If you do a google search on "rfc http basic authentication base64," among the 441,000 estimated hits will be a link or two to RFC 2617, which describes http authentication. This is an old document and probably obsolete, but I don't think much has changed. To quote the RFC:
in reply to Question about the credentials method in WWW:Mechanize
To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64
encoded string in the credentials.