Welcome to a tutorial on how to do a PHP CURL call with HTTP basic authentication. Need to secure a server-to-server call without all the crazy encryption, verification, and login stuff? HTTP basic authentication is a good option.
To perform a PHP CURL call with HTTP basic authentication, we have to set the user and password in the CURL options.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "HTTP://SITE.COM");
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "USER:PASSWORD");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
That should cover the basics, but read on for an actual example.
ⓘ I have included a zip file with all the source code at the start of this tutorial, so you don’t have to copy-paste everything… Or if you just want to dive straight in.
TLDR – QUICK SLIDES
Fullscreen Mode – Click Here
TABLE OF CONTENTS
DOWNLOAD & NOTES
Firstly, here is the download link to the example code as promised.
QUICK NOTES
- This example is based on a XAMPP server.
- Edit
protected/.htaccess
, changeAuthUserFile
to your own file path – The default user and password inprotected/.htpasswd
isUSER
andPASS
. - Edit
CURL-auth.php
, change$url
to your own.
EXAMPLE CODE DOWNLOAD
Click here to download all the example source code, I have released it under the MIT license, so feel free to build on top of it or use it in your own project.
PHP CURL WITH HTTP AUTH
All right, let us now get into the example of CURL with HTTP basic authentication.
SERVER A) PHP CURL CALL
<?php
// (A) THE SETTINGS
$url = "http://localhost/protected/secret.php";
$user = "USER";
$password = "PASS";
// (B) CURL INIT
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$user:$password");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
if (substr($url, 0, 5)=="https") {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
}
// (C) CURL EXEC
// NOTE: HTTP RESPONSE CODE 200 = OK
$result = curl_exec($ch);
if (curl_errno($ch)) { echo curl_error($ch); }
else {
$info = curl_getinfo($ch);
if ($info["http_code"] != 200) { print_r($info); }
else { echo $result; }
}
curl_close($ch);
This should be pretty self-explanatory.
- As in the introduction, all we need is to set CURL options (
CURLOPT_HTTPAUTH
andCURLOPT_USERPWD
) accordingly. - If you are having trouble with SSL (
https://
), try disabling the peer verification –curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false)
. - Take note of the “fetch results” part, we can use
curl_getinfo()
to get more information on the server response. Importantly, check thehttp_code
– A failed authentication will usually return 401 (unauthorized).
SERVER B) PROTECTED FOLDER
This is a small extra for you guys who are running Apache, and do not know how to secure folders with basic HTTP auth.
- Apache web servers come with a tool called
htpasswd
and we can use it to generate a user/password file –htpasswd -c "PATH/FOLDER/.htpasswd" USER
. - Next, create a
.htaccess
file in the folder that you want to protect.AuthType Basic
AuthName "Password Required"
AuthUserFile PATH/FOLDER/.htpasswd
Require valid-user
That’s all.
EXTRA BITS & LINKS
That’s all for the main tutorial, and here is a small section on some extras and links that may be useful to you.
LINKS & REFERENCES
- CURL Options – PHP
- Basic Authentication and Authorization – Apache
- htpasswd – Manage user files for basic authentication
- Basic Authentication For IIS – Microsoft
- Basic Authentication For NGINX
INFOGRAPHIC CHEAT SHEET

THE END
Thank you for reading, and we have come to the end. I hope that it has helped you to better understand, and if you want to share anything with this guide, please feel free to comment below. Good luck and happy coding!