Build an HTTP Basic Authentication header from a username and password, or decode an existing token to extract credentials — with a live step-by-step breakdown.
HTTP Basic Authentication is the simplest standardized access-control mechanism for web APIs and services, defined in RFC 7617. It works by combining a username and password into a single string, encoding it with Base64, and sending it in the Authorization HTTP request header on every call. Because the scheme is stateless, no sessions or cookies are required — the server validates credentials on each request independently.
Basic Auth is natively supported by browsers, curl, Postman, HTTPie, and virtually every HTTP client and server framework. Its simplicity is its main asset — but also its main limitation: since Base64 is an encoding scheme and not encryption, Basic Auth credentials are trivially reversible. Always use HTTPS (TLS) when transmitting Basic Auth headers to prevent credentials from being captured in transit.
Constructing an Authorization: Basic header is a three-step process:
1. Combine the username and password with a colon (:), for example admin:secret123. The username must not itself contain a colon; the password may.
2. Base64-encode the combined string, which for the example above gives YWRtaW46c2VjcmV0MTIz.
3. Prefix the token with Basic (note the trailing space) and send the full header: Authorization: Basic YWRtaW46c2VjcmV0MTIz.
The tool above performs all three steps live as you type, displaying every intermediate value in a monospace panel so you can understand exactly what the server receives — and copy any step individually.
Basic Auth is the right tool in several concrete scenarios:
- Machine-to-machine calls over HTTPS, such as CI pipelines and internal APIs.
- Package registry authentication stored in client configuration files (.npmrc, pip.conf, settings.xml).
- Quick command-line testing: the -u username:password flag in curl builds and sends the Basic Auth header automatically.
For user-facing authentication — login forms, mobile apps, public APIs — prefer OAuth 2.0, API tokens with expiry, or session cookies with CSRF protection. These schemes allow credential rotation, scoped access, and revocation without changing a hard-coded password everywhere it is used.
Because Base64 provides no confidentiality, any Basic Auth token can be decoded instantly by anyone who captures it. This makes the Decode tab practically useful in several situations: inspecting HTTP traffic in browser DevTools, reviewing historical API logs, auditing credentials in configuration files, or debugging authentication failures where you want to confirm the exact username and password the client is sending.
Paste the raw Base64 token, the Basic <token> string, or the entire Authorization: Basic <token> header line — the decoder strips any prefix automatically and always splits on the first colon, correctly preserving colons inside the password.
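The three build steps and the decoder's prefix stripping and first-colon split, as an added example written for this page (not the tool's own source). It also handles non-ASCII credentials by Base64-encoding the UTF-8 bytes, since btoa() alone rejects characters outside Latin-1; the function names are assumptions.

```javascript
// Added example (not the tool's own code): build and decode RFC 7617
// Basic credentials with UTF-8 handling and first-colon splitting.
// Runs in modern browsers and Node 18+ (btoa/atob, TextEncoder/TextDecoder).

// Base64 of the UTF-8 bytes of a string. btoa() only accepts Latin-1, so a
// password such as "pässwörd" would throw; convert to bytes first.
function base64Utf8(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Inverse of base64Utf8; fatal: true rejects malformed UTF-8 instead of
// silently substituting replacement characters.
function decodeBase64Utf8(b64) {
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Steps 1-3: "user:pass" -> Base64 -> "Basic <token>".
function buildBasicAuth(username, password) {
  if (username.includes(":")) {
    throw new Error("username must not contain ':' (RFC 7617)");
  }
  return "Basic " + base64Utf8(`${username}:${password}`);
}

// Accepts the bare token, "Basic <token>", or a full
// "Authorization: Basic <token>" line; the scheme match is case-insensitive.
function decodeBasicAuth(input) {
  let s = input.trim();
  s = s.replace(/^authorization\s*:\s*/i, "");
  s = s.replace(/^basic\s+/i, "");
  const combined = decodeBase64Utf8(s);
  const i = combined.indexOf(":");
  if (i === -1) throw new Error("decoded credentials contain no ':'");
  // Split on the first colon only so colons inside the password survive.
  return { username: combined.slice(0, i), password: combined.slice(i + 1) };
}
```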
Every major HTTP client has native Basic Auth support:
- curl: curl -u admin:secret https://api.example.com/data
- JavaScript (fetch headers): 'Authorization': 'Basic ' + btoa('admin:secret')
- Python (requests): requests.get(url, auth=('admin', 'secret'))
- Go (net/http): req.SetBasicAuth("admin", "secret")
- HTTPie: http -a admin:secret GET https://api.example.com/data
Worked example with Username: admin · Password: secret123
Combined: admin:secret123
Base64: YWRtaW46c2VjcmV0MTIz
Header: Authorization: Basic YWRtaW46c2VjcmV0MTIz
Some services use an empty username with an API key as the password:
Combined: :ghp_myGitHubToken
Base64: OmdocF9teUdpdEh1YlRva2Vu
Header: Authorization: Basic OmdocF9teUdpdEh1YlRva2Vu
Username: user · Password: p:a:s:s
Combined: user:p:a:s:s
Split rule: first colon only — password is preserved as p:a:s:s
Base64: dXNlcjpwOmE6czpz
curl automatically encodes credentials passed with -u:
curl -u admin:secret123 \
https://api.example.com/v1/users
This is equivalent to setting Authorization: Basic YWRtaW46c2VjcmV0MTIz manually.
No. Base64 is a binary-to-text encoding scheme — it is completely reversible and provides zero confidentiality. Anyone who captures an Authorization: Basic header can decode it in milliseconds. Basic Auth is only safe when the underlying transport is encrypted with TLS (HTTPS). Never send Basic Auth credentials over plain HTTP in production.
RFC 7617 explicitly handles this: the combined string is split on the first colon only. So user:p:a:s:s correctly decodes to username user and password p:a:s:s. Colons in the password are fully preserved. Colons in the username are not allowed by the specification.
RFC 7617 recommends UTF-8 encoding for credentials. This tool uses encodeURIComponent() before btoa() when encoding, and decodeURIComponent(escape(atob(...))) when decoding, which correctly handles any Unicode character in both username and password fields.
Both use the Authorization header but with different schemes. Basic sends Authorization: Basic <base64(user:pass)> — raw credentials on every request. Bearer sends Authorization: Bearer <token> — typically a JWT or opaque token obtained after an initial login. Bearer tokens can expire, carry scopes, and be revoked without changing the underlying password, making them more flexible for most modern API use cases.
When a server requires authentication and receives an unauthenticated request, it returns HTTP 401 Unauthorized with a WWW-Authenticate: Basic realm="My App" header. This signals which authentication scheme to use and identifies the realm (the protected area). The client then resends the request with the correct Authorization: Basic … header.
No. All encoding and decoding runs entirely in your browser using the built-in btoa() and atob() JavaScript functions. Nothing is transmitted to any external server. You can verify this by opening your browser's DevTools Network tab while using the tool — you will see no outgoing requests triggered by your input.
Yes. The decoder accepts three input formats: the raw Base64 token alone, the Basic <token> string, or the complete Authorization: Basic <token> header line. The prefix is stripped automatically regardless of casing.
It depends on context. Basic Auth is acceptable for machine-to-machine communication over HTTPS — CI pipelines, internal APIs, package registry authentication. It is not recommended for user-facing login flows: the credentials are permanent, sent on every request, cannot be scoped, and credential rotation requires updating every client. For those cases prefer OAuth 2.0, API tokens with expiry, or session-based auth with CSRF protection.