What is -u flag on cURL actually doing?

Question

I'm looking at Stripe's cURL example for getting info on an event.

They have me do:

curl https://api.stripe.com/v1/events/evt_123 \
   -u sk_test_somekey:

The documentation for cURL states that -u does USER:PASSWORD.

When I tried sending this as -d or as a query ?, Stripe's API says that I'm missing a header. This doesn't seem right.

I don't understand the lack of password after the username, either. If I send that cURL without the :, I am prompted for a password. Hitting enter (no characters inputted), gets me the expected response.

So, what exactly is -u doing so I can imitate this call in my code?

leaving out the password (no colon) will have curl prompt for it. With just a colon it means a zero-length password. — Daniel Stenberg, Feb 16 '16 at 21:15

Aaron Brager · Accepted Answer · 2022-09-14T22:06:02.160

curl -u encodes the username:password string into a base-64 string which is passed in the Authorization header, like so:

GET / HTTP/1.1
Host: example.com
Accept: text/html
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

This isn't easy to skim, but it's not encryption either. Anyone with a base 64 decoder can see the username and password, so make sure you set up HTTPS with a modern version of TLS.

Your HTTP library probably has a function that does this for you.

What is -u flag on cURL actually doing?

1 Answers1

Linked