
Basic Authentication

Basic Authentication is a standard authentication mechanism supported by every standards-compliant HTTP server and by almost every web browser, which makes it an excellent access control method for smaller APIs.

However, a serious drawback of Basic Authentication is that credentials are transferred over the wire in encoded plaintext (Base64 is an encoding, not encryption). This is a serious concern for API owners, so Basic Authentication should only ever be used in conjunction with TLS (SSL).

A basic auth request will have an Authorization header where the value will be of the form:

    Basic base64Encode(username:password)

This means a real request would look something like:

    GET /api/widgets/12345 HTTP/1.1
    Host: localhost:8080
    Authorization: Basic am9obkBzbWl0aC5jb206MTIzNDU2Nw==
    Cache-Control: no-cache

In the above example the username is john@smith.com and the password is 1234567.

Tyk supports using basic authentication as an access key in the same way as any other access method. To enable a key as a basic auth key, certain fields in a user session need to be enabled, and the API Definition needs to be set up to allow basic auth.

To get started, let's set up an API for basic auth. This is what the important parts of your definition should look like:

    {
        "name": "Tyk Test API",
        "use_basic_auth": true,
        "use_keyless": false,
        "use_oauth2": false,
        "auth": {
            "auth_header_name": ""
        }
    }

In this example we have explicitly set the other methods to false and cleared the auth header field. In reality you do not need to set use_keyless and use_oauth2 to false, as they default to false when unset; this example is explicit in case you are converting an existing configuration to use basic auth.

For a user session object, to enable basic auth, set the relevant fields in the session:

    {
        "hmac_enabled": false,
        "hmac_string": "",
        "basic_auth_data": {
            "password": "mickey-mouse"
        }
    }

Notice the basic_auth_data section: this is all that is really required. If an API is basic auth enabled, any key that is retrieved will be checked for a password in this field, and that password is compared with the one encoded in the request.
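The header format described earlier and the password check against basic_auth_data described here fit together in a few dozen lines. The following is an added Go example written for this page, not code from Tyk itself: it models the key store as an in-memory map keyed by username (mirroring the fact that a basic auth key's ID is the username), decodes the Authorization header, and compares the presented password with the stored one in constant time. The Session type and the sessionStore, loadSession, parseBasicAuth and authenticate names are this example's own, and the session JSON and request headers are constructed for it.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Session mirrors only the part of a Tyk session object that matters for basic
// auth; real sessions carry many more fields than basic_auth_data.
type Session struct {
	BasicAuthData struct {
		Password string `json:"password"`
	} `json:"basic_auth_data"`
}

// sessionStore is a constructed stand-in for the gateway's key store. The key
// ID of a basic auth key is the username, so sessions are looked up by username.
var sessionStore = map[string]Session{}

// loadSession parses a session object (the body that would be POSTed to
// /tyk/keys/{username}) and registers it under the given username.
func loadSession(username string, sessionJSON []byte) error {
	var s Session
	if err := json.Unmarshal(sessionJSON, &s); err != nil {
		return err
	}
	if s.BasicAuthData.Password == "" {
		return fmt.Errorf("session for %q has no basic_auth_data.password", username)
	}
	sessionStore[username] = s
	return nil
}

// parseBasicAuth decodes "Basic base64(username:password)". The scheme name is
// matched case-insensitively, and the decoded string is split on the FIRST colon
// only, because RFC 7617 allows colons in the password but not in the username.
func parseBasicAuth(header string) (username, password string, ok bool) {
	const prefix = "basic "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		return "", "", false
	}
	username, password, found := strings.Cut(string(raw), ":")
	if !found || username == "" {
		return "", "", false
	}
	return username, password, true
}

// authenticate performs the check the page describes: the session is found by
// username and its basic_auth_data.password is compared with the password sent
// in the header. The comparison is constant-time so that response timing does
// not reveal how many leading characters of a guess were correct.
func authenticate(authHeader string) (username string, ok bool) {
	username, password, ok := parseBasicAuth(authHeader)
	if !ok {
		return "", false
	}
	s, exists := sessionStore[username]
	if !exists {
		return "", false
	}
	if subtle.ConstantTimeCompare([]byte(s.BasicAuthData.Password), []byte(password)) != 1 {
		return "", false
	}
	return username, true
}

func main() {
	// Constructed session matching the credentials in the page's example request.
	_ = loadSession("john@smith.com", []byte(`{"basic_auth_data": {"password": "1234567"}}`))
	for _, h := range []string{
		"Basic am9obkBzbWl0aC5jb206MTIzNDU2Nw==", // john@smith.com:1234567
		"Basic " + base64.StdEncoding.EncodeToString([]byte("john@smith.com:wrong")),
		"Bearer am9obkBzbWl0aC5jb206MTIzNDU2Nw==", // wrong scheme
	} {
		user, ok := authenticate(h)
		fmt.Printf("%-60s -> user=%q ok=%v\n", h, user, ok)
	}
}
```

Two details are worth keeping when adapting this: split the decoded credential on the first colon only, otherwise any password containing a colon is silently truncated, and never compare passwords with `==`. This toy store also keeps the password exactly as it was posted; a real key store should hold only a password hash.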

A note on creating basic auth keys

Basic authentication keys are not created the same way as other keys. Since the key ID is not generated by the system, a basic auth key cannot use the /tyk/keys/create endpoint; instead, POST to /tyk/keys/{username}, which adds a key to the system. Subsequent requests will overwrite this entry, and sending a PUT request will update the entry.

Please see the Tyk REST API documentation for full details on each of the endpoints and how they work.
