A client that wants to authenticate itself with the server can do so by including an Authorization request header field with the credentials. In the case of a "Basic" authentication, the exchange must happen over an HTTPS (TLS) connection. Username and password are passed over the network as a base64 encoded string with a ":" separated. The following is a correct example of the Authorization header:
Authorization: Basix YWxhZGRpbjpvcGVuc2VzYW1l

If the "Authorization" header is present, username and password will be fetched form the header, the ones passed in the querystring will be ignored. Should the authentication be unsuccessful (either username and/or password could not be decoded from the header, or the authentication type is not basic) HTTP 401 (Unathorized) will be the response. Invalid username/password yields a HTTP 400 (Bad Request) response. If the "Authorization" header is not present, credentials will retrieved from the querystring.