Auth Header Generator

Generate HTTP Authorization headers for Basic Auth (Base64-encoded credentials), Bearer token (OAuth 2.0 / JWT), and custom API key authentication — encode, decode, and copy headers ready for Postman, curl, fetch, and any REST client.

Auth Header Generator: Enter your username/password or API token to generate the correct HTTP Authorization header. Supports Basic Auth (Base64-encoded credentials), Bearer tokens, and API key headers. Copy the header for use in API testing tools.

Loading Tool...

This tool requires JavaScript to run.

Please enable JavaScript in your browser to use this free online tool. All processing happens locally in your browser for maximum privacy and speed.

Key Takeaways

Generates HTTP Basic Auth headers with Base64-encoded credentials
Creates Bearer token Authorization headers for OAuth/JWT APIs
Supports API key headers in various formats (header, query, cookie)
Basic Auth format: Authorization: Basic base64(username:password)
Always use HTTPS when sending credentials — Basic Auth is not encrypted

What is Auth Header Generator?

Auth Header Generator — An Auth Generator is a free tool that creates HTTP Basic Authentication headers, Bearer token headers, and API key configurations for testing and development.

This free auth header generator lets you create, encode, and decode HTTP Authorization headers directly in your browser without command-line tools. Build Basic Auth headers by entering a username and password to produce a Base64-encoded credential string in the standard 'Authorization: Basic <base64>' format. Generate Bearer token headers for OAuth 2.0, JWT, and personal access token workflows. Configure custom API key headers with flexible header names like X-API-Key, Authorization, or any provider-specific key. Each output is copy-ready for Postman, curl, Insomnia, HTTPie, and frontend fetch/axios requests — ideal for developers, QA engineers, and DevOps teams testing REST APIs and microservice integrations.

How to Use Auth Header Generator

1
Select the Basic Auth Encode tab, enter your username and password, and instantly generate the Base64-encoded Authorization header string.
2
Switch to Basic Auth Decode to paste an existing Base64 header and recover the original username:password credentials for debugging API authentication failures.
3
Use the Bearer Token tab to wrap your OAuth 2.0, JWT, or personal access token in a properly formatted 'Authorization: Bearer <token>' header.
4
Configure the API Key tab with a custom header name (X-API-Key, api-key, etc.) and your key value for provider-specific authentication.
5
Copy any generated header with one click and paste it into Postman, curl, Insomnia, or your application code.

Key Features

Basic Auth header generation with automatic Base64 encoding of username:password credentials

Base64 decode for existing Basic Authorization headers to recover original credentials

Bearer token header formatting for OAuth 2.0, JWT, and personal access token authentication

Custom API key header generation with configurable header names and placement options

One-click copy output formatted for Postman, curl, Insomnia, HTTPie, and fetch/axios code

Client-side processing — credentials never leave your browser for maximum security

Use Cases

Preparing HTTP Authorization headers for REST API testing and integration QA in Postman or curl

Debugging 401 Unauthorized errors by decoding Base64 Basic Auth credentials to verify username and password

Creating standardized authentication header templates for team API documentation and onboarding guides

Rapidly switching between Basic Auth, Bearer token, and API key authentication methods during multi-service testing

Generating OAuth 2.0 Bearer headers for JWT-based microservice communication testing

About Auth Header Generator

HTTP Authentication Schemes Compared

Scheme	Header format	RFC	Security
Basic Auth	`Authorization: Basic [base64(user:pass)]`	RFC 7617	Low (Base64 ≠ encryption; needs HTTPS)
Bearer (OAuth 2.0)	`Authorization: Bearer [token]`	RFC 6750	Medium-High (token expires, scoped)
Digest Auth	`Authorization: Digest [...]`	RFC 7616	Medium (mostly obsolete)
API Key	`X-API-Key: [key]` (varies)	No standard	Medium (long-lived, often single-use)
AWS Signature v4	`Authorization: AWS4-HMAC-SHA256 [...]`	AWS spec	High (request-signed, time-limited)
HMAC custom	`Authorization: HMAC-SHA256 [...]`	Custom	High (replay-protected if done right)

Basic Auth Anatomy

Basic Authentication (RFC 7617) is simple but critical to get right:

Combine username and password with a colon: alice:s3cret123
Base64-encode the result: YWxpY2U6czNjcmV0MTIz
Prepend with "Basic ": Basic YWxpY2U6czNjcmV0MTIz
Send as the Authorization header value

Critical: Base64 is encoding, NOT encryption. Anyone intercepting the request can decode and read the credentials. Basic Auth must always be used over HTTPS. Even then, prefer Bearer tokens or API keys for production use — Basic Auth has no expiration / rotation built in.

