About Basic Auth Generator

Base64-encode user:pass into an HTTP Basic Authorization header. Part of the DevTools Surf developer suite. Browse more tools in the Networking collection.

Use Cases

• Backend devs generating auth headers for internal API testing
• DevOps engineers configuring webhook authentication headers
• QA testers setting up Authorization headers in Postman
• Developers authenticating against private Docker registries

Tips

• Paste username and password to get the full header value
• Output includes the base64-encoded user:pass format
• Copy the Authorization header directly into API requests

Fun Facts

• HTTP Basic Authentication was defined in the original HTTP/1.0 specification (RFC 1945) in 1996, making it one of the oldest web authentication schemes still in use.
• Basic Auth transmits credentials as base64 — not encryption — meaning it's only secure over HTTPS. Despite this, it remains widely used for internal APIs and CI/CD webhooks.
• The colon (:) is the only character that cannot appear in a Basic Auth username because it serves as the delimiter between username and password in the encoded string.

FAQ

What's HTTP Basic authentication?

Base64-encoded user:password in the Authorization header: `Authorization: Basic dXNlcjpwYXNz`. Defined in RFC 7617. Simple, universal, and unencrypted without HTTPS.

Is Basic auth secure?

Only over HTTPS. Base64 is encoding, not encryption — anyone who sees the header sees the password. Always use with TLS.

When should I use it?

Internal APIs, CI/CD webhooks, server-to-server calls where complexity budgets are low. For user-facing auth, use cookies or OAuth.