Encode HTTP Basic Auth Credentials Into an Authorization Header
Type a username and password and instantly get the Base64-encoded Authorization: Basic header your client needs. Everything runs in your browser — no credentials ever leave this page.
Authorization Header
Base64 token only
How the Authorization: Basic header is built
HTTP Basic Authentication is defined by RFC 7617. The scheme is deliberately simple, which is exactly why it is so widely used for internal APIs, registry logins, and quick scripts. This generator reproduces the algorithm step by step:
- Join the username and password with a single colon:
username + ":" + password. The username itself must not contain a colon — the first colon is the delimiter, and any later colons belong to the password. - Convert that string to bytes. RFC 7617 recommends UTF-8, so multi-byte characters (accents, emoji, CJK) are encoded before Base64. The tool does this by URI-encoding then mapping each percent-escape back to a raw byte, which produces correct UTF-8 octets in pure JavaScript.
- Base64-encode the byte sequence with the standard 64-character alphabet (
A–Z a–z 0–9 + /) and=padding. Every 3 bytes become 4 characters, so the token length is4 × ceil(n / 3)characters for n input bytes. - Prefix the literal scheme name:
Authorization: Basic <token>.
For example aladdin:opensesame is 18 ASCII bytes, so the token is 4 × ceil(18/3) = 24 characters with no padding: YWxhZGRpbjpvcGVuc2VzYW1l. Because Base64 is reversible, this header is encoding, not encryption — anyone who intercepts it can decode the password in one step. That is the single most important fact about Basic auth: it provides identification, not confidentiality, so it must only ever travel over HTTPS where TLS supplies the secrecy. The note below this tool flags weak inputs and reminds you when the credentials look guessable. Use it for testing, local services, and CI scripts — never paste production secrets into a header you log or commit.
Quick reference
| Item | Value |
|---|---|
| Scheme | Basic (RFC 7617) |
| Encoding | Base64 of user:pass bytes |
| Reversible? | Yes — decode-safe, not secure |
| Token length | 4 × ceil(bytes / 3) |
| Transport | HTTPS only |