Thank you so much for writing DataStar. It has been life-changing in reducing JavaScript client-side issues. Here is a fix for something I stumbled upon as I was migrating away from HTMX.
The remainder of this post is written by Claude Code.
fetch() refuses to use a URL that contains credentials (https://user:pass@host/…). Because Datastar's @get/@post are built on fetch(), opening a page with credentials in the URL — e.g. behind HTTP Basic Auth — makes every Datastar request fail. HTMX never hit this because it uses XMLHttpRequest, which tolerates credentialed URLs. The small script below restores parity, so Datastar "just works" behind Basic Auth.