Skip to main content

Version: 3.10.x

a7-plugin-basic-auth

Overview

The basic-auth plugin authenticates requests using HTTP Basic Authentication (RFC 7617). Consumers register a username and password. Clients send credentials in the Authorization: Basic <base64> header. API7 EE decodes and validates against consumer credentials, then forwards the request with consumer identity headers.

When to Use

  • Simple username/password authentication for APIs
  • Quick protection for internal or development APIs
  • Integration with tools that natively support HTTP Basic Auth (browsers, curl, Postman)

Plugin Configuration Reference (Route/Service)

FieldTypeRequiredDefaultDescription
hide_credentialsbooleanNofalseRemove Authorization header before forwarding upstream
anonymous_consumerstringNoConsumer username for unauthenticated requests
realmstringNo"basic"Realm in WWW-Authenticate response header on 401

Consumer Credential Reference

FieldTypeRequiredDescription
usernamestringYesUnique username for the consumer
passwordstringYesPassword for the consumer. Auto-encrypted in the database.

Step-by-Step: Enable basic-auth on a Route

1. Create a consumer

a7 consumer create -g default -f - <<'EOF'
{
"username": "alice"
}
EOF

2. Add basic-auth credential

curl -k "https://$(a7 context current -o json | jq -r .server):7443/apisix/admin/consumers/alice/credentials" \
-X PUT \
-H "X-API-KEY: $(a7 context current -o json | jq -r .token)" \
-d '{
"id": "cred-alice-basic-auth",
"plugins": {
"basic-auth": {
"username": "alice",
"password": "alice-password-123"
}
}
}'

3. Create a route with basic-auth enabled

a7 route create -g default -f - <<'EOF'
{
"id": "basic-protected",
"uri": "/api/*",
"plugins": {
"basic-auth": {}
},
"upstream": {
"type": "roundrobin",
"nodes": [{"host": "backend", "port": 8080, "weight": 1}]
}
}
EOF

4. Verify authentication

# Using curl -u flag (sends Authorization: Basic header)
curl -i http://127.0.0.1:9080/api/users -u alice:alice-password-123

# Using explicit header (base64 of "alice:alice-password-123")
curl -i http://127.0.0.1:9080/api/users \
-H "Authorization: Basic YWxpY2U6YWxpY2UtcGFzc3dvcmQtMTIz"

# Should fail (401)
curl -i http://127.0.0.1:9080/api/users

Common Patterns

Hide credentials from upstream

{
"plugins": {
"basic-auth": {
"hide_credentials": true
}
}
}

The Authorization header is stripped before reaching the backend. Always enable this in production to prevent credential leakage.

Anonymous consumer with rate limiting

a7 consumer create -g default -f - <<'EOF'
{
"username": "anonymous",
"plugins": {
"limit-count": {
"count": 10,
"time_window": 60,
"rejected_code": 429
}
}
}
EOF
{
"plugins": {
"basic-auth": {
"anonymous_consumer": "anonymous"
}
}
}

Requests with valid credentials → authenticated consumer. Requests without credentials → anonymous consumer with rate limits.

Headers Added to Upstream

HeaderValue
X-Consumer-UsernameConsumer's username
X-Credential-IdentifierCredential ID
X-Consumer-Custom-IdConsumer's labels.custom_id (if set)
AuthorizationOriginal header (unless hide_credentials: true)

Troubleshooting

SymptomCauseFix
401 UnauthorizedMissing or wrong credentialsCheck username/password; ensure base64 encoding is correct
Credentials visible in upstream logshide_credentials is falseSet hide_credentials: true
Browser not prompting login dialogMissing WWW-Authenticate headerVerify plugin is enabled; check realm setting
Anonymous users not workinganonymous_consumer not setCreate consumer and set the field on the route plugin

Config Sync Example

version: "1"
gateway_groups:
- name: default
consumers:
- username: alice
routes:
- id: basic-protected
uri: /api/*
plugins:
basic-auth: {}
upstream:
type: roundrobin
nodes:
- host: backend
port: 8080
weight: 1

Note: Consumer credentials (username/password) must be created separately via the Admin API; a7 config sync manages the consumer resource but credentials are sub-resources.


This page is generated from a7-plugin-basic-auth/SKILL.md in the api7/a7 repository. Browse all skills on the AI Agent Skills page.

API7.ai Logo

The digital world is connected by APIs,
API7.ai exists to make APIs more efficient, reliable, and secure.

Sign up for API7 newsletter

Product

API7 Gateway

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2026. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation