmod 640 /etc/nginx/.htpasswd
# 2) nginx configuration
location /admin/ {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://127.0.0.1:3000;
# Clear the header so the backend app doesn't mistake it for its own auth
proxy_set_header Authorization "";
}
# 3) Client: Test with the header from this tool
curl -I -H 'Authorization: Basic YWRtaW46...' https://example.com/admin/
Colons in Usernames, Non-ASCII in Passwords โ The Silent Failures
The credential string is formed by joining "username:password". Because the first colon is the delimiter, if a username contains a colon, most servers will interpret everything before it as the username and the rest as part of the password. This is a violation of the spec, and this tool warns you if the username contains a colon. Conversely, passwords *can* contain colonsโthe decode tab also splits only at the first one.
Passwords with non-ASCII characters, like Korean, are more subtle. This tool encodes them as UTF-8, but some clients (like the browser's native pop-up) or older server implementations may still handle them as Latin-1. If the two sides interpret the encoding differently, you'll get into a "password is definitely correct but login fails" situation. This is one of the hardest bugs to track down, so it's safest to create Basic auth accounts using only ASCII characters.
The Difference Between the Two curl Examples
The curl examples below the result show two different methods. The first uses `-H` to supply the full header manually, while the second uses `-u` to let curl handle the encoding. The result is the same, but they leave different traces.
The `-u` flag is convenient, but it leaves the password in your shell history. On a shared server, it can also be visible to other users via the `ps` command while running. For automated scripts, it's safer to store the credentials in an environment variable or a `.netrc` file and reference them from there.
# To avoid saving to history (many shells don't log commands starting with a space)
curl -u 'admin:s3cr3t' https://example.com/admin/
# Using an environment variable
export API_CRED="admin:s3cr3t"
curl -u "$API_CRED" https://api.example.com/v1/orders
# ~/.netrc (requires permissions 600)
# machine api.example.com login admin password s3cr3t
curl --netrc https://api.example.com/v1/orders
Frequently asked questions
Is Basic authentication secure?
No, it is not encryption. It's Base64 encoding, which is easily reversible. For security, you must use Basic auth only over an HTTPS connection.
Are my username and password sent to your server?
No. All encoding and decoding happens entirely within your browser. No information you enter is ever sent to or stored by our servers.
How do I use the curl example?
The tool generates two `curl` commands. The `-H` option passes the full header string, while the `-u` option lets `curl` do the encoding for you. Copy whichever you prefer.
Can I use special characters or other languages?
Yes. This tool correctly encodes all characters, including non-English ones, as UTF-8. The server receiving the request must also be configured to interpret credentials as UTF-8.