Bearer Tokens: OAuth 2.0 Standard

Bearer tokens (RFC 6750) are the modern standard for API authentication. The token is opaque to the client — typically a JWT (JSON Web Token, RFC 7519) or a reference/opaque token that the server looks up. The format is simple: Authorization: Bearer eyJhbGc.... Bearer tokens have key advantages over Basic Auth:

Expiration: tokens have exp claims; expired tokens are rejected
Scoped: tokens grant specific permissions (read-only, admin, etc.)
Revocable: tokens can be invalidated server-side without changing user credentials
Stateless verification: JWTs are self-contained — no DB lookup needed
Refreshable: short-lived access tokens + long-lived refresh tokens

See our JWT Decoder to inspect token claims.

API Key Patterns Across Services

Service	Header / format	Key format
Stripe	`Authorization: Bearer sk_live_...`	`sk_live_` or `sk_test_` prefix
OpenAI	`Authorization: Bearer sk-...`	`sk-` prefix, 51 chars
SendGrid	`Authorization: Bearer SG.[key]`	`SG.` prefix
Twilio	`Authorization: Basic [base64(SID:auth_token)]`	Account SID + Auth Token (Basic)
GitHub	`Authorization: token ghp_...` or `Bearer`	`ghp_` personal, `gho_` OAuth
AWS	`Authorization: AWS4-HMAC-SHA256 [signature]`	Access key ID + signed request
Google Cloud	`Authorization: Bearer [OAuth2 token]`	OAuth2 access token
Mailchimp	`Authorization: Basic [base64(anystring:apikey)]`	API key as password

Common Debugging Scenarios

401 Unauthorized: bad credentials, expired token, or missing Authorization header. Verify header format and credentials.
403 Forbidden: credentials valid but lack permission. Different from 401 — check user roles / token scopes.
Token works in Postman but not in code: Postman uses different default URL encoding; check that special chars in tokens aren't double-encoded.
Basic Auth works locally, fails in production: often an HTTPS issue — some platforms enforce HTTPS for Basic Auth headers.
Bearer token rejected: verify the issuer (iss), audience (aud), and expiration (exp) in the JWT. Server clock skew >30s causes "not yet valid" failures.
API key with special chars failing: check URL encoding — characters like +, =, / in keys need encoding when in URLs.
CORS blocking auth: server must allow Authorization in Access-Control-Allow-Headers, and Authorization isn't a "simple" header — triggers preflight.

Command-Line Equivalent

For Basic Auth, a common CLI approach is `echo -n 'user:pass' | base64`. This tool produces the same output with a visual workflow and built-in decode support.

Common Debugging Issue

If auth fails, check for extra spaces, missing prefixes (`Basic` or `Bearer`), incorrect header names, and token expiration before retrying requests.

Frequently Asked Questions

What is HTTP Basic Authentication and how does Base64 encoding work?: HTTP Basic Authentication is defined in RFC 7617. It combines username and password as 'username:password', Base64-encodes the string, and sends it as 'Authorization: Basic <encoded-value>'. Base64 is an encoding scheme (not encryption), so Basic Auth must always be used over HTTPS to protect credentials in transit.
How do I decode an existing Basic Auth header to see the username and password?: Paste the full 'Authorization: Basic ...' header or just the Base64 string into the decode tab. The tool instantly reverses the Base64 encoding to reveal the original username:password pair — useful for debugging 401 errors and verifying credential mismatches in API integrations.
What is a Bearer token and when should I use Bearer authentication?: Bearer tokens are opaque access tokens (often JWTs from OAuth 2.0 flows) sent as 'Authorization: Bearer <token>'. Use Bearer auth for modern REST APIs, single-page applications, mobile apps, and microservice-to-microservice communication where tokens have scoped permissions and expiration times.
What is the difference between Basic Auth, Bearer tokens, and API key authentication?: Basic Auth sends Base64-encoded username:password credentials per request. Bearer tokens use short-lived access tokens from OAuth/JWT flows. API keys are static secrets sent via custom headers (X-API-Key) or query parameters. Bearer tokens offer the best security for production APIs; Basic Auth is common for internal tools; API keys are simplest for third-party service integrations.
Can I use generated auth headers in Postman, curl, and Insomnia?: Yes. Copy the generated header and paste it as a raw header in Postman's Headers tab, as a '-H' flag in curl commands, or in Insomnia's header configuration. The output is formatted exactly as HTTP clients expect.
Is this auth header generator free and are my credentials secure?: Yes, completely free with no signup required. All encoding and decoding runs client-side in your browser using JavaScript — your passwords, tokens, and API keys are never sent to any server. For maximum security, still avoid using production credentials during testing.
How do I fix a 401 Unauthorized error when using Authorization headers?: Common causes include missing the 'Basic' or 'Bearer' prefix, extra whitespace in the header value, expired tokens, incorrect Base64 encoding, or using the wrong header name. Use the decode tab to verify your credentials, check token expiration with a JWT decoder, and confirm the API expects the authentication scheme you are sending.

