curl -u / --user: Basic Authentication
-u sends basic auth, and how you pass the password decides how safe it is.
Basic auth is still common for registries, internal services, and some webhook endpoints. -u is the flag, with a couple of safer variants.
What it does
-u / --user <user>:<password> sends HTTP Basic authentication by base64-encoding the credentials into the Authorization header. If you give only the user and a colon, curl prompts for the password interactively (which fails in CI). You can also store credentials in a .netrc file and use -n / --netrc to avoid putting them on the command line.
Common usage
curl -u "$USER:$PASS" https://api.example.com/x
curl -u "ci-bot:$TOKEN" https://registry.example.com/v2/_catalog
curl --netrc https://api.example.com/x # read creds from ~/.netrc
curl --netrc-file ./ci-netrc https://api.example.com/xFlags
| Flag | What it does |
|---|---|
| -u <user>:<pass> | Send basic auth credentials |
| -u <user> | User only; curl prompts for the password (breaks in CI) |
| -n / --netrc | Read credentials from ~/.netrc |
| --netrc-file <f> | Read credentials from a specific netrc file |
| --basic | Force basic auth (the default scheme) |
In CI
Avoid the user-only form on a runner: with no TTY, the password prompt fails or hangs. Pass full credentials from secrets, or use a netrc file written from secrets so the password never appears in the process list or shell history.
Common errors in CI
A hang or curl: (52) Empty reply can follow a -u user-only call waiting for a prompt that never comes. A 401 means the credentials are wrong or the endpoint expects bearer auth instead of basic; check the API docs.