Basic authentication still appears on internal package feeds, appliance downloads, and small HTTP endpoints where a single username and password protect a URL space. In wget, that keeps the workflow easy to automate because the same request can be replayed from a shell, a scheduler, or a deployment job without opening a browser.

On a normal Basic-auth exchange, wget first requests the URL, receives a 401 Unauthorized response with a WWW-Authenticate: Basic challenge, and then retries with an Authorization header derived from the supplied credentials. That challenge-response pattern matters because some older or unusual servers never send the challenge and only work when Basic auth is sent immediately.

Basic auth is only an encoding step over HTTP, not a protection mechanism by itself, and literal passwords on the command line are easy to leak through shell history, process listings, and copied terminal logs. Prompted entry or a tightly permissioned config file is safer for recurring use than pasting secrets into every command.

Related: How to authenticate with a bearer token in wget

Steps to use Basic authentication in wget:

  1. Probe the endpoint once without credentials to confirm that it is issuing a Basic auth challenge. 
    $ wget --spider --server-response \
  https://packages.example.net/api/v1/artifacts/current 2>&1
Spider mode enabled. Check if remote file exists.
##### snipped #####
  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="Package API"
 
Username/Password Authentication Failed.

    A visible WWW-Authenticate: Basic header confirms that the server expects the normal challenge-response Basic flow.

  2. Authenticate with --user and --password when a one-off artifact check is acceptable. 
    $ wget -S -O - \
  --user='svc-release-reader' \
  --password='MASKED_RELEASE_READER_PASSWORD' \
  https://packages.example.net/api/v1/artifacts/current 2>&1
##### snipped #####
  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="Package API"
Authentication selected: Basic realm="Package API"
##### snipped #####
  HTTP/1.1 200 OK
{
  "channel": "current",
  "download_authorized": true,
  "principal": "svc-release-reader"
}

    Literal passwords are easy to automate, but they are also easy to expose through history files and process inspection.

  3. Prompt for the password interactively when the username can stay visible but the password should not appear on the command line. 
    $ wget -qO- --user='svc-release-reader' --ask-password \
  https://packages.example.net/api/v1/artifacts/current
Password for user 'svc-release-reader':
{
  "channel": "current",
  "download_authorized": true,
  "principal": "svc-release-reader"
}

    --ask-password keeps the password out of the command text, and --use-askpass fits the same job when a launcher or helper program should supply the secret.

  4. Send credentials immediately with --auth-no-challenge only for servers that never issue a Basic challenge. 
    $ wget -qO- \
  --auth-no-challenge \
  --user='svc-legacy-reader' \
  --password='MASKED_LEGACY_READER_PASSWORD' \
  https://legacy-gateway.example.net/session/health | jq .
{
  "service": "session-gateway",
  "status": "ok",
  "principal": "svc-legacy-reader"
}

    Preemptive Basic auth sends the credentials on the first request, so keep it limited to servers that require it and use trusted HTTPS transport.

  5. Persist recurring HTTP credentials in /$HOME/.wgetrc only for tightly controlled automation accounts. 
    $ printf '%s\n' \
  'http_user = svc-artifact-sync' \
  'http_password = MASKED_ARTIFACT_SYNC_PASSWORD' > ~/.wgetrc
$ chmod 600 ~/.wgetrc
$ wget -qO- https://packages.example.net/api/v1/artifacts/nightly | jq .
{
  "channel": "nightly",
  "download_authorized": true,
  "principal": "svc-artifact-sync"
}

    Plain-text credentials in /$HOME/.wgetrc simplify scheduled jobs, but the file must stay private and should be avoided on shared systems.

    Related: How to configure default options in ~/.wgetrc