How to use Basic authentication in wget

Basic authentication still appears on internal artifact stores, small APIs, and legacy download endpoints that protect a URL with a username and password. Handling it in wget keeps the request easy to repeat from a shell, scheduler, or deployment job without switching to a browser first.

In a normal Basic-auth exchange, wget requests the URL, receives a 401 Unauthorized response with a WWW-Authenticate: Basic challenge, and then retries with an Authorization header when credentials are available. Some older gateways never send that challenge, which is when --auth-no-challenge matters.

Basic auth should stay on trusted HTTPS endpoints because the scheme itself does not protect the password in transit. Passwords typed on the command line can also leak through process listings, shell history, and debug logs, so prompted entry is safer for one-off access than copying secrets into every command.

Steps to use Basic authentication in wget:

  1. Probe the endpoint once without credentials to confirm that it is issuing a Basic-auth challenge.
    $ wget --spider --server-response https://packages.example.net/api/v1/artifacts/current
    Spider mode enabled. Check if remote file exists.
    ##### snipped #####
      HTTP/1.1 401 Unauthorized
      WWW-Authenticate: Basic realm="Package API"
     
    Username/Password Authentication Failed.

    A visible WWW-Authenticate: Basic header confirms that the server expects the normal challenge-response flow.

  2. Send the request with a username and password when a one-off authenticated fetch is acceptable.
    $ wget -qO- --user='svc-release-reader' --password='MASKED_BASIC_SECRET' https://packages.example.net/api/v1/artifacts/current
    {
      "authenticated": true,
      "user": "svc-release-reader"
    }

    Literal passwords on the command line are visible to local process inspection, so avoid this form on shared systems.

  3. Prompt for the password interactively when the username can stay visible but the password should not appear in the command text.
    $ wget -qO- --user='svc-release-reader' --ask-password https://packages.example.net/api/v1/artifacts/current
    Password for user 'svc-release-reader':
    {
      "authenticated": true,
      "user": "svc-release-reader"
    }

    --ask-password keeps the password out of the command itself, and --use-askpass fits the same job when an askpass helper is already in place.

  4. Add --auth-no-challenge only when the server accepts Basic auth but never sends the normal challenge header.
    $ wget -qO- --auth-no-challenge --user='svc-release-reader' --password='MASKED_BASIC_SECRET' https://legacy-gateway.example.net/session/health
    {
      "authenticated": true,
      "user": "svc-release-reader"
    }

    Preemptive Basic auth sends credentials on the first request, so keep it limited to servers that require it and use trusted HTTPS transport.
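
The probe in step 1 and the --auth-no-challenge decision in step 4 can be scripted so that a job only sends credentials when the probe and the transport justify it. This is an added example, not part of the original page: the function names, the "allow-preemptive" opt-in, and the sample headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide how to authenticate from a credential-free probe.
# Feed classify_probe the output of:
#   wget --spider --server-response URL 2>&1

# Prints basic | other | no-challenge | none for the final response seen.
classify_probe() {
    awk '
        { sub(/\r$/, "") }
        # A new status line starts a new response (e.g. after a redirect).
        /^[ \t]*HTTP\/[0-9.]+ / { status = $2 + 0; seen = 0; basic = 0; next }
        tolower($0) ~ /^[ \t]*www-authenticate:/ {
            seen = 1
            if (tolower($0) ~ /^[ \t]*www-authenticate:[ \t]*basic([ \t]|$)/) basic = 1
        }
        END {
            if (basic) print "basic"
            else if (seen) print "other"
            else if (status == 401) print "no-challenge"
            else print "none"
        }'
}

# Prints the wget options to use, or returns 1 when credentials must not be sent.
# $4 = "allow-preemptive" is a hypothetical opt-in for known legacy gateways.
auth_options() {
    url=$1 probe=$2 user=$3 optin=${4:-}   # user assumed to contain no whitespace
    case $url in
        https://*) ;;
        *) echo "refusing Basic auth over non-HTTPS URL" >&2; return 1 ;;
    esac
    case $probe:$optin in
        basic:*) printf '%s\n' "--user=$user --ask-password" ;;
        no-challenge:allow-preemptive)
            printf '%s\n' "--auth-no-challenge --user=$user --ask-password" ;;
        *) echo "no Basic challenge ($probe); not sending credentials" >&2; return 1 ;;
    esac
}

# Constructed probe output (not captured from a real server).
SAMPLE_BASIC='  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="Package API"'
SAMPLE_LEGACY='  HTTP/1.1 401 Unauthorized
  Content-Type: text/plain'
```

A 401 without any challenge header is only reported as "no-challenge"; the preemptive flag is emitted solely when the caller has opted in for that specific endpoint.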