OH NO sorry, I also fell in the same confusion: the credentials have to be encoded in Base64 alone, the whole intention of auth_key_sha256 is just so you don’t write credentials in clear text in readonlyrest.yml.
Basically the header should be -H’Authorization: Basic base64encode(user:pass)’
And you should have the SHA256 hash as a auth_key_sha256 rule value.