HTTP Basic authentication sends your username and password as a base64-encoded `user:pass` string.
HTTP Basic authentication sends your username and password as a base64-encoded `user:pass` string.
curl -u alice:s3cret https://api.example.com/private
# curl builds the header for you; equivalent to:
# -H 'Authorization: Basic YWxpY2U6czNjcmV0'const creds = btoa('alice:s3cret'); // base64
const res = await fetch('https://api.example.com/private', {
headers: { Authorization: `Basic ${creds}` }
});import requests
from requests.auth import HTTPBasicAuth
res = requests.get('https://api.example.com/private',
auth=HTTPBasicAuth('alice', 's3cret'))
# shorthand: auth=('alice', 's3cret')The header value is `Basic base64(user:pass)`. Base64 is encoding, not encryption, and anyone can reverse it, so Basic auth must run over HTTPS only; over plain HTTP the credentials are effectively in the clear.
curl's `-u user:pass` builds the header for you. Typing the password on the command line leaves it in shell history and the process list, so prefer `-u user` (prompt) or a `.netrc` file. In the browser, `btoa` only handles Latin-1, so encode Unicode credentials as UTF-8 first.
On failure you get 401 plus a `WWW-Authenticate: Basic realm="..."` header, which is what makes browsers show a login popup. Because it is stateless and resends credentials on every request, prefer token-based (Bearer) auth where you can.