How does HTTP Basic auth work?

The client sends an Authorization header of the form Basic , where the token is the Base64 encoding of username:password. The server decodes it and checks the credentials. Base64 is not encryption - it is trivially reversible - so Basic auth is only safe over HTTPS, where the whole request including the header is encrypted in transit.

Is Basic auth secure?

Over HTTPS it is acceptable for machine-to-machine and internal tools, because the connection encrypts the header. Over plain HTTP it is unsafe - anyone on the path can read the credentials by decoding the Base64. Never use Basic auth without TLS, and prefer tokens or OAuth for user-facing apps where you do not want to send the password on every request.

Is my password sent anywhere?

No. The encoding happens entirely in your browser - your username and password are never sent to a server by this tool. It is just Base64 of username:password, computed locally.

Free tool · Runs in your browser · Nothing uploaded

Basic auth header.

Turn a username and password into an Authorization: Basic header and the matching curl command — or decode a Basic header back to credentials. All local; your password never leaves the page.

Username

Password

Authorization header

curl with header

curl with -u

Base64 is not encryption — Basic auth is only safe over HTTPS.

Simple, and only safe with TLS

Basic auth is the simplest thing that works: Base64 of user:password in a header. That simplicity makes it perfect for scripts, internal tools, and machine-to-machine calls — and dangerous the moment it crosses plain HTTP, because anyone on the wire can decode it instantly. The rule is short: Basic auth is fine over HTTPS and never acceptable without it. For user-facing apps, reach for tokens so you are not replaying the password on every request.

Related free tools

Production-ready checkerScore your deploy Deploy error decoderDecode any deploy error CORS config generatorFix CORS the right way Cache-Control builderBuild a Cache-Control header

All free tools →

Free tools for the backend you run.

One of a set of free developer tools from Infraveil — the control plane for running, securing, and watching your backend on servers you own. Browse the rest, no signup.

See all free tools

Get the backend toolkit

Practical tools and guides for shipping and running a backend you own. No spam.