How to Use cURL with Basic Authentication (Username & Password)?

Answer

To use Basic Authentication in cURL, pass your credentials with the -u or --user flag, formatted as username:password. cURL automatically encodes these into an Authorization: Basic header, allowing access to protected APIs or endpoints securely when used over HTTPS.

Detailed Explanation

HTTP Basic Authentication is one of the simplest methods for verifying access to a protected resource. When a client attempts to access a secured endpoint, the server typically responds with a 401 Unauthorized status, prompting the client to provide credentials.

With Basic Auth, the client sends a username and password combined into a single string (username:password), which is then encoded using Base64 and placed inside the HTTP request header: Authorization: Basic <encoded>. The server decodes this value and validates it against stored credentials.

cURL simplifies this process by automatically handling encoding when you use the -u flag. For example:

curl -u username:password https://api.example.com

Despite its convenience, Basic Authentication is inherently insecure because Base64 encoding is reversible and does not encrypt data. Therefore, credentials can be exposed if transmitted over plain HTTP. Using HTTPS is essential to ensure transport-level encryption and prevent interception.

In scraping and automation scenarios, Basic Auth is often used for internal APIs, staging environments, or lightweight access control. However, it may still be combined with other security management systems such as CAPTCHA or behavioral detection, especially in production environments.

Solutions / Methods

• Use the -u or --user flag：Provide credentials directly in the command line (e.g., -u user:pass). For better security, omit the password to trigger an interactive prompt and avoid storing sensitive data in shell history.
• Ensure HTTPS for secure transmission：Always send authentication requests over HTTPS to prevent credential leakage, as Basic Auth only encodes data rather than encrypting it.
• Handle CAPTCHA and security management layers：When accessing protected endpoints that include CAPTCHA or bot detection, automated solutions like CapSolver can help handle challenges and maintain stable request workflows alongside authentication.

Best Practice / Tips

• Avoid hardcoding credentials in scripts; use environment variables or secure config files.
• Use --anyauth in cURL to let the tool negotiate the most appropriate authentication method automatically.
• Combine Basic Auth with proxies, headers, and user-agent rotation when performing web scraping at scale.
• Monitor for additional protection layers such as rate limiting or CAPTCHA, which may require integrated solving strategies.

👉 Related:

• Solve Captcha with Curl
• Web Scraping Without Getting Blocked

Use code FAQ when signing up at CapSolver to receive an additional 5% bonus on your recharge.

CapSolver FAQ — capsolver.com