AUTHENTICATION
Basic Auth
HTTP Basic Authentication sends a Base64-encoded username and password in the Authorization header with every request.
How It Works
Basic Auth is the simplest HTTP authentication scheme. The client sends credentials in the Authorization header with every request:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
The value after Basic is the Base64 encoding of username:password. The server decodes this string, extracts the credentials, and verifies them.
Configuration
Select Basic Auth from the Auth type dropdown. Two fields appear:
| Field | Description |
|---|---|
| Username | The username to authenticate with |
| Password | The password for the account (masked in the UI) |
No other configuration is needed — API Studio handles the Base64 encoding and header injection automatically.
Variable Support
Both the username and password fields support {{variable}} placeholders. Variables are resolved from the active environment, vault secrets, or collection variables before encoding.
Example with variables:
Username: {{api_username}}
Password: {{api_password}}
Variables are resolved before the Base64 encoding step. This means the final encoded value contains the actual resolved credentials, not the placeholder text.
Encoding
The encoding process follows RFC 7617:
1. Resolve any {{variables}} in username and password
2. Concatenate as username:password
3. Base64-encode the resulting string
4. Add as header: Authorization: Basic <encoded>
Encoding example:
username = "admin"
password = "secret123"
"admin:secret123" → Base64 → "YWRtaW46c2VjcmV0MTIz"
Header: Authorization: Basic YWRtaW46c2VjcmV0MTIz
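The four encoding steps as an added Python example (not API Studio's own code), together with the reverse operation a server performs on the header. The function names, the placeholder regex and the choice of UTF-8 are assumptions; the sample values are the ones used in this page's examples.

```python
import base64
import re

# Assumed placeholder syntax: {{name}} with optional inner whitespace.
_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.-]*)\s*\}\}")

def resolve(template: str, variables: dict) -> str:
    """Step 1: substitute {{name}} placeholders; fail loudly on unknown names."""
    def lookup(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unresolved variable: {name}")
        return variables[name]
    return _PLACEHOLDER.sub(lookup, template)

def basic_auth_header(username: str, password: str, variables=None) -> str:
    """Steps 1-4: resolve, join with ':', Base64-encode, prefix with 'Basic '."""
    variables = variables or {}
    user = resolve(username, variables)
    pwd = resolve(password, variables)
    # RFC 7617: a user-id containing ':' is invalid, because the receiver
    # splits the decoded string on the first colon.
    if ":" in user:
        raise ValueError("username must not contain ':'")
    # UTF-8 is an assumption; the page does not state the charset used.
    token = base64.b64encode(f"{user}:{pwd}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_auth(header_value: str):
    """Reverse the encoding, as the server (or anyone holding the header) can."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, pwd = decoded.partition(":")  # first colon only; password may contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, pwd

if __name__ == "__main__":
    # Sample environment values taken from this page's examples.
    env = {"service_user": "api-client", "service_pass": "xK9#mP2$"}
    header = basic_auth_header("{{service_user}}", "{{service_pass}}", env)
    print("Authorization:", header)
    print("recovered:", decode_basic_auth(header))
```

Because `decode_basic_auth` needs no key, the header value is as sensitive as the password itself wherever it is stored, exported or logged.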
Examples
Literal values
Auth Type: Basic Auth
Username: admin
Password: p@ssw0rd!
→ Authorization: Basic YWRtaW46cEBzc3cwcmQh
With environment variables
Auth Type: Basic Auth
Username: {{service_user}}
Password: {{service_pass}}
Environment:
service_user = "api-client"
service_pass = "xK9#mP2$"
→ Resolves to "api-client:xK9#mP2$" → Base64 encodes
→ Authorization: Basic YXBpLWNsaWVudDp4SzkjbVAyJA==
With vault secrets
Auth Type: Basic Auth
Username: {{db_user}} ← from environment
Password: {{db_password}} ← from vault secret set
Both resolve before encoding — vault secrets are
automatically scrubbed from history and session files.
Security Note
Auth credentials appear in multiple places:
- Actual Request tab — shows resolved auth headers with real values
- Code Export — generated code includes resolved auth values
- History — saved request headers contain injected auth (scrubbed only if from vault)
- collections.json — auth config saved in plain text (committed to git)
Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.