Basic Auth Encoder / Decoder

Encode credentials to HTTP Basic Authentication headers and decode them back.

Home
> Encoder & Decoder >
Basic Auth Encoder / Decoder

Encode

Username:

Password:

Authorization Header:

Base64 Token (without Basic prefix):

Decode

Authorization Header or Base64 Token:

Decoded Username:

Decoded Password:

Show password

What is HTTP Basic Authentication?

HTTP Basic Authentication is a simple authentication scheme defined in RFC 7617 that allows a client to send credentials (username and password) in an HTTP request using the Authorization header.

The format is: Authorization: Basic <base64> where the Base64 value is the username:password string encoded in Base64. For example, admin:password123 becomes YWRtaW46cGFzc3dvcmQxMjM=, resulting in the header Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=.

Important Security Notes

Basic Auth sends credentials in plaintext (Base64 is not encryption)
Always use HTTPS when using Basic Authentication
Consider using more secure alternatives like Bearer tokens or OAuth 2.0
Credentials are sent with every request, increasing exposure risk

How to Use This Basic Auth Encoder/Decoder

Encode — Enter a username and password on the left, then click Encode to generate the Authorization header and Base64 token.
Decode — Paste an Authorization header (with or without the Basic prefix) or a raw Base64 token on the right, then click Decode to extract the credentials.
Show password — Toggle to reveal/hide the password field.
Swap — Click Swap to exchange encode/decode values.

Common Use Cases

API testing — Generate Authorization headers for testing REST APIs that use Basic Authentication in tools like Postman or cURL.
Web scraping — Create Basic Auth headers for accessing password-protected web resources programmatically.
Debugging — Decode Basic Auth headers from HTTP request logs or proxy captures to verify credentials.
Security auditing — Inspect captured Authorization headers to check if credentials are exposed in plaintext.
Configuration — Generate Basic Auth tokens for server configuration files, CI/CD pipelines, or automation scripts.

Frequently Asked Questions

Is Basic Authentication secure?

Basic Authentication sends credentials as Base64-encoded text, which is not encrypted. Base64 is encoding, not encryption — anyone who intercepts the request can decode the credentials instantly. Always use HTTPS to encrypt the entire connection when using Basic Auth.

What is the format of the Authorization header?

The standard format is: Authorization: Basic <base64> where the Base64 value is the Base64 encoding of username:password. The colon between username and password is required. The Basic keyword is case-insensitive but conventionally capitalized.

Can I use special characters in username or password?

Yes. The username and password are concatenated with a colon and then Base64-encoded, so any characters (including Unicode) are supported. The tool correctly handles UTF-8 encoding for special characters.

Does this tool work with the Bearer scheme too?

No. This tool is specifically for the Basic authentication scheme. For Bearer tokens (JWT), please use the JWT Decoder & Validator tool.

Is this tool safe for sensitive credentials?

Yes. All encoding and decoding happens entirely in your browser using JavaScript. No data is sent to any server. Your credentials never leave your device.