
AUTHENTICATION

Basic Auth

HTTP Basic Authentication sends a Base64-encoded username and password in the Authorization header with every request.

How It Works

Basic Auth is the simplest HTTP authentication scheme. The client sends credentials in the Authorization header with every request:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

The value after Basic is the Base64 encoding of username:password. The server decodes this string, extracts the credentials, and verifies them.

Important: Base64 is encoding, not encryption. Credentials are sent in every request and can be decoded by anyone who intercepts the traffic. Always use HTTPS to protect credentials in transit.

Configuration

Select Basic Auth from the Auth type dropdown. Two fields appear:

Field      Description
Username   The username to authenticate with
Password   The password for the account (masked in the UI)

No other configuration is needed — API Studio handles the Base64 encoding and header injection automatically.

Variable Support

Both the username and password fields support {{variable}} placeholders. Variables are resolved from the active environment, vault secrets, or collection variables before encoding.

Example with variables:

Username: {{api_username}}
Password: {{api_password}}

Variables are resolved before the Base64 encoding step. This means the final encoded value contains the actual resolved credentials, not the placeholder text.

Encoding

The encoding process follows RFC 7617:

1. Resolve any {{variables}} in username and password
2. Concatenate as username:password
3. Base64-encode the resulting string
4. Add as header: Authorization: Basic <encoded>

Encoding example:

username = "admin"
password = "secret123"

"admin:secret123" → Base64 → "YWRtaW46c2VjcmV0MTIz"

Header: Authorization: Basic YWRtaW46c2VjcmV0MTIz

Examples

Literal values

Auth Type: Basic Auth
Username:  admin
Password:  p@ssw0rd!

→ Authorization: Basic YWRtaW46cEBzc3cwcmQh

With environment variables

Auth Type: Basic Auth
Username:  {{service_user}}
Password:  {{service_pass}}

Environment:
  service_user = "api-client"
  service_pass = "xK9#mP2$"

→ Resolves to "api-client:xK9#mP2$" → Base64 encodes
→ Authorization: Basic YXBpLWNsaWVudDp4SzkjbVAyJA==

With vault secrets

Auth Type: Basic Auth
Username:  {{db_user}}       ← from environment
Password:  {{db_password}}   ← from vault secret set

Both resolve before encoding — vault secrets are
automatically scrubbed from history and session files.

Note: Basic Auth credentials are sent with every request — there is no session or token mechanism. If your password changes, update the environment variable or vault secret and all requests using it will immediately use the new value.

Security Note

Auth credentials appear in multiple places:

  • Actual Request tab — shows resolved auth headers with real values
  • Code Export — generated code includes resolved auth values
  • History — saved request headers contain injected auth (scrubbed only if from vault)
  • collections.json — auth config saved in plain text (committed to git)

Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.
