Thank you. Knowing not to put a password was extra information.
OK I followed these rules:
I have used basic authorisation.
I have put a colon at the end.
Postman automatically base 64 encodes it.
My url is: https://api.companieshouse.gov.uk/company/06623345/registered-office-address
My API key works on the website, so the API is correct.
Eventually I used https://www.base64decode.org/ to decode the header having followed all of the articles. This lead me to find out that my key was being used twice not once. Then I was able to find out where my username/password were still both set in Postman.
I set the collection to contain the authorisation as basic and only my key in the username followed by a colon.
I made sure password was empty.
I set the variables so I could use the base_url, hence I set the variable name base_url and https://api.companieshouse.gov.uk
Then I set it to get and {{base_url}}/company/06623345/registered-office-address which worked.