PHP: Using cURL with Basic HTTP Authentication.

This is a short PHP tutorial on how to use cURL to make a Basic Access Authentication request. In this post, I will show you how to configure PHP’s cURL functions to access a web resource that is protected by basic HTTP authentication.

401 Unauthorized.

If you send a cURL request to a URL that is protected by HTTP authentication, the response will probably look something like this:

401 Unauthorized: You need a valid user and password to access this content.

The issue here is that the resource is protected and you did not provide a valid username and password. As a result, the server responded with a 401 Unauthorized response.

Using the CURLOPT_USERPWD option.

To solve this, we can use the CURLOPT_USERPWD option. This option allows us to tell cURL what username and password to use while making the request.

An example of it being used:

//The URL of the resource that is protected by Basic HTTP Authentication.
$url = '';

//Your username.
$username = 'myusername';

//Your password.
$password = 'mypassword';

//Initiate cURL.
$ch = curl_init($url);
//Specify the username and password using the CURLOPT_USERPWD option.
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);  

//Tell cURL to return the output as a string instead
//of dumping it to the browser.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

//Execute the cURL request.
$response = curl_exec($ch);
//Check for errors.
    //If an error occured, throw an Exception.
    throw new Exception(curl_error($ch));

//Print out the response.
echo $response;

Pretty simple, right?

In the example above, we set the username and password using the CURLOPT_USERPWD option. As a result, our cURL client will end up sending the following header:

Authorization: Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk

A few notes:

  • In some cases, the resource in question might be expecting a POST request. Therefore, you might need to change the request above from a GET request to a POST request.
  • The CURLOPT_USERPWD option sends the username and password combination in a base64 format. This means that a combination of “MyUsername:MyPassword” will become “TXlVc2VybmFtZTpNeVBhc3N3b3Jk”. However, it is important to note that base64 does not make this request any more secure. Therefore, it is advisable that you configure both the cURL client and the server to use SSL. This is to prevent man-in-the-middle attacks.
  • Other options may need to be configured depending on your situation. In other words, the code above might not work “straight out of the box”.


Alternatively, you can use the CURLOPT_HTTPHEADER, which allows you manually create headers. In the example below, we manually set the Content-Type and Authorization headers:

//HTTP username.
$username = 'myusername';
//HTTP password.
$password = 'mypassword';
//Create the headers array.
$headers = array(
    'Content-Type: application/json',
    'Authorization: Basic '. base64_encode("$username:$password")
//Set the headers that we want our cURL client to use.
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

The code above should be used in lieu of the CURLOPT_USERPWD option.

Hopefully, you found this guide to be useful!