HTTP Basic Auth Generator: Basic Auth, Bearer JWT, API Key

What this tool actually does?

Thie is a free online HTTP auth header generator for developers. It builds Basic Auth, Bearer tokens with a built in JWT decoder, and API key headers. You get copy paste ready snippets for cURL, Fetch, Axios, Python, PHP, Java, Angular, and Go. Everything runs locally in your browser. No server calls.

Features

Formats the Authorization header for HTTP requests
Encodes username and password to Base64 for Basic Auth per RFC 7617
Formats Bearer tokens strictly following RFC 6750 with support for custom auth schemes
Decodes JWT headers and payloads locally, showing algorithm, expiration and claims
Generates API keys as custom headers or URL query parameters with proper URL encoding
Spits out working code snippets in eight languages: cURL, Fetch API, Axios, Python, PHP, Java, Angular, Go
Supports all major HTTP methods: GET, POST, PUT, PATCH, DELETE

Who is this for?

Backend devs building authenticated API requests without memorizing header syntax
Frontend engineers debugging Authorization headers during third party API integration
QA engineers generating accurate headers for Postman, automated tests, and CI pipelines
DevOps and SRE folks troubleshooting failing API calls and inspecting JWT payloads on prod
Security researchers analyzing auth flows and decoding tokens without sending them to sketchy third party sites
Tech writers producing correct code samples for API documentation
Students learning HTTP authentication schemes hands on

Pain points it fixes

Stops manual Base64 encoding errors, especially with non ASCII UTF 8 characters
Removes syntax guessing. No more wondering if it is Bearer or Basic, or where the colon goes
Instant JWT validation. You see expiration time, algorithm and claims without external services
Saves context switching time. Header and snippet in one place
Prevents credential leaks. Unlike online converters, your secrets never leave your device
Works in restricted environments. No installation, no account, no dependencies, works offline

Why use this generator?

100% Client Side

Creds and tokens never leave your machine. Encoding and decoding happen right in the browser.

Zero Dependencies

Pure HTML, CSS, and vanilla JS. No frameworks, no CDN calls, no build step.

Instant Results

Headers and snippets update as you type. No submit buttons.

Works Offline

Save the HTML file locally and use it without an internet connection. Perfect for air gapped environments.

Mobile Friendly

Touch optimized interface with large tap targets. 16px inputs prevent iOS auto zoom.

RFC Compliant

Output strictly follows standards for Basic and Bearer authentication.

Supported auth methods

Basic Auth: Base64 encoding of username:password sent as Authorization: Basic <credentials>
Bearer Token: Typically used with OAuth 2.0 and JWT access tokens. Supports custom schemes like Token or MAC
API Key: Flexible transmission either as a custom HTTP header like X-API-Key or as a URL query parameter with proper encoding

Frequently asked questions

Is my data safe here?

Yes. All processing happens locally in your browser using JavaScript. No credentials, tokens, or API keys are ever sent to any server, logged, or stored. Disconnect your internet and test it yourself.

What is Basic Auth and how is it encoded?

Basic Authentication defined in RFC 7617 is an HTTP scheme where credentials are sent as a Base64 encoded string in the format username:password. The resulting header looks like Authorization: Basic dXNlcjpwYXNz. Base64 is encoding, not encryption. Always use HTTPS with Basic Auth. Check MDN for more details.

How does the JWT decoder work?

A JWT per RFC 7519 consists of three Base64URL encoded parts separated by dots: header.payload.signature. This tool decodes both the header (algorithm, type, key ID) and the payload (claims like exp, iat, sub) locally in your browser. The signature is not verified. This is a decoder, not a validator. See jwt.io for a good intro.

Bearer token vs API key?

A Bearer token per RFC 6750 is typically a short lived signed token like JWT used in OAuth 2.0 flows. It goes in the Authorization header as Bearer <token>. An API key is a long lived secret string, usually sent as a custom header or a URL query parameter. API keys identify the client. Bearer tokens authorize a specific session.

Can I use this offline?

Yes. Once the page loads, it works completely offline because all logic is written in vanilla JavaScript with no external dependencies or CDN calls. Save the HTML file locally and use it without internet.

Which HTTP methods are supported?

The generator supports GET, POST, PUT, PATCH, and DELETE. Code snippets automatically adapt to the selected method, including correct cURL flags, Fetch and Axios method parameters, and Python or PHP request types.

Does this tool verify JWT signatures?

No. It only decodes the JWT header and payload. It does not verify the cryptographic signature. Signature verification requires a secret or public key and must happen on your backend server. Never trust a JWT based solely on client side decoding.

Does Basic Auth expire?

No. Basic Auth credentials (username and password) do not have an expiration time. They remain valid until changed on the server. Unlike JWT tokens which have an exp claim, Basic Auth is stateless and persistent. If you need time limited access, use Bearer tokens with JWT instead.

Why is my auth header being dropped?

Auth headers are commonly dropped by CORS policies, reverse proxies (nginx, Apache), load balancers, or redirects (HTTP to HTTPS). Check your server configuration and ensure Authorization headers are whitelisted in CORS (Access-Control-Allow-Headers) and proxy settings. Some frameworks also strip custom headers by default.

Why put auth token in HTTP header instead of URL?

HTTP headers are more secure than URL parameters because headers are not logged in browser history, server access logs, or proxy logs. URLs with tokens can be accidentally shared, bookmarked, or cached. Headers follow HTTP standards and are the recommended approach for authentication.