HTTP Basic Authentication

How It Works

HTTP Basic Authentication encodes username:password as a Base64 string and sends it in the Authorization header with every request.

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

The server decodes the header, extracts the credentials, and validates them. There is no session, no token, no state — every request carries the full credentials.

Base64 is encoding, not encryption. Anyone who intercepts the header can decode it instantly:

echo 'dXNlcm5hbWU6cGFzc3dvcmQ=' | base64 -d
# username:password

This is why Basic Auth without HTTPS is equivalent to sending credentials in plaintext.

curl Examples

Inline Credentials

curl -s -k -u admin:SecretPass123 \
  -H "Accept: application/json" \
  https://api.example.com/v1/resources

curl handles the Base64 encoding internally when you pass -u user:pass.

Pre-encoded Header

Some scripts compute the header directly to avoid shell escaping issues with special characters in passwords:

# Encode once
TOKEN=$(printf '%s:%s' "$API_USER" "$API_PASS" | base64)

# Use in requests
curl -s -k \
  -H "Authorization: Basic ${TOKEN}" \
  -H "Accept: application/json" \
  https://api.example.com/v1/resources

ISE ERS Example

curl -s -k -u "${ISE_ERS_USER}:${ISE_ERS_PASS}" \
  -H "Accept: application/json" \
  https://ise-01.inside.domusdigitalis.dev:9060/ers/config/endpoint

When to Use

  • Internal APIs behind a VPN or firewall where TLS terminates at a trusted boundary

  • Legacy systems that predate OAuth2 (many enterprise appliances)

  • Quick prototyping where token management adds unnecessary complexity

  • Cisco ISE ERS API — Basic Auth is the only supported method

When to Avoid

  • Public-facing APIs (credential reuse risk)

  • APIs where you need scoped permissions (Basic Auth is all-or-nothing)

  • High-frequency automation without connection pooling (credentials decoded on every request)

Security Considerations

  • Always use HTTPS. Basic Auth over HTTP exposes credentials to any network observer.

  • Never embed credentials in scripts. Use environment variables or a secrets manager.

  • Rotate credentials regularly. Basic Auth credentials tend to be long-lived and forgotten.

  • Use dedicated API accounts. Never authenticate API calls with a personal admin account.

dsec Pattern

Store the credentials in an encrypted environment file:

# Edit the secrets file
dsec edit d000 dev/network

Inside the encrypted file, define:

ISE_ERS_USER=ers-admin
ISE_ERS_PASS=your-secret-password
ISE_HOST=ise-01.inside.domusdigitalis.dev

Load before use:

dsource d000 dev/network

# Verify loaded
echo "$ISE_ERS_USER"    # ers-admin

# Clean up when done
dsunsource

netapi Pattern

netapi reads Basic Auth credentials from the environment or CLI flags:

# From environment (after dsource)
netapi --auth basic ise ers endpoints list

# Explicit flags (override environment)
netapi --auth basic --user admin --pass secret ise ers endpoints list

Under the hood, netapi constructs the Authorization: Basic <base64> header identically to the curl examples above.

Environment Variables

Variable Purpose

ISE_ERS_USER

Username for ISE ERS Basic Auth

ISE_ERS_PASS

Password for ISE ERS Basic Auth

NETAPI_BASIC_USER

Generic Basic Auth username (any vendor)

NETAPI_BASIC_PASS

Generic Basic Auth password (any vendor)

Vendor-specific variables take precedence over generic ones.

Constructing the Header Manually

If you need to understand what is happening at the wire level:

# Step 1: Concatenate user:pass
CREDS="admin:SecretPass123"

# Step 2: Base64 encode
ENCODED=$(printf '%s' "$CREDS" | base64)
echo "$ENCODED"
# YWRtaW46U2VjcmV0UGFzczEyMw==

# Step 3: Send as header
curl -s -k \
  -H "Authorization: Basic ${ENCODED}" \
  -H "Accept: application/json" \
  https://api.example.com/v1/resources

Note the use of printf instead of echo — echo may append a newline on some systems, corrupting the Base64 output.