Bird
Raised Fist0
Rest APIprogramming~10 mins

Basic authentication in Rest API - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Concept Flow - Basic authentication
Client sends request with Authorization header
Server receives request
Server extracts Authorization header
Server decodes Base64 credentials
Server checks username and password
Grant access
Send response
The client sends credentials encoded in the Authorization header; the server decodes and verifies them, then grants or denies access.
Execution Sample
Rest API
GET /resource HTTP/1.1
Authorization: Basic dXNlcjpwYXNz

# Server decodes 'dXNlcjpwYXNz' to 'user:pass'
# Server checks credentials
# Server responds 200 OK if valid, 401 if invalid
This shows a client request with Basic Auth header and server verifying credentials.
Execution Table
StepActionDataResult
1Client sends requestAuthorization: Basic dXNlcjpwYXNzRequest sent with encoded credentials
2Server receives requestAuthorization header presentProceed to decode credentials
3Server decodes Base64dXNlcjpwYXNzDecoded to 'user:pass'
4Server splits credentials'user:pass'Username='user', Password='pass'
5Server checks credentialsUsername='user', Password='pass'Credentials valid? Yes
6Server grants accessValid credentialsRespond with 200 OK and resource
7EndRequest handledProcess complete
💡 Execution stops after server responds based on credential validity
Variable Tracker
VariableStartAfter Step 3After Step 4After Step 5Final
Authorization headerNonedXNlcjpwYXNzdXNlcjpwYXNzdXNlcjpwYXNzdXNlcjpwYXNz
Decoded credentialsNoneuser:passuser:passuser:passuser:pass
UsernameNoneNoneuseruseruser
PasswordNoneNonepasspasspass
Access grantedFalseFalseFalseTrueTrue
Key Moments - 3 Insights
Why does the server decode the Authorization header?
Because the credentials are sent encoded in Base64, decoding reveals the actual username and password as shown in step 3 of the execution_table.
What happens if the credentials are invalid?
The server rejects the request and sends a 401 Unauthorized response instead of granting access, which would be shown in step 5 as 'Credentials valid? No' (not shown here).
Why is the Authorization header needed in the request?
It carries the encoded username and password so the server can authenticate the client, as seen in step 1 where the client sends it.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the decoded credentials value at step 3?
A"user:pass"
B"dXNlcjpwYXNz"
C"Authorization: Basic dXNlcjpwYXNz"
D"user"
💡 Hint
Check the 'Data' column at step 3 in the execution_table.
At which step does the server decide if access is granted?
AStep 2
BStep 4
CStep 5
DStep 6
💡 Hint
Look for the step where credentials are checked in the execution_table.
If the password was wrong, how would the 'Access granted' variable change after step 5?
AIt would be True
BIt would be False
CIt would be None
DIt would be 'user:pass'
💡 Hint
Refer to the variable_tracker row for 'Access granted' and step 5.
Concept Snapshot
Basic authentication sends username and password encoded in Base64 in the Authorization header.
Server decodes and checks credentials.
If valid, server grants access; if not, sends 401 Unauthorized.
Used for simple client-server authentication.
Credentials are sent with every request.
Not secure without HTTPS.
Full Transcript
Basic authentication works by the client sending a request with an Authorization header containing the username and password encoded in Base64. The server receives this request, extracts the Authorization header, and decodes the Base64 string to get the username and password. It then checks these credentials against its records. If the credentials are valid, the server grants access and responds with the requested resource. If invalid, the server rejects the request with a 401 Unauthorized response. This process repeats for each request requiring authentication. The key steps are sending the encoded credentials, decoding them, verifying, and responding accordingly.

Practice

(1/5)
1. What does Basic Authentication in REST API primarily use to verify a user?
easy
A. An API key sent as a query parameter
B. A username and password encoded in base64 sent in the Authorization header
C. OAuth tokens in the request body
D. IP address filtering

Solution

  1. Step 1: Understand Basic Authentication mechanism

    Basic Authentication sends a username and password encoded in base64 in the Authorization header.

  2. Step 2: Compare with other authentication methods

    API keys, OAuth tokens, and IP filtering are different methods, not Basic Authentication.

