Basic Auth Policy

The Basic Authentication policy allows you to authenticate incoming requests using the Basic authentication standard. You can configure multiple accounts with different passwords and a different bucket of user 'data'.

The API will expect a Basic Auth header (you can generate samples here). Requests with invalid credentials (or no header) will not be authenticated. Authenticated requests will populate the user property of the ZuploRequest parameter on your RequestHandler.


The configuration shows how to configure the policy in the 'policies.json' document.

{ "name": "my-basic-auth-inbound-policy", "policyType": "basic-auth-inbound", "handler": { "export": "BasicAuthInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "accounts": [ { "data": { "name": "John Doe", "email": "john.doe@gmail.com" }, "password": "$env(ACCOUNT_JOHN_PASSWORD)", "username": "$env(ACCOUNT_JOHN_USERNAME)" } ], "allowUnauthenticatedRequests": false } } }

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be basic-auth-inbound.
  • handler.export <string> - The name of the exported type. Value should be BasicAuthInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • accounts <object[]> (Required) -
    An array of account objects (username, password and data properties).
    • username <string> (Required) -
      The username for the account (this will be the `sub` property on `request.user`.
    • password <string> (Required) -
      The password for the account - note we recommend storing this in environment variables.
    • data <object> -
      The data payload you want associated with this account (this will be the `data` property on `request.user`).
  • allowUnauthenticatedRequests <boolean> -
    If 'true' allows the request to continue even if authenticated. When 'false' (the default) any unauthenticated request is automatically rejected with a 401.
    Defaults to false.

Using the Policy

Read more about how policies work

Curity Phantom Token Auth