In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes. (Source: wikipedia)
Basic Authentication is a standard authentication mechanism supported by every standards-compliant HTTP server and by almost every web browser, which makes it a convenient access control method for smaller APIs.
However, a serious drawback of Basic Authentication is that the credentials are only Base64-encoded, not encrypted, so anyone who can observe the request on the wire can recover the username and password. This is a serious concern for API owners, and Basic Authentication should therefore only ever be used over TLS (HTTPS).
A basic auth request carries an Authorization header whose value has the form Basic base64(username:password), where the username and password are joined with a single colon and the result is Base64-encoded.
This means a real request would look something like:

GET /api/widgets/12345 HTTP/1.1
Host: localhost:8080
Authorization: Basic am9obkBzbWl0aC5jb206MTIzNDU2Nw==
Cache-Control: no-cache
In the above example the username is john@smith.com and the password is 1234567: Base64-decoding the header value gives john@smith.com:1234567, which shows how easily the credentials are recovered from an unencrypted request.
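To make the header format and the "encoded, not encrypted" point concrete, here is an added example (not code from the original page or from Tyk) that builds and parses a Basic Authorization header and checks the recovered credentials against a store of salted password hashes. The sample user john@smith.com with password 1234567 matches the request shown above; the credential store, the PBKDF2 parameters and the function names are assumptions chosen for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample credentials, the same pair encoded in the request above.
SAMPLE_USER = "john@smith.com"
SAMPLE_PASSWORD = "1234567"


def build_basic_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(username:password)."""
    if ":" in username:
        # RFC 7617 forbids ':' in the user-id; the first ':' is the separator.
        raise ValueError("user-id must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password), or None if malformed.

    The scheme token is case-insensitive and only the first ':' separates
    user from password, so passwords may themselves contain colons.
    """
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the API owner stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def authenticate(header_value: Optional[str],
                 store: Dict[str, Tuple[bytes, bytes]]) -> Optional[str]:
    """Return the authenticated username, or None when the request is rejected."""
    if header_value is None:
        return None
    creds = parse_basic_header(header_value)
    if creds is None:
        return None
    user, password = creds
    record = store.get(user)
    # Run the KDF even for unknown users so a lookup miss costs the same as a bad password.
    salt, expected = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
    _, actual = hash_password(password, salt)
    if record is not None and hmac.compare_digest(actual, expected):
        return user
    return None


def demo_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed credential store holding only the sample user."""
    return {SAMPLE_USER: hash_password(SAMPLE_PASSWORD)}


if __name__ == "__main__":
    header = build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("Authorization:", header)
    print("decoded      :", parse_basic_header(header))
    print("authenticated:", authenticate(header, demo_store()))
```

Note that parse_basic_header recovers the password with nothing more than a Base64 decode, which is exactly why the header must only travel over TLS; on the server side the comparison is against a salted hash using a constant-time compare, so a leaked store does not yield plaintext passwords.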
Tyk supports using basic authentication as an access key in the same way as any other access method.