Using Base64 for API Authentication
HTTP Basic Authentication Explained
HTTP Basic Authentication is one of the oldest and simplest API authentication mechanisms, defined by RFC 7617. Its principle is very straightforward: the client Base64-encodes a "username:password" string, then includes it in the HTTP request header as Authorization: Basic [Base64-encoded value]. The server decodes and verifies the credentials.
# Generate Basic Auth header
import base64

def make_basic_auth(username, password):
    credentials = f"{username}:{password}"
    encoded = base64.b64encode(credentials.encode('utf-8')).decode('ascii')
    return f"Basic {encoded}"

header = make_basic_auth("admin", "secret123")
print(header)
# Basic YWRtaW46c2VjcmV0MTIz

# Use with requests library
import requests

response = requests.get(
    'https://api.example.com/data',
    auth=('admin', 'secret123')  # requests handles the Base64 encoding itself
)
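The receiving side of the same exchange, as an added example that is not part of the original post: a server parsing and checking the header the way RFC 7617 describes (scheme name matched case-insensitively, malformed Base64 rejected, the user-id taken up to the first colon only, and a constant-time comparison). The sample header is the one the post's make_basic_auth() produces; everything else here is hypothetical.

```python
# Added example: server-side handling of an "Authorization: Basic ..." header
# as RFC 7617 describes (not code from the original post).
import base64
import hmac

def parse_basic_auth(header_value):
    """Return (username, password) from a Basic header value, or None if malformed.

    The scheme name is case-insensitive, the credentials are UTF-8, and the
    user-id is everything before the FIRST colon, so a password may itself
    contain colons.
    """
    if not header_value:
        return None
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except ValueError:  # bad Base64 alphabet/padding, non-ASCII input, or non-UTF-8 payload
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password

def verify_basic_auth(header_value, expected_user, expected_password):
    """Check one header against one known credential pair.

    Both comparisons use hmac.compare_digest so the response time does not
    reveal how many leading bytes of a guess were right.
    """
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(creds[1].encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok

if __name__ == "__main__":
    # Constructed sample: the header the post's make_basic_auth() produces.
    sample = "Basic YWRtaW46c2VjcmV0MTIz"
    print(parse_basic_auth(sample))                          # ('admin', 'secret123')
    print(verify_basic_auth(sample, "admin", "secret123"))   # True
```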
Security Risks of Basic Auth
It must be emphasized again: Base64 is not encryption. Credentials in HTTP Basic Auth are merely Base64-encoded, and anyone who can intercept HTTP traffic can immediately decode them. Therefore, HTTP Basic Auth must always be used with HTTPS (TLS) and must never be used over plain HTTP connections.
Another risk is that credentials are sent with every request, increasing exposure opportunities. Modern API design generally prefers token-based authentication schemes (like OAuth 2.0, JWT), sending credentials only during initial authentication, then using expiring tokens for subsequent requests, reducing the risk of credential exposure.
Basic Auth Pattern Used by Stripe and Similar APIs
Some well-known APIs (like Stripe) use a variant of HTTP Basic Auth: using the API Key as the username, with the password left empty. The API Key is Base64-encoded and placed in the Authorization header as Basic [Base64("api_key:")] (note the colon with no password after it, but the colon is required).
# Stripe API-style authentication
import base64
import requests

api_key = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
credentials = base64.b64encode(f"{api_key}:".encode()).decode()

response = requests.get(
    "https://api.stripe.com/v1/charges",
    headers={"Authorization": f"Basic {credentials}"}
)
Base64's Role in OAuth 2.0
In OAuth 2.0's Client Credentials Flow, the client needs to send client_id and client_secret to the authorization server. Per RFC 6749, the recommended approach is to Base64-encode "client_id:client_secret" and place it in the Authorization header, which is exactly the HTTP Basic Auth format.
Furthermore, OAuth's PKCE extension uses Base64URL to encode the code_challenge, while OAuth tokens (access tokens, refresh tokens) issued in JWT format use Base64URL to encode their header and payload. Base64 is clearly pervasive throughout modern API authentication systems.
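Both encodings the two paragraphs above name, as an added example that is not from the original post: the client-credentials Basic header built the way RFC 6749 section 2.3.1 specifies (the id and secret are form-urlencoded before they are joined with a colon, so a secret containing ':' or '%' stays unambiguous), and the PKCE S256 code_challenge from RFC 7636, which uses Base64URL without padding. The client id and secret values are constructed placeholders.

```python
# Added example (not from the original post): the two OAuth 2.0 encodings the
# text mentions, implemented per RFC 6749 section 2.3.1 and RFC 7636.
import base64
import hashlib
import secrets
from urllib.parse import quote

def client_credentials_header(client_id, client_secret):
    """Authorization header for the client credentials grant.

    RFC 6749 requires id and secret to be form-urlencoded BEFORE they are
    joined with ':' and Base64-encoded; the result is the Basic Auth format.
    """
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")

def base64url_nopad(data):
    """Base64URL without '=' padding, as PKCE and JWT require."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def make_code_verifier():
    """43-128 chars from [A-Za-z0-9-._~]; 32 random bytes give 43 chars."""
    return base64url_nopad(secrets.token_bytes(32))

def make_code_challenge(code_verifier):
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64url_nopad(digest)

def verify_code_challenge(code_verifier, code_challenge):
    """The authorization server's check at the token endpoint."""
    return secrets.compare_digest(make_code_challenge(code_verifier), code_challenge)

if __name__ == "__main__":
    # Constructed placeholder credentials, not real ones.
    print(client_credentials_header("my-app", "s3cr:et"))
    verifier = make_code_verifier()
    print(len(verifier), make_code_challenge(verifier))
```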
Testing Basic Auth APIs with curl
# curl natively supports Basic Auth and handles the Base64 encoding automatically
curl -u username:password https://api.example.com/endpoint

# Equivalent manual approach (echo -n so the trailing newline is not encoded too)
ENCODED=$(echo -n "username:password" | base64)
curl -H "Authorization: Basic $ENCODED" https://api.example.com/endpoint

# Test Stripe API
curl -u sk_test_YOUR_KEY: https://api.stripe.com/v1/customers

# POST request example
curl -u admin:password \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"name":"test"}' \
  https://api.example.com/resource
Configuring Basic Auth in Postman
Postman has built-in Basic Auth support, so no manual encoding is needed. In the request's Authorization tab, select "Basic Auth" type and enter the username and password; Postman automatically generates the correct Authorization header. This is very convenient when testing APIs, and you can also see the generated Base64 encoded value in Postman's request header preview.
If you need to test an API using a non-standard format (like requiring Base64URL instead of standard Base64), you can first manually generate the encoded value in our online tool, then select "No Auth" in Postman and manually add the Authorization header.
Security Recommendations Summary
Security recommendations for using Basic Auth: (1) always use HTTPS, never HTTP; (2) consider using API Keys instead of username/password, since API Keys can be revoked at any time without affecting account passwords; (3) create separate credentials for each client or integration for independent revocation; (4) set IP whitelisting or rate limiting to prevent abuse after credential exposure; (5) regularly rotate credentials.
In production environments, never hardcode Base64-encoded credentials in source code or version control systems. Use environment variables, secret management services (like AWS Secrets Manager, HashiCorp Vault), or the operating system's keychain to store sensitive credentials.