Base64 in HTTP Basic Authentication

How HTTP Basic Authentication uses Base64 to encode credentials. Learn the format, security implications, and proper implementation with HTTPS.

Format

Detailed Explanation

HTTP Basic Authentication, defined in RFC 7617, uses Base64 encoding to transmit user credentials in HTTP request headers. It is one of the simplest authentication schemes but has important security considerations.

How it works:

  1. The client combines the username and password with a colon separator: username:password.
  2. This string is Base64-encoded: dXNlcm5hbWU6cGFzc3dvcmQ=.
  3. The encoded string is sent in the Authorization header with the Basic prefix.

GET /api/resource HTTP/1.1
Host: api.example.com
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Constructing the header in various languages:

JavaScript:

// username, password and url are assumed to be defined already.
// btoa() accepts only Latin-1 strings; credentials with other characters need UTF-8 handling first.
const credentials = btoa(`${username}:${password}`);
fetch(url, {
  headers: { "Authorization": `Basic ${credentials}` }
});

Python:

import base64, requests
credentials = base64.b64encode(f"{username}:{password}".encode()).decode()
requests.get(url, headers={"Authorization": f"Basic {credentials}"})
# Or simply: requests.get(url, auth=(username, password))

cURL:

curl -u username:password https://api.example.com/resource
# curl automatically Base64-encodes and adds the header

Security considerations:

Base64 is NOT encryption. Anyone who intercepts the Authorization header can trivially decode the credentials:

atob("dXNlcm5hbWU6cGFzc3dvcmQ=") // "username:password"

This is why HTTP Basic Auth MUST always be used over HTTPS (TLS). The encryption happens at the transport layer, not in the encoding. Without HTTPS, credentials are sent in plaintext (Base64 is just a text representation, not protection).

When Basic Auth is appropriate:

  • Server-to-server API calls where both sides are under your control and use HTTPS.
  • Internal tools and development environments.
  • Simple integrations where OAuth would be overkill.

When to avoid Basic Auth:

  • User-facing login forms (use session-based auth or OAuth instead).
  • APIs where credentials would need to be stored in client-side code.
  • Any context where HTTPS cannot be guaranteed.

Common mistake: mishandling a colon in the password (for example, splitting the decoded string on every colon). The RFC states that the username must not contain a colon, but the password may. The split happens at the first colon only: admin:p4ss:word is username admin with password p4ss:word.
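The following added example (not code from the original page) shows both halves of the scheme in one place: building the header exactly as the steps above describe, and a server-side parser that decodes it, rejects malformed values, splits at the first colon only so a password such as p4ss:word survives, refuses to authenticate over plain HTTP, and compares against a salted password hash with a constant-time comparison. The user store, salts and credentials are constructed placeholders for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Client side: produce the Authorization header value per RFC 7617."""
    if ":" in username:
        raise ValueError("username must not contain a colon")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: decode a Basic header into (username, password).

    Returns None for anything that is not well-formed Basic auth. The split is
    done at the FIRST colon only, so a password may itself contain colons.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    username, sep, password = text.partition(":")
    if not sep:          # no colon at all: not a valid user-pass string
        return None
    return username, password


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed demo credential store: username -> (salt, password hash).
# "svc_payments" models the payment-gateway use case: API key as the
# username with an empty password.
_SALT_ADMIN = b"constructed-salt-admin"
_SALT_SVC = b"constructed-salt-svc"
_DUMMY_SALT = b"constructed-dummy-salt"
USERS = {
    "admin": (_SALT_ADMIN, hash_password("p4ss:word", _SALT_ADMIN)),
    "svc_payments": (_SALT_SVC, hash_password("", _SALT_SVC)),
}


def authenticate(header: str, is_https: bool) -> bool:
    """Accept only over HTTPS, only for a well-formed header, only if the hash matches."""
    if not is_https:
        # Base64 is not encryption: never accept credentials on a plaintext connection.
        return False
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    username, password = parsed
    salt, expected = USERS.get(username, (_DUMMY_SALT, None))
    candidate = hash_password(password, salt)   # always hash, so unknown users cost the same
    if expected is None:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    header = build_basic_header("admin", "p4ss:word")
    print(header)
    print(parse_basic_header(header))
    print("https ok:", authenticate(header, is_https=True))
    print("http rejected:", authenticate(header, is_https=False))
```

Decoding the header is all an interceptor needs, which is why authenticate() checks the transport before looking at the credentials; the hash comparison via hmac.compare_digest avoids leaking which bytes of a guess were correct through timing.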

Use Case

Authenticating API requests to a payment gateway that requires HTTP Basic Authentication with the API key as the username and an empty password.
