Why should you base64 encode the Authorization header?

Twitter's API requires sending an Authorization header that is a base64 encoding of an API key concatenated with an API secret key. In Node, I use:

// Buffer.from replaces the deprecated new Buffer(string) constructor; the result is identical
var base64 = Buffer.from(apiKey + ':' + apiSecret).toString('base64');

The header sent becomes:

Authorization: 'Basic ' + base64

What is the point of base64 encoding the string "apiKeyHere:apiSecretHere"? Why not just accept an Authorization header containing the raw api credentials?

This question is similar to What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication? but the voted answer doesn't fully answer my question. Twitter's api key and api secret key are already HTTP compatible characters. They look something like this (these are not real):

Consumer Key (API Key) 8dme3utVQfOhlPk5BUG9XbFxR

Consumer Secret (API Secret) QFZXoC7MP72JZtGMBNpjLGI4Vl1xr1q9dyPLp3u7jGtkESpbLm

So why base64 encode it? Furthermore, that post states "the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible." Wouldn't a username and password already be HTTP compatible characters?

iamdtang asked Oct 28 '15 07:10


2 Answers

The Basic Authentication Scheme is described in RFC 7617 (and the older RFC 2617).

This is a standard way to send password credentials to the server. The base64 encoding is used to encode the credentials so that non-HTTP characters and multibyte strings can be sent.

Spomky-Labs answered Oct 05 '22 02:10


By default, message header field parameters in Hypertext Transfer Protocol (HTTP) messages cannot carry characters outside the ISO-8859-1 character set.

If the user name and password contain characters from an incompatible charset, then HTTP would not be able to carry that text. To prevent this, we encode the user name and password with base64 to make sure we are sending HTTP-compatible characters over HTTP. For more information see Basic_access_authentication

Varun answered Oct 05 '22 04:10
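Both answers make the same point: base64 turns an arbitrary "user-id:password" string into a single token made only of header-safe characters. The following is an added example, not code from the question or from either answer, that builds and parses the header the way RFC 7617 describes it (split on the first colon, so a password may contain one; the user-id may not); the function names are this example's own choices.

```javascript
// Added example (not from the question or either answer): building and parsing
// an HTTP Basic Authorization header as described in RFC 7617.

function buildBasicHeader(userId, password) {
  // RFC 7617: the user-id must not contain a colon, because the first colon
  // is what separates user-id from password once the token is decoded.
  if (userId.includes(':')) {
    throw new Error('user-id must not contain ":"');
  }
  // Buffer.from(..., 'utf8') turns any characters, including ones outside
  // ISO-8859-1, into bytes; base64 then maps those bytes onto characters
  // that every HTTP header field can carry unchanged.
  const token = Buffer.from(`${userId}:${password}`, 'utf8').toString('base64');
  return `Basic ${token}`;
}

function parseBasicHeader(headerValue) {
  // Accept only the Basic scheme followed by a well-formed base64 token.
  const match = /^Basic\s+([A-Za-z0-9+\/]+=*)$/.exec(headerValue);
  if (!match) {
    return null;
  }
  // base64 is an encoding, not encryption: anyone who can read the header can
  // decode it, which is why Basic auth is only sent over TLS.
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep === -1) {
    return null;
  }
  // Split on the FIRST colon only, so a password containing ':' survives.
  return { userId: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed sample values: the key/secret are the placeholder strings from
// the question (explicitly not real credentials).
const twitterLike = buildBasicHeader('8dme3utVQfOhlPk5BUG9XbFxR',
  'QFZXoC7MP72JZtGMBNpjLGI4Vl1xr1q9dyPLp3u7jGtkESpbLm');

// A password with a colon and a character outside ISO-8859-1: the raw
// "user:pass" string could not travel in a header field, the encoded form can.
const awkward = buildBasicHeader('alice', 'p@ss:w€rd');
```

The round trip through parseBasicHeader recovers the exact user-id and password in both cases, which is all the encoding buys: transport safety, not secrecy.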