Is Basic auth secure?

Only when the connection is HTTPS. The Base64 is reversible — anyone who captures the header can decode it. Treat the token like a plaintext password.

Why does the username warning fire on a colon?

The Basic auth grammar splits on the FIRST colon. If the username contains `:`, the server reads everything after the first `:` as the password and your real password is appended to the username on the wire.

HTTP Basic Auth Encoder / Decoder

Network

RFC 7617 Basic auth is just `base64(username:password)` glued onto an `Authorization: Basic` header. This tool does the encode and decode round-trip in the browser — no network call — and emits a ready-to-paste curl snippet. Warnings catch the common pitfalls: a colon in the username (Basic uses the first `:` as the divider so the credentials parse wrong), non-ASCII characters (RFC 7617 lets you pick a charset but most servers expect UTF-8), and empty credentials.

—

UsernamePasswordShow password

Base64 token

YWxpY2U6d29uZGVybGFuZA==

Authorization header

Authorization: Basic YWxpY2U6d29uZGVybGFuZA==

curl example

curl -H "Authorization: Basic YWxpY2U6d29uZGVybGFuZA==" https://api.example.com

Basic auth is base64(`user:pass`). It is reversible — only safe over HTTPS, and use a different mechanism (Bearer, mTLS) when you can.

How to use

Encode mode: type a username and password — the Base64 token, full `Authorization` header, and a curl command appear below.
Decode mode: paste any `Authorization: Basic …` line (or just the Base64 part) to see the username and password that's inside.
Copy whichever output you need — Basic creds belong only over HTTPS.

Frequently asked questions

Is Basic auth secure?: Only when the connection is HTTPS. The Base64 is reversible — anyone who captures the header can decode it. Treat the token like a plaintext password.
Why does the username warning fire on a colon?: The Basic auth grammar splits on the FIRST colon. If the username contains `:`, the server reads everything after the first `:` as the password and your real password is appended to the username on the wire.

Related tools

IP Address Inspector

Type an IPv4 or IPv6 address and see its class, scope (private / public / loopback / link-local), decimal value, binary, reverse-DNS notation, and /32 CIDR.

Network00

Port Number Reference

Searchable cheat sheet for ~60 standard TCP / UDP port numbers — from 22 (SSH) and 80 (HTTP) to 6379 (Redis) and 27017 (MongoDB).

Network00

DNS Record Reference

Searchable cheat sheet for DNS record types — A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSSEC, SVCB / HTTPS — with examples.

Network00

Subnet Calculator (IPv4 / CIDR)

Parse an IPv4 CIDR into network address, broadcast, netmask, wildcard, host range, and class. Shows binary breakdown and private/public status.

Network00

User Agent Parser

Parse a User-Agent string into browser, engine, OS, device, and CPU. Detects 20+ bots including GPTBot, ClaudeBot, PerplexityBot.

Network00

HTTP Status Code Reference

Searchable list of every HTTP status code (1xx-5xx) with summary, RFC, when to use, and common pitfalls.

Network00