BasicAuthentication policy

This pageapplies toApigee andApigee hybrid.

View Apigee Edge documentation.

The BasicAuthentication policy enables you to use lightweightBasic Authentication for last-mile security. The policy takes a username and password, Base64 encodes them, and writes the resulting value to a variable. The resulting value is in the formBasicBase64EncodedString. You typically write this value to an HTTP header, such as theAuthorization header.

The policy has two modes of operations:

  • Encode: Base64 encodes a username and password stored in variables
  • Decode: Decodes the username and password from a Base64 encoded string

The username and password are commonly stored in the key/value store and then read from the key/value store at runtime. For details on using key/value store, see Key Value Map Operations policy.

This policy does not enforce Basic Authentication on a request to an API proxy. Instead, use it to encode/decode credentials as Base64, typically when connecting to a backend server or using a service callout policy, such as the Service Callout policy, that requires Basic Authentication.

Warning: Basic authentication does not provide confidentiality. Always send credentials over a TLS-enabled (HTTPS) connection to your backend service.

This policy is anExtensible policy and use of this policy might have cost or utilization implications, depending on your Apigee license. For information on policy types and usage implications, seePolicy types.

Samples

Outbound encoding

<BasicAuthentication name="ApplyBasicAuthHeader">   <DisplayName>ApplyBasicAuthHeader</DisplayName>   <Operation>Encode</Operation>   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>   <User ref="BasicAuth.credentials.username" />   <Password ref="BasicAuth.credentials.password" />   <AssignTo createNew="false">request.header.Authorization</AssignTo></BasicAuthentication>

In the sample policy configuration above, the username and password to be encoded are derived from the variables specified by theref attributes on the<User> and<Password> elements. The variables must be set before this policy executes. Typically, the variables are populated by values that are read from a key/value map. SeeKey Value Map Operations policy.

This configuration results in the HTTP header namedAuthorization, as specified by the<AssignTo> element, being added to the outbound request message sent to the backend server:

Authorization: Basic TXlVc2VybmFtZTpNeVBhc3N3b3Jk

The<User> and<Password> values are concatenated with a colon prior to Base64 encoding.

Consider that you have a key/value map with the following entry:

{  "encrypted" : true,  "entry" : [ {    "name" : "username",    "value" : "MyUsername  }, {    "name" : "password",    "value" : "MyPassword  } ],  "name" : "BasicAuthCredentials"}

Attach the following KeyValueMapOperations policies before the BasicAuthentication policy to be able to extract the values for your<User> and<Password> elements from the key/value store and populate them to the variablescredentials.username andcredentials.password.

<KeyValueMapOperationsname="getCredentials"mapIdentifier="BasicAuthCredentials"><Scope>apiproxy</Scope><GetassignTo="credentials.username"index='1'><Key><Parameter>username</Parameter></Key></Get><GetassignTo="credentials.password"index='1'><Key><Parameter>password</Parameter></Key></Get></KeyValueMapOperations>

Inbound decoding

<BasicAuthentication name="DecodeBaseAuthHeaders">   <DisplayName>Decode Basic Authentication Header</DisplayName>   <Operation>Decode</Operation>   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>   <User ref="request.header.username" />   <Password ref="request.header.password" />   <Source>request.header.Authorization</Source></BasicAuthentication>

In this policy sample, the policy decodes the username and password from theAuthorization HTTP header, as specified by the<Source> element. The Base64 encoded string must be in the formBasicBase64EncodedString.

The policy writes the decoded username to therequest.header.username variable and the decoded password to therequest.header.password variable.

Element reference

The element reference describes the elements and attributes of the BasicAuthentication policy.

<BasicAuthentication async="false" continueOnError="false" enabled="true" name="Basic-Authentication-1">   <DisplayName>Basic Authentication 1</DisplayName>   <Operation>Encode</Operation>   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>   <User ref="request.queryparam.username" />   <Password ref="request.queryparam.password" />   <AssignTo createNew="false">request.header.Authorization</AssignTo>   <Source>request.header.Authorization</Source></BasicAuthentication>

<BasicAuthentication> attributes

<BasicAuthentication async="false" continueOnError="false" enabled="true" name="Basic-Authentication-1">

The following table describes attributes that are common to all policy parent elements:

AttributeDescriptionDefaultPresence
name

The internal name of the policy. The value of thename attribute can contain letters, numbers, spaces, hyphens, underscores, and periods. This value cannot exceed 255 characters.

