
Basic Authentication

Basic Authentication is a standard authentication mechanism supported by every standards-compliant HTTP server, and by almost every web browser, which makes it an excellent access control method for smaller APIs.

However, a serious drawback of Basic Authentication is that credentials are transferred over the wire only base64-encoded, not encrypted. This is a serious concern for API owners, so Basic Authentication should only ever be used in conjunction with TLS (SSL).

A basic auth request has an Authorization header whose value is of the form:

Basic base64Encode(username:password)

This means a real request would look something like:

GET /api/widgets/12345 HTTP/1.1
Host: localhost:8080
Authorization: Basic am9obkBzbWl0aC5jb206MTIzNDU2Nw==
Cache-Control: no-cache

In the above example the username is john@smith.com and the password is 1234567.

Tyk supports using basic authentication as an access key in the same way as any other access method. To enable a key as a basic auth key, certain fields in a user session need to be enabled, and the API Definition needs to be set up to allow basic auth.

To get started, let's set up an API for basic auth. This is what the important parts of your definition should look like:

{
    "name": "Tyk Test API",
    ...
    "use_basic_auth": true,
    "use_keyless": false,
    "use_oauth2": false,
    "auth": {
        "auth_header_name": ""
    },
    ...
}

In this example we have explicitly set the other methods to false and cleared their fields. In reality you do not need to set use_keyless and use_oauth2 to false, as they default to false when unset; this example is explicit in case you are converting an existing configuration to use basic auth.

For a user session object, to enable basic auth, simply set the relevant fields in the session:

{
    ...
    "hmac_enabled": false,
    "hmac_string": "",
    "basic_auth_data": {
        "password": "mickey-mouse"
    }
    ...
}

Notice the basic_auth_data section: this is all that is really required. If an API is basic auth enabled, any key that is retrieved will be checked for a password in this field, which is compared to the password encoded in the request.
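As an added illustration (not Tyk's own code) of the two halves described above: decoding the Authorization header shown earlier, then checking the presented password against basic_auth_data.password in the session stored under that username. The Session type and the store map are assumptions standing in for Tyk's key store.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
)

// Session is a cut-down stand-in for a Tyk session object, keeping only
// the one field basic auth needs (basic_auth_data.password). Assumed type.
type Session struct {
	BasicAuthPassword string
}

// parseBasicAuth decodes "Basic base64(username:password)" into its parts.
func parseBasicAuth(header string) (user, pass string, err error) {
	const prefix = "Basic "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", "", errors.New("not a Basic Authorization header")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		return "", "", err
	}
	// Split on the first colon only: a username cannot contain ':' but a password can.
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", errors.New("credentials lack the ':' separator")
	}
	return user, pass, nil
}

// authorize looks the username up in a store keyed the way /tyk/keys/{username}
// implies and compares the presented password to the stored one in constant time.
// The comparison runs even for unknown users so response timing does not
// reveal which usernames exist. Returns the username on success.
func authorize(header string, store map[string]Session) (string, bool) {
	user, pass, err := parseBasicAuth(header)
	if err != nil {
		return "", false
	}
	sess, found := store[user]
	match := subtle.ConstantTimeCompare([]byte(pass), []byte(sess.BasicAuthPassword)) == 1
	if !found || !match {
		return "", false
	}
	return user, true
}
```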

A note on creating basic auth keys

Basic authentication keys are not created the same way as other keys. Since the key ID is not generated by the system, a basic auth key cannot use the /tyk/keys/create endpoint; instead, POST to /tyk/keys/{username}, which will ADD a key to the system. Subsequent requests will overwrite this entry; sending a PUT request will update the entry.

Please see the Tyk REST API documentation for full details on each of the endpoints and how they work.