HTTP Basic Auth Header Generator
Enter a username and password to build an HTTP Basic Authorization header. You get the base64 credential, the full header line and copy-ready curl commands. Everything is generated in your browser.
How to generate a Basic Auth header
- Type the username and password (the password may be empty).
- Read the base64 value and the Authorization: Basic header line.
- Copy the header or one of the curl commands into your request.
Examples
admin / secret
username: admin, password: secret
Authorization: Basic YWRtaW46c2VjcmV0
RFC 7617 example
username: Aladdin, password: open sesame
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Frequently asked questions
How is an HTTP Basic Auth header built?
The username and password are joined with a single colon as username:password, that string is encoded to base64, and the result is sent as the header Authorization: Basic <base64>. This tool does exactly that, UTF-8 safe.
Is Basic Auth encrypted or secure?
No. Base64 is encoding, not encryption, so anyone who sees the header can decode your username and password instantly. Only use Basic Auth over HTTPS, where TLS protects the header in transit.
Should I paste my production credentials here?
No. Do not paste real production or long-lived credentials into any online tool, including this one. Use throwaway or test values, then build the header for production secrets locally or in your own environment.
Is my username and password private?
Yes. The header is generated entirely in your browser using JavaScript. Nothing you type is uploaded to a server, logged or stored. Even so, treat secrets carefully and avoid real credentials.
Can the password be empty or contain a colon?
The password can be empty and can contain colons, because only the first colon separates the username from the password. The username itself must not contain a colon, so the tool rejects one that does.
What is the https://user:pass@host URL form?
It is a legacy way to embed credentials directly in a URL. It is deprecated: modern browsers strip the credentials and many tools reject it, so prefer the Authorization header. The tool shows this form only for reference.
Does it handle accents and other unicode characters?
Yes. The credentials are encoded as UTF-8 before base64, so accented letters, emoji and other multi-byte characters are encoded correctly and decode back to the exact original.
Related tools
Base64 Encode
Encode text to Base64 online. UTF-8 safe, handles emoji and accents, with an optional URL-safe (base64url) mode. Runs in your browser, nothing uploaded.
JWT Decoder
Decode a JSON Web Token to read its header and payload claims. Shows exp, iat and nbf as dates. Runs in your browser. No signature check.
Hash Generator
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from any text. Live, lowercase hex output that runs entirely in your browser.
.env to JSON
Convert a .env file to JSON, or JSON back to .env. Parses KEY=value lines, comments, quotes and export. Runs entirely in your browser.
Aspect Ratio Calculator
Calculate aspect ratios fast. Enter a ratio like 16:9 and one dimension to get the other, or enter width and height to simplify the ratio.
Base58 Encoder
Encode and decode Base58 online with the Bitcoin alphabet. Convert text to Base58 or back, UTF-8 safe, no confusing 0 O I l. Runs in your browser.