Basic Auth is the oldest form of HTTP authentication. It is simple, easy to understand, and still used in many internal tools, legacy systems, and admin panels. Understanding how it works under the hood is important — interviewers love asking about Base64 encoding.
1. Client has a username and password (e.g., admin:password123)
2. Client combines them with a colon: "admin:password123"
3. Client encodes this string in Base64: "YWRtaW46cGFzc3dvcmQxMjM="
4. Client sends it in the Authorization header: "Basic YWRtaW46cGFzc3dvcmQxMjM="
5. Server decodes the Base64 string and splits it at the first colon to recover the username and password (the username may not contain a colon; the password may, which is why the split must happen at the first one only)
6. Server validates the credentials against its user store
7. If valid, the server returns 200. If not, it returns 401, per the HTTP spec together with a WWW-Authenticate: Basic realm="..." challenge header that tells the client which scheme to use (many APIs omit the challenge and return a bare 401)
Base64 is NOT encryption. It is just encoding, with no key and no secret. Anyone can decode it. If you base64-decode "YWRtaW46cGFzc3dvcmQxMjM=" you get "admin:password123", the plaintext password. This is why Basic Auth MUST always be used over HTTPS: without it the credentials travel in the clear, and because the same header is re-sent on every request, intercepting any single request is enough to capture the password.
In Postman, go to the Authorization tab, select "Basic Auth", and enter the username and password. Postman handles the Base64 encoding and adds the "Authorization: Basic ..." header to the request at send time; you can see it listed as an auto-generated header under the Headers tab. Keep the username and password in environment variables of type "secret" rather than typing them into the request itself, because collections get exported and shared and the header is trivially decodable.
```javascript
// Postman: Authorization tab → Type: Basic Auth
// Username: admin
// Password: password123
// Postman auto-generates: Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=

// Tests tab, for the request sent with the correct credentials
pm.test("Valid credentials return 200", function () {
    pm.response.to.have.status(200);
});
pm.test("Response contains user data", function () {
    const json = pm.response.json();
    pm.expect(json.username).to.eql("admin");
    pm.expect(json.role).to.eql("admin");
});

// To test wrong credentials, duplicate the request, change the password to
// "wrongpass" and give that copy this test instead. It cannot share a Tests
// tab with the 200 test above, since one of the two must always fail.
pm.test("Invalid credentials return 401", function () {
    pm.response.to.have.status(401);
});

// Manually create the header to understand Base64.
// In the Pre-request Script tab, with the Authorization tab set to "No Auth"
// so that Postman's own helper and this script do not both set the header:
const username = pm.environment.get("username");
const password = pm.environment.get("password");
const encoded = btoa(username + ":" + password); // Base64: encoding, not encryption
// upsert replaces any existing Authorization header instead of adding a second one
pm.request.headers.upsert({
    key: "Authorization",
    value: "Basic " + encoded
});
```

```java
import io.restassured.RestAssured;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;

public class BasicAuthTest {

    @BeforeClass
    public void setup() {
        RestAssured.baseURI = "https://api.example.com";
    }

    // Method 1: REST Assured handles encoding (challenge-response).
    // The first request goes out WITHOUT credentials; they are only sent on a
    // retry after the server answers 401 with a WWW-Authenticate: Basic challenge.
    @Test
    public void testBasicAuthWithHelper() {
        given()
            .auth().basic("admin", "password123")
        .when()
            .get("/admin/dashboard")
        .then()
            .statusCode(200)
            .body("role", equalTo("admin"));
    }

    // Method 2: Preemptive Basic Auth
    // Sends credentials on the FIRST request (no 401 challenge needed)
    @Test
    public void testPreemptiveBasicAuth() {
        given()
            .auth().preemptive().basic("admin", "password123")
        .when()
            .get("/admin/dashboard")
        .then()
            .statusCode(200);
    }

    // Method 3: Manual Base64 encoding (to understand what happens)
    @Test
    public void testManualBasicAuth() {
        String credentials = "admin:password123";
        // Encode explicitly as UTF-8; getBytes() with no charset uses the platform default
        String encoded = Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        given()
            .header("Authorization", "Basic " + encoded)
        .when()
            .get("/admin/dashboard")
        .then()
            .statusCode(200);
    }

    @Test
    public void testInvalidCredentials() {
        given()
            .auth().preemptive().basic("admin", "wrongpassword")
        .when()
            .get("/admin/dashboard")
        .then()
            .statusCode(401);
    }

    @Test
    public void testMissingCredentials() {
        given()
            // No auth at all
        .when()
            .get("/admin/dashboard")
        .then()
            .statusCode(401);
    }
}
```

Use auth().preemptive().basic() in REST Assured. Without "preemptive", REST Assured first sends the request with no credentials at all and only resends it with the Authorization header if the server replies 401 with a WWW-Authenticate: Basic challenge. Many modern APIs return a bare 401 with no challenge, so the credentials are never sent and the test fails even though the password is right. Preemptive sends the credentials on the first request, which also saves a round trip.
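The wire behaviour behind the preemptive() advice, as an added Node.js example that is not REST Assured's code: two in-process toy servers (one that answers 401 with a WWW-Authenticate challenge, one that returns a bare 401, as many APIs do) and two toy clients, one challenge-response like auth().basic() and one preemptive like auth().preemptive().basic(). The credential, realm, path and server functions are constructed for this example; the status code and the number of requests each client needed is what to look at.

```javascript
// Toy Basic header builder (same construction as in the text).
function basicHeader(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

// Constructed credential both toy servers accept. A real server would compare
// against a stored hash in constant time; exact string match is fine for a toy.
const EXPECTED = basicHeader("admin", "password123");

// Server A: spec-conformant, a 401 carries a WWW-Authenticate challenge.
function challengingServer(req) {
  if (req.headers.authorization === EXPECTED) return { status: 200, headers: {} };
  return { status: 401, headers: { "www-authenticate": 'Basic realm="admin"' } };
}

// Server B: rejects with a bare 401 and no challenge (common in modern APIs).
function silentServer(req) {
  if (req.headers.authorization === EXPECTED) return { status: 200, headers: {} };
  return { status: 401, headers: {} };
}

// Client 1: challenge-response, like REST Assured's default auth().basic().
// First request carries no credentials; it retries with them only if the 401
// names the Basic scheme. Returns the final status and how many requests it made.
function nonPreemptiveClient(server, user, pass) {
  let res = server({ headers: {} });
  let requests = 1;
  const challenge = res.status === 401 && res.headers["www-authenticate"];
  if (challenge && /^Basic\b/i.test(challenge)) {
    res = server({ headers: { authorization: basicHeader(user, pass) } });
    requests = 2;
  }
  return { status: res.status, requests };
}

// Client 2: preemptive, like auth().preemptive().basic(). Credentials go on
// the very first request, so the server's challenge behaviour is irrelevant.
function preemptiveClient(server, user, pass) {
  const res = server({ headers: { authorization: basicHeader(user, pass) } });
  return { status: res.status, requests: 1 };
}

// Stand-alone demo: the failure mode the text warns about is the second line.
console.log(nonPreemptiveClient(challengingServer, "admin", "password123")); // { status: 200, requests: 2 }
console.log(nonPreemptiveClient(silentServer, "admin", "password123"));      // { status: 401, requests: 1 }
console.log(preemptiveClient(silentServer, "admin", "password123"));         // { status: 200, requests: 1 }
```

Against the silent server the non-preemptive client never sends the password at all, so the 401 it reports says nothing about whether the credentials were right; that is the misleading test failure preemptive() avoids.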
Q: How does Basic Auth work? Is it secure?
A: Basic Auth joins the username and password with a colon (admin:pass), Base64-encodes the result, and sends it in the Authorization header as "Basic <encoded>". It is NOT secure by itself because Base64 is encoding, not encryption: anyone who sees the header can decode it, so it must always be used over HTTPS. Even over HTTPS it has weaknesses: the same long-lived password is re-sent with every request, so every proxy, gateway and access log that sees the header sees the password, and there is no expiry or revocation short of changing the password. Modern APIs prefer token-based auth, where credentials are sent once to obtain a short-lived token and only the token is used on subsequent requests.
Key Point: Basic Auth sends Base64-encoded username:password with every request. Base64 is encoding, NOT encryption. Always use over HTTPS. Use preemptive() in REST Assured.