  3. Final Answer:

    A username and password encoded in base64 sent in the Authorization header -> Option B

  4. Quick Check:

    Basic Auth = username:password base64 in header [OK]
Hint: Basic Auth always uses base64 username:password in header [OK]
Common Mistakes:
  • Confusing Basic Auth with API key or OAuth
  • Thinking credentials are sent in URL or body
  • Ignoring base64 encoding step
2. Which of the following is the correct format of the Authorization header for Basic Authentication?
easy
A. Authorization: ApiKey base64encodedstring
B. Authorization: Bearer base64encodedstring
C. Authorization: Token base64encodedstring
D. Authorization: Basic base64encodedstring

Solution

  1. Step 1: Recall the header format for Basic Authentication

    The header must start with the word 'Basic' followed by a space and then the base64 encoded credentials.

  2. Step 2: Eliminate other header types

    'Bearer', 'Token', and 'ApiKey' are used in other authentication schemes, not Basic Auth.

  3. Final Answer:

    Authorization: Basic base64encodedstring -> Option D

  4. Quick Check:

    Basic Auth header starts with 'Basic' [OK]
Hint: Basic Auth header always starts with 'Basic ' [OK]
Common Mistakes:
  • Using 'Bearer' instead of 'Basic'
  • Omitting the space after 'Basic'
  • Confusing with other auth schemes
3. Given the username 'user' and password 'pass', what is the value of the Authorization header in Basic Authentication?
medium
A. Authorization: Basic dXNlcjpwYXNz
B. Authorization: Basic dXNlcjpwYXNzCg==
C. Authorization: Basic dXNlcjpwYXNzdA==
D. Authorization: Basic dXNlcjpwYXNzZA==

Solution

  1. Step 1: Combine username and password with colon

    Combine 'user' and 'pass' as 'user:pass'.

  2. Step 2: Encode 'user:pass' in base64

    Encoding 'user:pass' in base64 results in 'dXNlcjpwYXNzdA=='.

  3. Final Answer:

    Authorization: Basic dXNlcjpwYXNzdA== -> Option C

  4. Quick Check:

    Base64('user:pass') = dXNlcjpwYXNzdA== [OK]
Hint: Encode 'username:password' in base64 for header value [OK]
Common Mistakes:
  • Encoding username and password separately
  • Adding extra characters or padding incorrectly
  • Using wrong base64 string
4. What is wrong with this Basic Authentication header?
Authorization: Basic user:pass
medium
A. The username and password are not base64 encoded
B. The header should be 'Bearer' not 'Basic'
C. The colon ':' should be replaced with a comma ','
D. The header is missing the word 'Authorization'

Solution

  1. Step 1: Check the format of the Authorization header

    The header must have the credentials base64 encoded after 'Basic '.

  2. Step 2: Identify the error in the given header

    The given header has 'user:pass' in plain text, not base64 encoded.

  3. Final Answer:

    The username and password are not base64 encoded -> Option A

  4. Quick Check:

    Basic Auth requires base64 encoding [OK]
Hint: Credentials must be base64 encoded, not plain text [OK]
Common Mistakes:
  • Sending plain text credentials
  • Confusing 'Basic' with 'Bearer'
  • Misplacing colon or other punctuation
5. You want to protect a REST API endpoint using Basic Authentication. Which of the following is the best practice?
hard
A. Use HTTPS to encrypt the connection and send base64 encoded credentials in the Authorization header
B. Send username and password in plain text over HTTP
C. Send credentials as URL parameters for easy access
D. Use Basic Authentication without encoding credentials

Solution

  1. Step 1: Understand security risks of Basic Authentication

    Basic Auth sends credentials encoded but not encrypted, so it must be used over HTTPS to protect data.

  2. Step 2: Identify best practice for secure API protection

    Using HTTPS encrypts the entire connection, making base64 encoded credentials safe to transmit.

  3. Final Answer:

    Use HTTPS to encrypt the connection and send base64 encoded credentials in the Authorization header -> Option A

  4. Quick Check:

    Basic Auth + HTTPS = secure transmission [OK]
Hint: Always use HTTPS with Basic Auth for security [OK]
Common Mistakes:
  • Sending credentials over HTTP (not secure)
  • Putting credentials in URL parameters
  • Skipping base64 encoding