diff --git a/src/download.ts b/src/download.ts
index 9355cd3..a5dd851 100644
--- a/src/download.ts
+++ b/src/download.ts
@@ -1,7 +1,7 @@
 import path from 'path';
 import fsp from 'fs/promises';
 
-import { bodyToBuffer, isWriteable } from './util';
+import { bodyToBuffer, getAuthHeader, isWriteable } from './util';
 import { Pointer } from './pointers';
 import { HTTPRequest } from './types';
 
@@ -31,10 +31,7 @@ export default async function downloadBlobFromPointer(
 ): Promise<Buffer> {
 
   const authHeaders: Record<string, string> = auth
-    ? {
-        'Authorization':
-          `Basic ${Buffer.from(`${auth.username}:${auth.password}`).toString('base64')}`,
-      }
+    ? getAuthHeader(auth)
     : {};
 
   // Request LFS metadata
diff --git a/src/util.ts b/src/util.ts
index 4978bf7..7bf89a5 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -1,5 +1,6 @@
 import fs from 'fs/promises';
 import { constants as fsConstants } from 'fs';
+import { BasicAuth } from './types';
 
 export const LFS_POINTER_PREAMBLE = 'version https://git-lfs.github.com/spec/v1\n';
 
@@ -12,6 +13,18 @@ export function pointsToLFS(content: Buffer): boolean {
 }
 
 
+/**
+ * Returns properly encoded HTTP Basic auth header,
+ * given basic auth credentials.
+ */
+export function getAuthHeader(auth: BasicAuth): Record<string, string> {
+  return {
+    'Authorization':
+      `Basic ${Buffer.from(`${auth.username}:${auth.password}`).toString('base64')}`,
+  };
+}
+
+
 /**
  * Returns true if given path is available for writing,
  * regardless of whether or not it is occupied.