Use Basic authentication

HTTP Basic authentication sends your username and password as a base64-encoded `user:pass` string.

Overview

HTTP Basic authentication sends your username and password as a base64-encoded `user:pass` string.

In code

curl -u alice:s3cret https://api.example.com/private

# curl builds the header for you; equivalent to:
# -H 'Authorization: Basic YWxpY2U6czNjcmV0'
const creds = btoa('alice:s3cret'); // base64
const res = await fetch('https://api.example.com/private', {
  headers: { Authorization: `Basic ${creds}` }
});
import requests
from requests.auth import HTTPBasicAuth

res = requests.get('https://api.example.com/private',
                   auth=HTTPBasicAuth('alice', 's3cret'))
# shorthand: auth=('alice', 's3cret')

Details

The header value is `Basic base64(user:pass)`. Base64 is encoding, not encryption, and anyone can reverse it, so Basic auth must run over HTTPS only; over plain HTTP the credentials are effectively in the clear.

curl's `-u user:pass` builds the header for you. Typing the password on the command line leaves it in shell history and the process list, so prefer `-u user` (prompt) or a `.netrc` file. In the browser, `btoa` only handles Latin-1, so encode Unicode credentials as UTF-8 first.

On failure you get 401 plus a `WWW-Authenticate: Basic realm="..."` header, which is what makes browsers show a login popup. Because it is stateless and resends credentials on every request, prefer token-based (Bearer) auth where you can.

Related headers

Related status codes