Username plus password into Authorization Basic base64, with curl -u and -H examples, plus reverse decoding, all in your browser
- Runs locally
- Category Developer & DevOps
- Best for Formatting, validating, shrinking, or inspecting code-adjacent text.
Authorization: Basic Og==Og==curl -u ':' https://api.example.comcurl -H 'Authorization: Basic Og==' https://api.example.comRuns only in your browser. The password is never written to the share link.
What this tool does
Free HTTP Basic auth header generator. Type a username and password and read back the full `Authorization: Basic <token>` line, the bare base64 token on its own, and two ready-to-paste curl examples — one with the `-u user:pass` shorthand and one with the explicit `-H` header. The token is base64 of `user:password` encoded as UTF-8 bytes per RFC 7617, so a Chinese, Cyrillic, or emoji-laden credential encodes correctly instead of mangling into question marks.
The decode tab runs the same machine backwards. Paste a bare base64 token, a `Basic ...` value, or a whole `Authorization: Basic ...` header copied from a log or a `.netrc`, and the tool splits it back into the username and password. It splits on the first colon only, so a password that itself contains colons survives intact. Everything happens in your browser tab through the native `btoa`/`atob` and `TextEncoder` APIs, and the password is deliberately kept out of the shareable link.
Tool details
- Input
- Text
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- Browser-side processing
- The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share
- Shareable URL state
- Key settings are encoded in the URL so another person can reopen the same setup.
- Performance budget
- Initial JS <= 9 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Developer & DevOps · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
-
1. Input
Paste or drop your content into the tool panel.
-
2. Process
Click the button. All processing is local in your browser.
-
3. Copy / Download
Copy the result or download to disk in one click.
How Basic Auth Header Generator fits into your work
Use it in the small gaps between coding, reviewing, debugging, and shipping.
Developer jobs
- Formatting, validating, shrinking, or inspecting code-adjacent text.
- Preparing snippets for documentation, tickets, commits, or handoff.
- Checking a small payload quickly without switching tools.
Developer checks
- Run irreversible transforms like minify or obfuscate on a copy.
- Keep secrets out of pasted snippets unless the tool explicitly stays local.
- Use your normal tests or linter before shipping transformed code.
Good next steps
These links move the current task into a more complete workflow.
- 1 Base64 Encoder & Decoder Encode or decode Base64 — text, files, and Data URLs. Runs entirely in your browser. Open
- 2 JWT Encoder Encode JWT — pick algorithm (HS256/HS384/HS512), set header/payload/secret, get token. Open
- 3 HMAC Generator HMAC-SHA1/256/384/512 — message + secret key, output in hex and base64, key read as UTF-8/hex/base64 — 100% in-browser Open
Real-world use cases
Hand-build an Authorization header for an API request
You are wiring up a script against an internal API that wants Basic auth and the docs only say "send your username and password". Type them in, copy the `Authorization: Basic ...` line, and drop it straight into your HTTP client headers. No guessing about whether the colon goes inside or outside the base64, and no off-by-one padding mistakes from encoding it in your head.
Decode a credential out of a captured request or log
A request is failing and all you have is the raw header line from a proxy log: `Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l`. Paste it into the decode tab and read the username and password back out in one step, so you can confirm the client is sending the account you think it is rather than a stale or wrong one.
Build a working curl command for a teammate
Someone on the team needs to reproduce a call but does not have your auth helper. Generate both the `-u user:pass` and the explicit `-H` curl examples, paste the one that fits their setup into chat, and they can run it as-is. The header form is the safer share because it does not echo the raw password back as a separate argument.
Verify a non-ASCII credential encodes the way a server expects
Your password has accented characters or you are testing a Chinese username and the server keeps rejecting the login. Encode it here, confirm the UTF-8 token, then decode it back to be sure the round trip is clean. If the server still rejects it, you have ruled out the token and narrowed the bug down to the server's charset handling.
Common pitfalls
Putting a colon in the username. The first colon is the separator between user and password, so a username with a colon decodes wrong. Only the password may safely contain colons. If your account name has a colon, the server has to support a different scheme.
Treating base64 as a security layer. The token is trivially reversible, as the decode tab proves, so Basic auth over plain HTTP exposes the password to anyone on the wire. Always run Basic auth over HTTPS and never paste a real production credential into any online encoder.
Encoding the credential with the wrong charset. If your shell or editor encodes non-ASCII characters as something other than UTF-8, the token differs from what the server expects and the login silently fails. This tool always uses UTF-8 so the token is reproducible across machines.
Privacy
The encoding and decoding both run as plain JavaScript inside your browser tab through the native `btoa`, `atob`, and `TextEncoder` APIs. No username, password, token, or header ever leaves the page or hits a server, and nothing is logged. The username can be carried in the shareable URL for convenience, but the password is deliberately never written to the link. As a habit, do not paste real production credentials into any online tool — generate the format with a throwaway value, then swap in the real secret locally.
FAQ
Tool combos
Folks in your role tend to reach for these alongside this tool.
- 555 Timer Calculator Astable f = 1.44/((R1+2R2)C) + monostable t = 1.1RC — pick R1, R2, C in Ω/kΩ and µF/nF, read frequency, duty cycle and pulse width — browser-only
- Add Line Numbers Number every line of pasted text — set start, step and separator, zero-pad to align, skip blanks, or strip numbers back off — browser-only
- AES Text Encryptor Encrypt & decrypt text with a password — AES-256-GCM + PBKDF2 via WebCrypto — 100% in your browser, nothing uploaded
- Affine Cipher Encoder & Decoder Encrypt and decrypt the ax+b affine cipher with live modular-inverse check, browser-only