
What is an HTTP Basic Auth Header Generator?

An HTTP Basic Auth Header Generator produces an HTTP Basic Auth header on demand, using a deterministic algorithm or a cryptographically strong random source. Output is generated entirely in your browser, so nothing is sent to a server. It combines username:password, Base64-encodes the result, and outputs an `Authorization: Basic xxxxx` header.

HTTP Basic Auth Header Generator

Generate HTTP Basic Auth headers from user + pass. Base64-encoded, ready to paste into curl, Postman, or fetch.


TLDR

Type a username and password, then click Generate. The page produces `Authorization: Basic base64(user:pass)` plus a curl example. Common for HTTP APIs, .htaccess, and reverse-proxy basic auth.

Runs entirely in your browser. No upload, no signup, no logging. Output is for personal or commercial use; we don't claim any rights.

How to use this tool

  1. Enter your inputs. Each field is labeled with what it expects.
  2. Read the result instantly. Numbers update as you type or change inputs.
  3. Adjust to test sensitivity. Change one input at a time to see what moves the result most.
  4. Cross-check the formula in the section below if you want to verify the math.
  5. Copy or screenshot the result for later. The site does not save anything; close the tab and inputs are gone.

About this tool + how it works

This tool runs 100% in your browser - the libraries load from a public CDN and the math runs on your device. Nothing is uploaded to a server. The underlying logic is:

credentials = username + ':' + password
encoded = btoa(credentials)
header = 'Authorization: Basic ' + encoded

You can verify by opening the browser developer tools and watching the Network tab; you'll see no requests fired during normal use beyond the initial page and library load.

What HTTP Basic Authentication actually is

HTTP Basic Authentication is the simplest way to attach credentials to a web request, defined in RFC 7617. The client joins the username and password with a colon, Base64-encodes the result, and sends it in an Authorization: Basic header. The server decodes it, checks the credentials, and grants or denies access. It is widely used for internal APIs, scripts, and quick integrations because every HTTP client supports it out of the box.

| Input | Joined | Base64 header |
|---|---|---|
| user / pass | user:pass | Authorization: Basic dXNlcjpwYXNz |
| admin / s3cret | admin:s3cret | Authorization: Basic YWRtaW46czNjcmV0 |
| api / key123 | api:key123 | Authorization: Basic YXBpOmtleTEyMw== |

Base64 is encoding, not encryption

The most important thing to understand about Basic Auth is that Base64 is reversible. Anyone who sees the header can decode it back to the plaintext username and password in one step. It provides zero confidentiality on its own.

  • Always use HTTPS. Over plain HTTP the credentials travel in effectively clear text and can be read by anyone on the network path.
  • Do not treat the header as a secret-keeping mechanism. Encoding hides nothing; it only packs the colon-joined string into header-safe ASCII.
  • Prefer tokens for public APIs. Bearer tokens and OAuth let you scope and revoke access without exposing a reusable password on every request.
  • Rotate leaked credentials immediately. Because the password is sent on every call, a single intercepted request exposes it until you change it.

Common Basic Auth mistakes and pitfalls

  • Sending Basic Auth over HTTP. Without TLS the Base64 header is trivially decoded in transit; only ever use it on HTTPS endpoints.
  • Forgetting the colon. The encoded string must be username, then a colon, then password; a missing or extra colon produces a header the server rejects.
  • Encoding the whole header instead of the credentials. Base64 applies only to "username:password", not to the word "Basic" or the header name.
  • A colon inside the username. The first colon separates the fields, so a username containing a colon breaks parsing; passwords may contain colons safely.
  • Hardcoding the header in shared code. Committing a Base64 header to a repository is the same as committing the plaintext password, since it decodes instantly.


Frequently asked questions

How is an HTTP Basic Auth header built?

Join the username and password with a colon, Base64-encode that string, and prefix it with "Basic ". So "user:pass" encodes to "dXNlcjpwYXNz" and the full header is "Authorization: Basic dXNlcjpwYXNz". The server reverses the process to read the credentials.

Is Basic Auth secure?

Only over HTTPS. Base64 is encoding, not encryption, so the header can be decoded back to the plaintext password by anyone who sees it. On a TLS connection the transport layer protects it, but on plain HTTP the credentials are effectively sent in the clear. Never use Basic Auth without HTTPS.

Can the Base64 header be decoded back to the password?

Yes, instantly. Base64 is a fully reversible transform, so decoding "dXNlcjpwYXNz" returns "user:pass" with no key required. That is why a Basic Auth header should be treated as if it were the plaintext password, and never committed to a repository or logged.
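
Because a Basic header is equivalent to the plaintext password, it is worth scrubbing from logs and catching in code before commit. The following is an added JavaScript example, not part of this tool; the function names and the sample text are constructed for illustration.

```javascript
// Matches "Basic <base64>" wherever it appears in a line of text.
const BASIC_RE = /\bBasic\s+([A-Za-z0-9+\/]{4,}={0,2})/g;

// True only if the token is padded Base64 that decodes to printable "user:pass".
function looksLikeCredentials(b64) {
  if (b64.length % 4 !== 0) return false; // btoa output is always padded
  try {
    const text = atob(b64);
    return text.indexOf(":") > 0 && /^[\x20-\x7e\x80-\xff]+$/.test(text);
  } catch {
    return false; // not valid Base64
  }
}

// Report line number and username only; the password is never returned.
function findBasicCredentials(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(BASIC_RE)) {
      if (!looksLikeCredentials(m[1])) continue;
      const decoded = atob(m[1]);
      findings.push({ line: idx + 1, username: decoded.slice(0, decoded.indexOf(":")) });
    }
  });
  return findings;
}

// Replace every credential-bearing token before the text is stored or shared.
function redactBasicCredentials(text) {
  return text.replace(BASIC_RE, (whole, b64) =>
    looksLikeCredentials(b64) ? "Basic [REDACTED]" : whole);
}

// Constructed sample: two real-looking headers, one false-positive candidate, one Bearer token.
const SAMPLE = [
  'curl -H "Authorization: Basic dXNlcjpwYXNz" https://api.example.test/v1/items',
  'const headers = { Authorization: "Basic YWRtaW46czNjcmV0" };',
  "Basic usage notes for the API",
  "Authorization: Bearer abc.def.ghi",
].join("\n");

console.log(findBasicCredentials(SAMPLE));
console.log(redactBasicCredentials(SAMPLE));
```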

What happens if the username contains a colon?

It breaks. The server splits on the first colon to separate username from password, so a colon in the username makes everything after it part of the password. Usernames must not contain a colon; passwords, however, may contain colons safely because only the first one is treated as the delimiter.
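
The colon rule, seen from both the client and the server side, as an added JavaScript example (not this tool's own code). The function names are illustrative, and encoding the credentials as UTF-8 before Base64 is an assumption; a bare `btoa` call throws on characters outside Latin-1.

```javascript
const enc = new TextEncoder();
const dec = new TextDecoder("utf-8", { fatal: true }); // throw on invalid UTF-8

function toBase64(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

function fromBase64(b64) {
  const bin = atob(b64); // throws on invalid Base64
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Client side: refuse input that cannot survive the first-colon split.
function buildBasicAuth(username, password) {
  if (username.includes(":")) {
    throw new Error("username must not contain ':'");
  }
  if (/[\x00-\x1f\x7f]/.test(username + password)) {
    throw new Error("control characters are not allowed");
  }
  return "Basic " + toBase64(enc.encode(username + ":" + password));
}

// Server side: split on the FIRST colon only; return null for anything malformed.
function parseBasicAuth(value) {
  const m = /^Basic +([A-Za-z0-9+\/]+={0,2})$/i.exec(value.trim());
  if (!m) return null;
  let text;
  try {
    text = dec.decode(fromBase64(m[1]));
  } catch {
    return null;
  }
  const i = text.indexOf(":");
  if (i < 0) return null;
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}

// A colon in the password survives the round trip; one in the username would not.
console.log(parseBasicAuth(buildBasicAuth("api", "key:123")));
```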

When should I use a token instead of Basic Auth?

For anything public-facing or long-lived, prefer a bearer token or OAuth. Tokens can be scoped to specific permissions and revoked without changing the account password, whereas Basic Auth sends the reusable password on every request. Basic Auth is best reserved for internal services, scripts, and quick integrations behind HTTPS.