Generate an Authorization: Basic ... header from a username and password, or decode an existing one. Includes a ready-to-paste cURL command. Nothing leaves your browser.
HTTP Basic Auth sends the username and password as Base64 in every request. Anyone capturing the request — proxies, server logs, browser dev tools — can decode them instantly. Always use HTTPS with Basic Auth, and prefer OAuth or API keys for production systems.
The client sends an Authorization header with "Basic " followed by Base64-encoded "username:password". The server decodes it and checks the credentials. It is the simplest authentication scheme in HTTP, defined in RFC 7617.
Only when used over HTTPS. Base64 is not encryption — anyone capturing the request can decode it instantly back to plain credentials. For production systems, prefer OAuth 2.0, JWT bearer tokens, or API keys. Basic Auth is suitable for internal tools, scripts, and quick integrations behind TLS.
The colon is the separator the server uses to split the decoded string back into username and password. RFC 7617 specifies that the username cannot contain a colon, but the password can — the server splits only on the first colon.
Yes. UTF-8 is the standard encoding. Our tool encodes the entire "username:password" string as UTF-8 before Base64 encoding, which handles all Unicode characters correctly.