
cURL by Example: Authentication Token


Authenticate requests. This sample shows Basic Auth and Bearer Tokens.

Code

# Basic Authentication (user:password)
curl -u "admin:secret" https://api.example.com/protected

# Bearer Token (OAuth2 / JWT)
curl -H "Authorization: Bearer <YOUR_TOKEN>" https://api.example.com/profile

# Digest Authentication
curl --digest -u "admin:secret" https://api.example.com/digest

# Using a .netrc file for credentials
# (Credentials stored in ~/.netrc)
curl -n https://api.example.com/protected

Explanation

Authentication is a critical component of API security. HTTP Basic Authentication is one of the simplest schemes: the client sends a username and password with each request. cURL supports it natively through the -u flag (or --user), which takes credentials in the format username:password. When you use this flag, cURL Base64-encodes the credentials and constructs the header Authorization: Basic <base64-encoded-credentials>, which is then sent with every request. Basic Auth is widely supported but should only be used over HTTPS, because Base64 is easily reversible: it is encoding, not encryption, so anyone who can read the header can read the password. Some servers also support Digest Authentication (a more secure challenge-response mechanism), which you can use with the --digest flag combined with -u.
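As an added example (not code from the original page), the following shell functions build the exact Authorization header that curl sends for -u "admin:secret" and then decode it again. This is the reason Basic Auth needs TLS: a captured or logged Authorization header gives the password straight back. Only the sample's admin:secret credentials are reused; the function names and the demo are constructed here.

```shell
#!/bin/sh
# Added example (not from the original page): build the header curl sends for
# -u "user:pass" and decode it again, showing that Base64 is reversible encoding.

# Build the exact "Authorization: Basic ..." header curl generates for -u "$1:$2".
basic_auth_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Recover the plaintext "user:pass" from a captured Basic Authorization header,
# e.g. one found in a proxy or web-server log that recorded request headers.
decode_basic_header() {
    printf '%s' "$1" | sed 's/^Authorization: Basic //' | base64 -d
}

# Demo with the sample's constructed credentials (admin:secret).
hdr=$(basic_auth_header admin secret)
echo "curl sends:  $hdr"
echo "decodes to:  $(decode_basic_header "$hdr")"
```

The decoded value is exactly what a log scrubber should look for: any line containing "Authorization: Basic" holds a reusable password, so such headers must never reach plaintext logs.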

Modern APIs predominantly use token-based authentication, most commonly OAuth 2.0 Bearer tokens or JSON Web Tokens (JWTs). These tokens are obtained through a separate authentication flow and then included in subsequent requests. Unlike Basic Auth, cURL doesn't have a dedicated flag for Bearer tokens; you add the header yourself with -H "Authorization: Bearer <your-token>", and the token is sent as-is without further encoding. Bearer tokens are generally more secure than Basic Auth because they can be scoped to specific permissions, carry expiration times, can be revoked independently of the user's credentials, and don't require sending the actual password with each request. Many APIs return these tokens from login endpoints; you store the token and reuse it for authorized requests.
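Because Bearer tokens expire, it is worth checking a JWT's exp claim before sending it, so an expired token is reported rather than producing an unexplained 401. The shell functions below are an added example, not from the original page. They assume the token is a JWT with a numeric exp claim; the sample token is constructed inline with a placeholder signature, api.example.com is the page's placeholder host, and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a Bearer token's expiry
# before sending it. Assumes a JWT whose payload carries a numeric "exp" claim.

# Decode one base64url segment of a JWT ('-'/'_' alphabet, padding stripped).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the numeric "exp" claim from the token's payload (second segment).
jwt_exp() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
        | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if the token is still valid at Unix time $2 (default: now); return 1
# if it has expired or no exp claim can be read (unreadable tokens are unusable).
jwt_is_valid() {
    exp=$(jwt_exp "$1")
    now=${2:-$(date +%s)}
    [ -n "$exp" ] && [ "$exp" -gt "$now" ]
}

# Constructed sample token: genuinely encoded header and payload, placeholder
# signature. exp=1700000000 is in the past, so the token counts as expired.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_JWT="$(b64url '{"alg":"HS256","typ":"JWT"}').$(b64url '{"sub":"alice","exp":1700000000}').placeholder-signature"

if jwt_is_valid "$SAMPLE_JWT"; then
    curl -H "Authorization: Bearer $SAMPLE_JWT" https://api.example.com/profile
else
    echo "token expired at $(jwt_exp "$SAMPLE_JWT"); obtain a fresh one first" >&2
fi
```

Decoding the payload does not validate the signature; this check only avoids sending a token the server will certainly reject. Validation remains the server's job.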

Security best practices are paramount when handling credentials. Typing passwords directly on the command line is dangerous because most shells save command history to files (like ~/.bash_history), potentially exposing your credentials to anyone with access to your system or to other processes that can read your shell history. Better approaches include the following. Store credentials in environment variables and reference them (-u "$USERNAME:$PASSWORD"). Use a .netrc file in your home directory, which cURL reads automatically with the -n flag; this file stores credentials per host and should have restrictive permissions such as 600. Prompt for the password interactively by omitting it (-u username), which makes cURL prompt securely without echoing the password to the screen or saving it in history. In production environments, use credential managers and secret stores. For testing and development, prefer API keys or temporary tokens over actual user credentials whenever possible.
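The .netrc approach only helps if the file really is private. The script below, added here and not from the original page, checks that a netrc file has mode 600 before handing it to curl through the documented --netrc-file flag, using a constructed file in a temporary directory rather than your real ~/.netrc. The names netrc_is_private and curl_with_netrc are chosen for this example, and api.example.com is the page's placeholder host.

```shell
#!/bin/sh
# Added example (not from the original page): keep credentials out of argv and
# shell history by reading them from a netrc file, and refuse to use that file
# unless it is readable only by its owner (mode 600).

# Return 0 if $1 is a regular file with mode exactly rw------- (600), else 1.
# Reads the mode from ls -l so it works on both GNU and BSD userland.
netrc_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run curl with credentials taken from the given netrc file instead of -u.
# --netrc-file is curl's documented flag for a netrc at a non-default path.
curl_with_netrc() {
    netrc_file=$1; shift
    if ! netrc_is_private "$netrc_file"; then
        echo "refusing to use $netrc_file: permissions must be 600" >&2
        return 1
    fi
    curl --netrc-file "$netrc_file" "$@"
}

# Demo with a constructed netrc in a temporary directory (never the real ~/.netrc).
tmp=$(mktemp -d)
printf 'machine api.example.com login admin password secret\n' > "$tmp/netrc"
chmod 644 "$tmp/netrc"
netrc_is_private "$tmp/netrc" && echo "mode 644: accepted" || echo "mode 644: rejected"
chmod 600 "$tmp/netrc"
netrc_is_private "$tmp/netrc" && echo "mode 600: accepted" || echo "mode 600: rejected"
# Real use once the file is private:
#   curl_with_netrc "$HOME/.netrc" https://api.example.com/protected
rm -rf "$tmp"
```

Note that the environment-variable form (-u "$USERNAME:$PASSWORD") still expands the password into curl's argument list; the netrc file avoids that entirely, which is why the permission check matters.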

Code Breakdown

Line 2: -u "user:pass" adds the Basic Auth header (base64 encoded).
Line 5: -H "Authorization: ..." is the manual way to send tokens.