Authorization Header Generator

Build a valid HTTP Authorization header for Basic, Bearer, or custom token schemes. Live preview plus curl, fetch, axios, Python, Go, and PHP snippets.

Username and password, base64-encoded (RFC 7617).

Header output

Authorization header value

Authorization: Basic YWRtaW46czNjcmV0LXBhc3Mh
45 bytes

Basic credentials are the username and password joined by a colon, encoded as UTF-8, then base64-encoded.

Request snippets

Paste into your client

Ready-to-paste examples for the HTTP clients developers use most. The Authorization header is wired in for you.

curl

curl -i -H 'Authorization: Basic YWRtaW46czNjcmV0LXBhc3Mh' 'https://api.example.com/v1/me'

JavaScript fetch

fetch("https://api.example.com/v1/me", {
  method: "GET",
  headers: {
    "Authorization": "Basic YWRtaW46czNjcmV0LXBhc3Mh",
  },
})
  .then((response) => response.text())
  .then(console.log);

axios

import axios from "axios";

axios({
  url: "https://api.example.com/v1/me",
  method: "get",
  headers: {
    Authorization: "Basic YWRtaW46czNjcmV0LXBhc3Mh",
  },
}).then((response) => {
  console.log(response.data);
});

Python (requests)

import requests

response = requests.request(
    "get",
    "https://api.example.com/v1/me",
    headers={
        "Authorization": "Basic YWRtaW46czNjcmV0LXBhc3Mh",
    },
    timeout=10,  # requests has no default timeout; without one the call can hang
)
print(response.status_code, response.text)

Node.js (node:https)

import { request } from "node:https";

const url = new URL("https://api.example.com/v1/me");

const req = request(
  {
    method: "GET",
    hostname: url.hostname,
    port: url.port || (url.protocol === "https:" ? 443 : 80),
    path: url.pathname + url.search,
    headers: {
      Authorization: "Basic YWRtaW46czNjcmV0LXBhc3Mh",
    },
  },
  (res) => {
    let body = "";
    res.setEncoding("utf8");
    res.on("data", (chunk) => (body += chunk));
    res.on("end", () => console.log(res.statusCode, body));
  },
);

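// Without an error listener, a DNS or TLS failure is thrown as an uncaught exception.
req.on("error", (err) => console.error(err.message));
req.end();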

Go (net/http)

package main

import (
	"fmt"
	"io"
	"net/http"
)

func main() {
	req, err := http.NewRequest("GET", "https://api.example.com/v1/me", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Authorization", "Basic YWRtaW46czNjcmV0LXBhc3Mh")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Println(resp.Status, string(body))
}

PHP (curl)

<?php
$ch = curl_init('https://api.example.com/v1/me');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Basic YWRtaW46czNjcmV0LXBhc3Mh',
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo $status . PHP_EOL . $response;

Raw HTTP request

GET /v1/me HTTP/1.1
Host: api.example.com
Authorization: Basic YWRtaW46czNjcmV0LXBhc3Mh
Accept: */*

Scheme cheat sheet

  • Basic (RFC 7617): built from username:password encoded as UTF-8 then base64. Avoid colons in the username.
  • Bearer (RFC 6750): the token is sent verbatim after the scheme name. Used by OAuth 2.0, OpenID Connect, JWT, and most modern API platforms.
  • Token, ApiKey, and other vendor schemes follow the same shape as Bearer but with a different scheme name.
  • Digest (RFC 7616) and AWS4-HMAC-SHA256 require a signed challenge or request body and are not built statically; use a client library for those.

Common mistakes

  • Pasting the JWT into a Basic-auth form instead of using the Bearer scheme. Servers reject the result with a 401.
  • Including the word Authorization: twice when copying the header value into the value field of a tool like Postman.
  • Sending the header over plain HTTP. Basic credentials are effectively cleartext on the wire; always use HTTPS in production.
  • Storing the Bearer token in source control or a chat log. Treat it like a password and rotate immediately if leaked.
  • Mixing the OAuth 2.0 access token with the refresh token. The header always carries the access token; the refresh token is sent to the token endpoint instead.
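
The mistakes above that can be detected from the request alone, as an added example (not code from this tool). The function name, finding codes, and the sample values in the test are constructed for illustration.

```javascript
// Added example: flags the detectable mistakes from the list above.
// Matches three dot-separated base64url segments, the compact JWT shape.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Decode a Basic payload to a UTF-8 string; null if it is not valid base64.
function decodeBasic(payload) {
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(payload) || payload.length % 4 !== 0) return null;
  const bytes = Uint8Array.from(atob(payload), (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// url: request URL; value: what was typed into the header *value* field.
function diagnoseAuthorization(url, value) {
  const findings = [];
  let v = value.trim();
  // The header name pasted into the value field yields "Authorization: Authorization: ...".
  if (/^authorization\s*:/i.test(v)) {
    findings.push("header-name-in-value");
    v = v.replace(/^authorization\s*:\s*/i, "");
  }
  // Basic over plain HTTP is readable by anyone on the path.
  if (new URL(url).protocol !== "https:") findings.push("not-https");
  const space = v.indexOf(" ");
  if (space === -1) return findings.concat("missing-scheme-or-credential");
  const scheme = v.slice(0, space).toLowerCase();
  const credential = v.slice(space + 1).trim();
  if (scheme === "basic") {
    if (JWT_SHAPE.test(credential)) {
      findings.push("jwt-under-basic"); // should have been "Bearer <jwt>"
    } else {
      const decoded = decodeBasic(credential);
      if (decoded === null) findings.push("basic-not-base64");
      else if (!decoded.includes(":")) findings.push("basic-missing-colon");
    }
  }
  return findings;
}
```
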

How to use

  1. Pick the scheme tab that matches your auth flow: Basic for username and password, Bearer for OAuth or personal access tokens, or Custom for vendor schemes like Token or ApiKey.
  2. Fill in the credential inputs. For Basic, type the username and password; the colon-joined pair is UTF-8 encoded and base64 wrapped automatically. For Bearer, paste the opaque token or JWT. For Custom, type the scheme name and the credential value.
  3. Use a quick preset to seed common shapes, or click Show next to the password to reveal it before copying.
  4. Read the Authorization header line in the output panel and copy either the value alone or the full header line. Watch the byte counter if your gateway has header size limits.
  5. Set the Request URL and HTTP method to thread them into the snippets. Copy the snippet for the client you actually use: curl, fetch, axios, Python requests, Node.js, Go, PHP, or a raw HTTP request.
  6. Resolve any errors flagged in the Validation panel (colon in Basic username, whitespace in a Bearer token, empty scheme name) before sending the request.

About this tool

Authorization Header Generator builds the value of the HTTP Authorization request header defined by RFC 7235. It covers the three schemes that account for almost every Authorization header in the wild: Basic (RFC 7617), where the username and password are joined with a colon, UTF-8 encoded, and base64 wrapped; Bearer (RFC 6750), where an opaque token or JWT is sent verbatim after the scheme name; and Custom, where a vendor scheme like Token, ApiKey, or any other RFC 7235 token68 value carries the credential.

The tool validates each input against the real grammar: it rejects colons inside Basic usernames (RFC 7617 reserves the colon as the credential separator), warns on Bearer tokens that contain characters outside the RFC 6750 token68 grammar, refuses whitespace or newlines that would break the header line, and flags non-ASCII credentials with a note that Basic uses UTF-8 by modern convention.

Five quick presets seed real intents: a login Basic credential, a Bearer JWT, a Bearer personal access token in GitHub/GitLab/npm style, a Token scheme value, and an ApiKey scheme value. The output panel shows the full Authorization line with a copy button, a byte counter for the wire size, and a plain English explanation of how the value was derived. Eight ready-to-paste snippets thread your URL and HTTP method through every popular client: curl, JavaScript fetch, axios, Python requests, Node.js node:https, Go net/http, PHP curl, and a raw HTTP request preview. Every snippet quotes credentials safely so a password with single quotes, backslashes, or shell metacharacters does not break the command. The header value never leaves your browser; base64 is computed locally with TextEncoder and btoa.

Useful for testing a new API endpoint with a fresh token, copying a working Authorization line into Postman or Insomnia, debugging a 401 by comparing the value your client sent against the one this tool produces, encoding a Basic credential pair without piping echo through base64 in a terminal, or generating a clean snippet to share with a teammate in chat.
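
The validation rules described in this section and in step 6 of "How to use", as an added example (not this tool's own source). The function name, result shape, and messages are hypothetical; it uses the same TextEncoder and btoa approach the page mentions and rejects CR/LF so a pasted value cannot add a second header line.

```javascript
// Added example: the validation rules described on this page, applied while
// building the header. Names and messages are hypothetical.
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;       // RFC 7235 token68
const SCHEME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;  // HTTP token (scheme name)
const CTL = /[\u0000-\u001f\u007f]/;              // control chars, incl. CR and LF

// UTF-8 encode first: btoa() throws on code points above 255.
function base64Utf8(text) {
  let binary = "";
  for (const b of new TextEncoder().encode(text)) binary += String.fromCharCode(b);
  return btoa(binary);
}

function buildAuthorization(scheme, input) {
  const errors = [];
  const warnings = [];
  let credential;
  if (!SCHEME.test(scheme)) errors.push("scheme name is empty or not an HTTP token");
  if (scheme.toLowerCase() === "basic") {
    const { username = "", password = "" } = input;
    const pair = `${username}:${password}`;
    // The server splits at the first colon, so a colon in the username shifts the split.
    if (username.includes(":")) errors.push("colon in Basic username");
    if (CTL.test(pair)) errors.push("control character in Basic credentials");
    if (/[^\x00-\x7f]/.test(pair)) warnings.push("non-ASCII credentials, sent as UTF-8");
    credential = base64Utf8(pair);
  } else {
    credential = String(input.token ?? "");
    if (credential === "") errors.push("empty credential");
    // Whitespace or CR/LF would split or break the header line.
    if (/\s/.test(credential)) errors.push("whitespace or newline in credential");
    else if (scheme.toLowerCase() === "bearer" && credential && !TOKEN68.test(credential)) {
      warnings.push("Bearer token has characters outside token68");
    }
  }
  if (errors.length > 0) return { ok: false, errors, warnings };
  const header = `Authorization: ${scheme} ${credential}`;
  return { ok: true, header, bytes: new TextEncoder().encode(header).length, errors, warnings };
}
```
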

Free to use. Works in your browser. No signup, no login.
