Basic Authentication With Postman

Last modified: September 13, 2022

1. Overview


In this tutorial, we’ll learn how to use Postman to test an endpoint secured with Basic Authentication.


We’ll see how to use the “Authorization” tab to generate the header based on the raw credentials. After that, we’ll learn how to do it manually. Finally, we’ll see how Postman Interceptor works and how it can come in handy.


2. Basic Authentication


Basic Authentication is a method of securing HTTP requests through a special header:


Authorization: Basic <credentials>

To generate the credentials token, we need to write the username and password, joined by the colon character. After that, we need to encode the resulting string with Base64.


Let’s assume the username is “admin” and the password is “baeldung”. First, we’ll create the credentials string, which will be “admin:baeldung”. Then, we’ll encode it with Base64, add the “Basic” keyword, and set it as the header’s value:


Authorization: Basic YWRtaW46YmFlbGR1bmc=

3. Authorization Tab


Firstly, let’s send a GET request to a Basic Auth-secured endpoint and expect an Unauthorized status for the response:



[Image: postman unauthorized]

Now, let’s add the credentials. To do this, we simply go to the “Authorization” tab and select “Basic Auth” as the authorization type. After that, we insert the username and password and we’re all set:



[Image: postman authorization tab 1]

Consequently, we can see that the request was authorized and the response code is 200. Furthermore, if we click on the “code” link, we can see that the authorization header has now been added to the request:


GET /postman-test HTTP/1.1
Host: localhost:8080
Authorization: Basic YWRtaW46YmFlbGR1bmc=
Cache-Control: no-cache
Postman-Token: 6ad07f7c-4846-9c3f-2a3e-b24e8d2273ad

4. Adding the Header Manually


Postman allows us to manually add headers. As a result, we can add the authorization header directly, if we already have the credentials token.


We can do this from the “Headers” tab. First, we set “Authorization” as the key. After that, we’ll add the credentials token:



[Image: postman unauthorized 2]

If we inspect the HTTP request, we’ll see that nothing differs from the previous one.


5. Postman Interceptor


Postman Interceptor is a Chrome extension that allows us to bind the Postman application to a browser session. In other words, it allows Postman to execute requests on behalf of the user who is logged in on the browser.


Firstly, we need to download and install the Chrome extension. After that, we enable the interceptor from the Postman application, by clicking on the satellite icon:



[Image: interceptor 1]

Now, the Postman application is bound to the browser session. If we navigate the web, we’ll be able to see all the requests in Postman’s “History” tab. However, if we try to execute the GET request now, we’ll still get the 401 Unauthorized response because we haven’t logged in yet.


Let’s use the browser to navigate to the Basic Auth-secured page:



[Image: interceptor 2]

After we sign in using the browser pop-up, we can go back to Postman and execute the request again. This time, the request will be authorized.


6. Conclusion


In this article, we learned how Basic Authentication works and explored various ways of testing a secured endpoint with Postman.


We saw how we can manually add the Authorization header, and how to use Postman to generate it based on raw credentials. Finally, we learned about Postman Interceptor and we discovered that we can use it to send requests on behalf of the user logged in from the browser.


As always, the source code and Postman collection are available over on GitHub.