Basic Auth
Header Decoder
Instantly decode HTTP Basic Authentication headers to extract the username and password. Also encode credentials, build headers, and inspect auth tokens all privately in your browser.
Decoded username & password will appear here
Decode in Three Steps
No sign-up, no server contact. Paste and decode in seconds.
Paste the Header Value
Copy the Authorization header value from your browser DevTools, curl output, Postman, or API logs and paste it into the input field.
Click Decode
The tool strips the Basic prefix, Base64 decodes the payload, and splits the result on the first : to extract username and password.
Copy or Inspect
Copy the username and password individually with one click. A security warning is shown so you never accidentally expose credentials.
A Complete Basic Auth Toolkit
Decode, encode, and build HTTP Basic Auth headers everything in one private tool.
Smart Header Decoder
Accepts raw Base64, the full Basic … value, or a complete Authorization: Basic … header line the tool auto strips the prefix.
Credential Encoder
Enter a username and password and instantly generate the Base64 encoded token and the full Authorization header, ready to paste into any HTTP client.
Header Builder
Preview the full HTTP request header and copy a ready to run curl command complete with -H flag perfect for terminal testing.
100% Private
All processing runs locally in your browser. Your credentials never leave your device no logs, no server, works fully offline after page load.
Security Warnings
Decoded credentials are shown with a contextual security reminder helping you avoid accidentally sharing sensitive auth tokens.
One-Click Copy
Copy username, password, Base64 token, or the complete header value individually with single click copy buttons on every output field.
Real Basic Auth Header Examples
Common formats you'll encounter when working with APIs and HTTP clients.
Standard Authorization Header
Header → Credentialscurl Command with Basic Auth
curl → HeaderEmpty Password (API Key as Username)
API Key PatternWhen You Need to Decode Basic Auth
Basic Auth headers appear everywhere in API development from local testing to production debugging.
API Debugging & Testing
When reviewing HTTP request logs or network traces in DevTools, decode captured Authorization headers to verify the correct credentials are being sent by your client or SDK.
Postman & API Client Setup
Convert between raw Base64 tokens and username/password pairs when configuring authentication in Postman, Insomnia, or other API clients without manually encoding.
Reverse Engineering Legacy APIs
Inspect Basic Auth headers from older APIs or services to understand the credential format, scheme, and whether special characters in passwords are correctly encoded.
CI/CD & Automation Scripts
Generate and verify Base64 encoded auth tokens for use in shell scripts, GitHub Actions secrets, or CI pipelines that call authenticated REST APIs via curl or wget.
Security Auditing
During security reviews, quickly decode Basic Auth headers found in server logs, HAR files, or intercepted traffic to assess what credentials were exposed in plaintext.
Webhook & Callback Verification
Many webhook providers use Basic Auth for callback endpoint protection. Decode incoming headers to verify that the expected service credentials are present and correct.
The HTTP Authorization Standard
HTTP Basic Authentication (RFC 7617) is a simple authentication scheme built into the HTTP protocol. The client sends an Authorization header whose value is the word Basic followed by a Base64-encoded string of username:password.
Because Base64 is encoding not encryption any party who can read the HTTP header can trivially decode the credentials. This is why Basic Auth must always be used over HTTPS, never plain HTTP.
The colon (:) is the separator between username and password. Usernames may not contain colons, but passwords can the decode splits only on the first colon, preserving colons in passwords correctly.
Security Warning Basic Auth Is Not Encryption
Basic Auth encodes credentials using Base64 a reversible encoding, not encryption. Anyone who intercepts the Authorization header can decode the username and password in seconds, as this tool demonstrates.
Always use HTTPS when transmitting Basic Auth headers. Over plain HTTP, credentials are fully exposed to anyone on the network path. Consider moving to OAuth 2.0, API keys with token rotation, or JWT for better security in production systems.
This tool processes everything locally your credentials never leave your browser. It is intended for development, debugging, and educational purposes only.
Frequently Asked Questions
Everything you need to know about HTTP Basic Authentication.
Authorization: Basic … request header. It is built into HTTP and supported by virtually every HTTP client and server.Basic keyword identifies the authentication scheme. HTTP supports multiple authentication schemes (Bearer, Digest, NTLM, etc.), each with its own format. The word before the space tells the server which scheme is being used, so it knows how to parse and validate the credentials.dXNlcjpwYXNz), (2) the Basic Auth value with prefix (Basic dXNlcjpwYXNz), and (3) a full header line (Authorization: Basic dXNlcjpwYXNz). The prefix and header name are automatically stripped.atob and btoa functions. Your credentials are never transmitted anywhere. The tool works completely offline after the page loads safe to use with real credentials during development.-u flag: curl -u username:password https://api.example.com/. curl automatically Base64-encodes the credentials and adds the Authorization: Basic … header. Use the Header Builder tab to generate the exact header value or copy a ready-made curl command.