Loading your tools...

Use Cases

Preparing HTTP Authorization headers for REST API testing and integration QA in Postman or curl

Debugging 401 Unauthorized errors by decoding Base64 Basic Auth credentials to verify username and password

Creating standardized authentication header templates for team API documentation and onboarding guides

Rapidly switching between Basic Auth, Bearer token, and API key authentication methods during multi-service testing

Generating OAuth 2.0 Bearer headers for JWT-based microservice communication testing

Scheme

Header format

RFC

Security

Basic Auth

Authorization: Basic [base64(user:pass)]

RFC 7617

Low (Base64 ≠ encryption; needs HTTPS)

Bearer (OAuth 2.0)

Authorization: Bearer [token]

RFC 6750

Medium-High (token expires, scoped)

Digest Auth

Authorization: Digest [...]

RFC 7616

Medium (mostly obsolete)

API Key

X-API-Key: [key] (varies)

No standard

Medium (long-lived, often single-use)

AWS Signature v4

Authorization: AWS4-HMAC-SHA256 [...]

AWS spec

High (request-signed, time-limited)

HMAC custom

Authorization: HMAC-SHA256 [...]

Custom

High (replay-protected if done right)

Service

Header / format

Key format

Stripe

Authorization: Bearer sk_live_...

sk_live_ or sk_test_ prefix

OpenAI

Authorization: Bearer sk-...

sk- prefix, 51 chars

SendGrid

Authorization: Bearer SG.[key]

SG. prefix

Twilio

Authorization: Basic [base64(SID:auth_token)]

Account SID + Auth Token (Basic)

GitHub

Authorization: token ghp_... or Bearer

ghp_ personal, gho_ OAuth

AWS

Authorization: AWS4-HMAC-SHA256 [signature]

Access key ID + signed request

Google Cloud

Authorization: Bearer [OAuth2 token]

OAuth2 access token

Mailchimp

Authorization: Basic [base64(anystring:apikey)]

API key as password

Frequently Asked Questions

What is HTTP Basic Authentication and how does Base64 encoding work?

HTTP Basic Authentication is defined in RFC 7617. It combines username and password as 'username:password', Base64-encodes the string, and sends it as 'Authorization: Basic <encoded-value>'. Base64 is an encoding scheme (not encryption), so Basic Auth must always be used over HTTPS to protect credentials in transit.

How do I decode an existing Basic Auth header to see the username and password?

Paste the full 'Authorization: Basic ...' header or just the Base64 string into the decode tab. The tool instantly reverses the Base64 encoding to reveal the original username:password pair — useful for debugging 401 errors and verifying credential mismatches in API integrations.

What is a Bearer token and when should I use Bearer authentication?

Bearer tokens are opaque access tokens (often JWTs from OAuth 2.0 flows) sent as 'Authorization: Bearer <token>'. Use Bearer auth for modern REST APIs, single-page applications, mobile apps, and microservice-to-microservice communication where tokens have scoped permissions and expiration times.

What is the difference between Basic Auth, Bearer tokens, and API key authentication?

Basic Auth sends Base64-encoded username:password credentials per request. Bearer tokens use short-lived access tokens from OAuth/JWT flows. API keys are static secrets sent via custom headers (X-API-Key) or query parameters. Bearer tokens offer the best security for production APIs; Basic Auth is common for internal tools; API keys are simplest for third-party service integrations.

Can I use generated auth headers in Postman, curl, and Insomnia?

Yes. Copy the generated header and paste it as a raw header in Postman's Headers tab, as a '-H' flag in curl commands, or in Insomnia's header configuration. The output is formatted exactly as HTTP clients expect.

Is this auth header generator free and are my credentials secure?

Yes, completely free with no signup required. All encoding and decoding runs client-side in your browser using JavaScript — your passwords, tokens, and API keys are never sent to any server. For maximum security, still avoid using production credentials during testing.

How do I fix a 401 Unauthorized error when using Authorization headers?

Common causes include missing the 'Basic' or 'Bearer' prefix, extra whitespace in the header value, expired tokens, incorrect Base64 encoding, or using the wrong header name. Use the decode tab to verify your credentials, check token expiration with a JWT decoder, and confirm the API expects the authentication scheme you are sending.

Tools

Finance

AI

Media

Marketing

More

Auth Header Generator

Key Takeaways

What is Auth Header Generator?

How to Use Auth Header Generator

Key Features

Use Cases

About Auth Header Generator

HTTP Authentication Schemes Compared

Basic Auth Anatomy

Bearer Tokens: OAuth 2.0 Standard

API Key Patterns Across Services

Common Debugging Scenarios

Command-Line Equivalent

Common Debugging Issue

Frequently Asked Questions

Auth Header Generator