special - Using cURL with a username and password?

curl--user (9)

I had the same need in bash (Ubuntu 16.04 LTS) and the commands provided in the answers failed to work in my case. I had to use:

curl -X POST -F 'username="$USER"' -F 'password="$PASS"' "http://api.somesite.com/test/blah?something=123"

Double quotes in the -F arguments are only needed if you're using variables, thus from the command line ... -F 'username=myuser' ... will be fine.

I would be glad if a comment or edit can explain why!

I want to access a URL which requires a username/password. I'd like to try accessing it with curl. Right now I'm doing something like:

curl http://api.somesite.com/test/blah?something=123

I get an error. I guess I need to specify a username and password along with the above command.

How can I do that?

If you are on a system that has Gnome keyring app a solution that avoids exposing the password directly is to use gkeyring.py to extract the password from the keyring:

pass=$(gkeyring.py -k login -tnetwork -p user=$user,server=$server -1)

curl -u $user:$pass ftps://$server/$file -O

Or the same thing but different syntax

curl http://username:[email protected]/test/blah?something=123

Other answers have suggested netrc to specify username and password, based on what I've read, I agree. Here are some syntax details:


Like other answers, I would like to stress the need to pay attention to security regarding this question.

Although I am not an expert, I found these links insightful:


To summarize:

Using the encrypted versions of the protocols (HTTPS vs HTTP) (FTPS vs FTP) can help avoid Network Leakage.

Using netrc can help avoid Command Line Leakage.

To go a step further, it seems you can also encrypt the netrc files using gpg


With this your credentials are not "at rest" (stored) as plain text.

To let the password least not pop up in your .bash_history:

curl -u user:$(cat .password-file) http://example-domain.tld

To securely pass the password in a script (i.e. prevent it from showing up with ps auxf or logs) you can do it with the -K- flag (read config from stdin) and a heredoc:

curl --url url -K- <<< "--user user:password"

You can also just send the user name by writing:

curl -u USERNAME http://server.example

Curl will then ask you for the password, and the password will not be visible on the screen (or if you need to copy/paste the command).

curl -X GET -u username:password  {{ http://www.example.com/filename.txt }} -O