Basic

Overview

HTTP Basic authentication (RFC 7617) is the simplest scheme: it joins a username and password with a colon, Base64-encodes the result, and sends it in the Authorization header on every request. With no session or token-issuance step, it is trivial to implement and still common for internal tools, health checks, and proxy authentication.

Transport

Authorization: Basic base64(user:password)

Details

The flow has three steps. First, requesting a protected resource without credentials returns 401 Unauthorized plus a `WWW-Authenticate: Basic realm="..."` header. Second, the client builds the string `user:password` and Base64-encodes it. Third, it retries with `Authorization: Basic <encoded>`. From then on the client typically resends that header on every subsequent request.

The realm names a protection space that shares the same credentials; browsers cache credentials per realm. The identical mechanism repeats one hop up at the proxy layer via 407 Proxy Authentication Required with the `Proxy-Authenticate` and `Proxy-Authorization` headers.

The single biggest misconception is treating Base64 as encryption. Base64 is a reversible encoding that anyone can decode instantly, not a cipher. Basic auth is therefore only safe over HTTPS (TLS); over plain HTTP the password is effectively sent in the clear.

Request / Response example

Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

In code

curl -u alice:s3cret https://api.example.com/me
# equivalently:
curl -H 'Authorization: Basic YWxpY2U6czNjcmV0' https://api.example.com/me
const creds = btoa(`${user}:${pass}`);
fetch('/me', { headers: { Authorization: 'Basic ' + creds } });
import base64
raw = request.headers['Authorization'].split(' ', 1)[1]
user, pw = base64.b64decode(raw).decode().split(':', 1)
if not verify(user, pw):
    return Response(status=401, headers={'WWW-Authenticate': 'Basic realm="api"'})

Security considerations

Related headers

AuthorizationWWW-AuthenticateProxy-AuthenticateProxy-Authorization

Related status codes