curl -u encodes the username:password string into a base-64 string which is passed in the Authorization header, like so:
GET / HTTP/1.1
Host: example.com
Accept: text/html
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
This isn’t easy to skim, but it’s not encryption either. Anyone with a base 64 decoder can see the username and password, so make sure you set up HTTPS with a modern version of TLS.
Your HTTP library probably has a function that does this for you.