Basic auth generator

Generate an Authorization: Basic header

All computation runs locally in your browser

Last updated: January 30, 2026

CreatorFrank Zhao

Username

Password

Authorization header:

Authorization: Basic Og==

Introduction / Overview

The Basic Auth Generator creates an HTTP header you can paste into tools like curl, Postman, or your API client. It takes a username and password, combines them, Base64-encodes the result, and formats the header string.

Basic Auth is not encryption.

Base64 is an encoding (easy to decode), so only use Basic Auth over HTTPS and prefer stronger auth methods when possible.

If youre working with Base64 often, the Base64 String Encoder/Decoder is a handy companion for debugging values.

How to Use / Quick Start Guide

Enter your username

This is usually the API user, email, or service account name.

Enter your password

Often an API token, app password, or plain password (depending on the system).

Copy the Authorization header

Paste it into your request headers exactly as shown.

Worked example (step-by-step)

Suppose your username is $\text{user}$ and your password is $\text{pass}$ .

\text{token}

=

\mathrm{Base64}(\text{user:pass})

=

\text{dXNlcjpwYXNz}

\text{Authorization}

=

\text{Basic }\text{dXNlcjpwYXNz}

In other words, the header you send is literally the word $\text{Basic}$ followed by a space and the Base64 token.

If you see an empty output like $\text{Basic }\text{Og==}$ , it usually means you entered neither username nor password.

Real-World Examples / Use Cases

Quick curl test for a staging API

Background: You want to verify that your staging endpoint is up.

Inputs: username $\text{staging-user}$ , password $\text{s3cret}$ .

\text{Authorization: Basic }

\mathrm{Base64}(\text{staging-user:s3cret})

How you use it: Paste the header into your curl command or request tool.

Postman header for a self-hosted service

Background: A service behind a reverse proxy is protected by Basic Auth.

Inputs: username $\text{admin}$ , password $\text{my-app-password}$ .

Result: The generator outputs a full header you can paste directly into Postmans Headers tab.

Debugging a failing 401 response

Background: Requests return 401 even though credentials look right.

What to check: Decode the token using the Base64 String Encoder/Decoder to confirm the string is exactly $\text{username:password}$ .

Common fix: Make sure theres no extra whitespace and that you didnt swap the fields.

Using an API token as the password

Background: Some APIs accept a token in the password slot.

Inputs: username $\text{any-non-empty-user}$ , password $\text{token\_123}$ .

How it helps: You avoid formatting mistakes and keep the header consistent across tools.

Common Scenarios / When to Use

You need the exact header format

Some tools expect the full string

\text{Authorization: Basic ...}

rather than just the token.

Youre debugging auth failures

Generate, copy, then decode with our Base64 String Encoder/Decoder to confirm the payload.

Youre configuring a proxy or gateway

Many reverse proxies use Basic Auth for lightweight protection on staging or internal dashboards.

You want a quick local workflow

This generator runs in-browseruse it without sending your credentials to a server.

You test endpoints via CLI

Fast copy/paste into curl headers avoids typos and keeps scripts consistent.

Youre integrating an older system

Legacy services sometimes only support Basic Auth. This tool helps you produce the header reliably.

When this tool might not be appropriate:

If you cannot guarantee HTTPS for requests.
If your organization requires OAuth, SSO, mTLS, or signed tokens instead.

Tips & Best Practices

Always use HTTPS. Basic Auth values are easy to decode.
If auth fails, decode the token and confirm it is exactly $\text{username:password}$ (no extra spaces).
Prefer API tokens/app passwords instead of your main account password.
Avoid screenshots when the header contains sensitive values. Copy/paste is safer.

Pro tip: verify with decoding

Copy only the Base64 part, decode it, and confirm it matches your expected $\text{username:password}$ string. If you want a quick decoding workflow, open our Base64 String Encoder/Decoder in a second tab.

Calculation Method / Formula Explanation

\text{Authorization} = \text{Basic }\mathrm{Base64}(\text{username:password})

(the token is the Base64 encoding of username + colon + password)

The core steps are:

Build the credential string $\text{username:password}$ .
Base64-encode it into a token.
Prefix it with $\text{Authorization: Basic }$ .

Related Concepts / Background Info

Base64 (encoding vs encryption)

Base64 is designed to represent bytes as printable characters, not to keep secrets. If someone can see your header, they can decode it.

Why a colon matters

The payload is strictly $\text{username:password}$ . If the username contains a colon, it becomes ambiguous and may break authentication.

Other tools you may need

If youre constructing URLs that include credentials (not recommended), our URL parser can help you inspect the username/password fields.

Frequently Asked Questions (FAQs)

Is Basic Auth secure?

Its only as secure as your transport. Basic Auth uses Base64 encoding, so it must be protected by HTTPS. Think of it as a convenient header format, not encryption.

Why does the header change when I change one character?

Base64 encodes the full string $\text{username:password}$ . Any change in input changes the encoded output.

What does an output like Og== mean?

$\text{Og==}$ is Base64 for $\text{:}$ . That typically means both username and password are empty.

Can I use an API token instead of a password?

Often yes. Many services treat the password field as some secret which can be a token.

How do I verify the header is correct?

Copy the Base64 part and decode it in our Base64 String Encoder/Decoder to confirm it equals $\text{username:password}$ .

Limitations / Disclaimers

This tool formats headers and encodes text with Base64. It does not validate credentials, perform authentication, or provide security guarantees.

Avoid using Basic Auth over plain HTTP, and avoid sharing generated headers in public places (screenshots, tickets, chat logs).

External References / Sources

RFC 7617 The Basic HTTP Authentication Scheme
https://www.rfc-editor.org/rfc/rfc7617
MDN HTTP authentication
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

Related Calculators

Chronometer

Use a simple chronometer (stopwatch) to track elapsed time down to milliseconds. Runs locally in your browser.

Try Now

Email normalizer

Normalize email addresses to a standard format for easier comparison. Useful for deduplication and data cleaning. Runs locally in your browser.

Try Now

ETA calculator

Estimate the time needed to consume a total amount at a constant rate, and get an expected end time. Runs locally in your browser.

Try Now

JWT parser

Parse and decode your JSON Web Token (JWT) and display its content. All computation runs locally in your browser.

Try Now

MIME types

Know which file extensions are associated to a MIME type, and which MIME type is associated to a file extension. Includes a full MIME types table.

Try Now

Lorem ipsum generator

Generate random Lorem Ipsum placeholder text with customizable paragraphs, sentences, and word counts. Runs locally in your browser.

Try Now