
Base64 Encode API Credentials for HTTP Basic Auth

2026-06-03 4 min read

HTTP Basic Authentication sends credentials as Base64-encoded username:password. Here is how it works and how to encode credentials correctly.

HTTP Basic Authentication has been around since the early web. It's still used by plenty of APIs today, including many payment processors and internal services. Understanding how it works helps you debug authentication issues and implement it correctly.

How HTTP Basic Auth works

When an API requires Basic Auth, it expects an Authorization header with your credentials. The credentials are formatted as username:password, Base64-encoded, and then prefixed with the scheme name Basic followed by a single space:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Decoding dXNlcm5hbWU6cGFzc3dvcmQ= gives you username:password. The Base64 encoding is not encryption. It's just encoding.

Creating the header manually

// JavaScript (browser)
// btoa() Base64-encodes a string of Latin-1 characters.
const credentials = btoa("myusername:mypassword");
const header = `Basic ${credentials}`;

// JavaScript (Node.js)
// Distinct names so both variants can live in the same file.
const nodeCredentials = Buffer.from("myusername:mypassword").toString("base64");
const nodeHeader = `Basic ${nodeCredentials}`;

// Using fetch
fetch("https://api.example.com/data", {
  headers: {
    Authorization: `Basic ${btoa("myusername:mypassword")}`,
  },
});

With curl, you can pass credentials directly and it handles the encoding:

curl -u myusername:mypassword https://api.example.com/data
# Equivalent to:
curl -H "Authorization: Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk" https://api.example.com/data

Security considerations

Because Base64 is trivially reversible, Basic Auth credentials are essentially sent in plain text. This means you must only use Basic Auth over HTTPS, never over plain HTTP. If the connection is intercepted, the credentials are immediately readable by anyone who decodes the header.

Many APIs use Basic Auth with an API key as the username and an empty string or a fixed word like "api" as the password. Stripe does this: Authorization: Basic BASE64(sk_test_xxx:). The colon at the end is required even when the password is empty.
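The header construction and the trailing-colon rule described above, as an added example that is not part of the original post: it builds and parses the header in Node.js, rejects a colon in the username (the first colon is the separator), and encodes the pair as UTF-8, which is an assumption about what the server expects. The function names buildBasicAuth and parseBasicAuth are hypothetical, and all credentials are constructed samples.

```javascript
// Added example: helper names are hypothetical, credentials are constructed samples.

// Build the Authorization header value for a username/password pair.
function buildBasicAuth(username, password = "") {
  // The first colon separates the two fields, so the username cannot contain one.
  if (username.includes(":")) {
    throw new Error("username must not contain ':'");
  }
  // Encode the pair as UTF-8 bytes (assumed server charset). btoa() only handles
  // Latin-1: it throws above U+00FF and would emit a single byte for "ü".
  const bytes = Buffer.from(`${username}:${password}`, "utf8");
  return `Basic ${bytes.toString("base64")}`;
}

// Parse a header value back into its parts, as a server or a debugging session would.
function parseBasicAuth(headerValue) {
  if (typeof headerValue !== "string") return null;
  const match = /^Basic +([A-Za-z0-9+\/]+={0,2})$/i.exec(headerValue.trim());
  if (!match) return null; // other scheme, or not Base64
  const decoded = Buffer.from(match[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // split on the FIRST colon only
  if (sep === -1) return null; // no colon: not a credential pair
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed sample values, not real credentials.
const plain = buildBasicAuth("myusername", "mypassword");
const keyOnly = buildBasicAuth("sk_test_xxx"); // empty password, colon still encoded
const nonAscii = buildBasicAuth("jürgen", "pa:ss:wörd"); // colons are fine in the password

console.log(plain);
console.log(keyOnly, parseBasicAuth(keyOnly));
console.log(nonAscii, parseBasicAuth(nonAscii));
```

Anything that can read the header can run the parse step, which is why the header needs the same protection in logs and proxies as the password itself.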

Encoding credentials for testing

When you need to generate the Base64-encoded credential string quickly for a curl command or a Postman header, use our Base64 Encoder. Type username:password, encode it, and prepend "Basic " (the scheme name followed by a space).
