Authentication

Basic Auth Policy

The Basic Authentication policy allows you to authenticate incoming requests using the Basic authentication standard. You can configure multiple accounts with different passwords and a different bucket of user 'data'.

The API will expect a Basic Auth header (you can generate samples using this tool). Requests with invalid credentials (or no header) will not be authenticated. Authenticated requests will populate the user property of the ZuploRequest parameter on your RequestHandler.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.


config/policies.json
{
  "name": "my-basic-auth-inbound-policy",
  "policyType": "basic-auth-inbound",
  "handler": {
    "export": "BasicAuthInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "accounts": [
        {
          "data": {
            "name": "John Doe",
            "email": "john.doe@gmail.com"
          },
          "password": "$env(ACCOUNT_JOHN_PASSWORD)",
          "username": "$env(ACCOUNT_JOHN_USERNAME)"
        }
      ],
      "allowUnauthenticatedRequests": false
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.
policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be basic-auth-inbound.
handler.export <string> - The name of the exported type. Value should be BasicAuthInboundPolicy.
handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

accounts (required) <object[]> - An array of account objects (username, password and data properties).
- username (required) <string> - The username for the account (this will be the sub property on request.user.
- password (required) <string> - The password for the account - note we recommend storing this in environment variables.
- data <object> - The data payload you want associated with this account (this will be the data property on request.user).
allowUnauthenticatedRequests <boolean> - If 'true' allows the request to continue even if authenticated. When 'false' (the default) any unauthenticated request is automatically rejected with a 401. Defaults to false.

Using the Policy

Read more about how policies work

Edit this page

Last modified on June 26, 2026

Curity Phantom Token Auth mTLS Auth

Basic Auth Policy

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

config/policies.json

{
  "name": "my-basic-auth-inbound-policy",
  "policyType": "basic-auth-inbound",
  "handler": {
    "export": "BasicAuthInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "accounts": [
        {
          "data": {
            "name": "John Doe",
            "email": "john.doe@gmail.com"
          },
          "password": "$env(ACCOUNT_JOHN_PASSWORD)",
          "username": "$env(ACCOUNT_JOHN_USERNAME)"
        }
      ],
      "allowUnauthenticatedRequests": false
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.

policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be basic-auth-inbound.

handler.export <string> - The name of the exported type. Value should be BasicAuthInboundPolicy.

handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).

handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

accounts (required) <object[]> - An array of account objects (username, password and data properties).

username (required) <string> - The username for the account (this will be the sub property on request.user.
password (required) <string> - The password for the account - note we recommend storing this in environment variables.
data <object> - The data payload you want associated with this account (this will be the data property on request.user).

allowUnauthenticatedRequests <boolean> - If 'true' allows the request to continue even if authenticated. When 'false' (the default) any unauthenticated request is automatically rejected with a 401. Defaults to false.