Optionally, use the<DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.

N/ARequired
continueOnError

Set tofalse to return an error when a policy fails. This is expected behavior for most policies.

Set totrue to have flow execution continue even after a policy fails. See also:

falseOptional
enabled

Set totrue to enforce the policy.

Set tofalse toturn off the policy. The policy will not be enforced even if it remains attached to a flow.

trueOptional
async

This attribute is deprecated.

falseDeprecated

<DisplayName> element

Use in addition to thename attribute to label the policy in the management UI proxy editor with a different, natural-language name.

<DisplayName>Policy Display Name</DisplayName>
Default

N/A

If you omit this element, the value of the policy'sname attribute is used.

PresenceOptional
TypeString

<Operation> element

Determines whether the policy Base64 encodes or decodes credentials.

<Operation>Encode</Operation>
Default:N/A
Presence:Required
Type:

String.

Valid values include:

  • Encode
  • Decode

<IgnoreUnresolvedVariables> element

When set totrue, the policy will not throw an error if a variable cannot be resolved. When used in the context of a BasicAuthentication policy, this setting is usually set tofalse because it is generally beneficial to throw an error if a username or password cannot be found in the variables specified.

<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
Default:true
Presence:Optional
Type:

Boolean

<User> element

  • For encoding, use the<User> element to specify the variable containing the username. Username and password values are concatenated with a colon prior to Base64 encoding.
  • For decoding, specify the variable where the decoded username is written.
<User ref="request.queryparam.username" />
Default:N/A
Presence:Required
Type:

N/A

Attributes

AttributeDescriptionDefaultPresence
ref

The variable from which the policy dynamically reads the username (encode) or writes the username (decode).

N/ARequired

<Password> element

  • For encoding, use the<Password> element to specify the variable containing the password.
  • For decoding, specify the variable where the decoded password is written.
<Password ref="request.queryparam.password" />
Default:N/A
Presence:Required
Type:

N/A

Attributes

AttributeDescriptionDefaultPresence
ref

The variable from which the policy dynamically reads the password (encode) or writes the password (decode).

N/ARequired

<AssignTo> element

Specifies the target variable to set with the encoded or decoded value generated by this policy.

The following example indicates that the policy should set theAuthorization header of the message to the generated value:

<AssignTo createNew="false">request.header.Authorization</AssignTo>
Default:N/A
Presence:Required
Type:

String

Attributes

AttributeDescriptionDefaultPresence
createNewDetermines whether the policy should overwrite the variable if the variable is already set.

When "false", the assignment to the variable occursonly if the variable is currently unset (null).

When "true", the assignment to the variable always occurs.

You typically set this attribute to "false" (the default).

falseOptional

<Source> element

For decoding, the variable containing the Base64 encoded string, in the formBasicBase64EncodedString. For example, specifyrequest.header.Authorization, corresponding to theAuthorization header.

<Source>request.header.Authorization</Source>
Default:N/A
Presence:Required for the Decode operation.
Type:

N/A

Flow variables

The following flow variable is set when the policy fails:

  • BasicAuthentication.{policy_name}.failed (with a value of true)
Note: If you see variables calledBasicAuthentication.{policy_name}.fault.cause andBasicAuthentication.{policy_name}.fault.name, they are not currently being used by Apigee.

Error reference

This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle errors. To learn more, seeWhat you need to know about policy errors andHandling faults.

Runtime errors

These errors can occur when the policy executes.

Fault codeHTTP statusCauseFix
steps.basicauthentication.InvalidBasicAuthenticationSource500On a decode when the incomingBase64 encoded string does not contain a valid value or the header is malformed (for example, does not start withBasic).
steps.basicauthentication.UnresolvedVariable500The required source variables for the decode or encode are not present. This error can only occur ifIgnoreUnresolvedVariables is false.

Deployment errors

These errors can occur when you deploy a proxy containing this policy.

Error nameOccurs whenFix
UserNameRequiredThe<User> element must be present for the named operation.
PasswordRequiredThe<Password> element must be present for the named operation.
AssignToRequiredThe<AssignTo> element must be present for the named operation.
SourceRequiredThe<Source> element must be present for the named operation.

Fault variables

These variables are set when a runtime error occurs. For more information, seeWhat you need to know about policy errors.

VariablesWhereExample
fault.name="fault_name"fault_name is the name of the fault, as listed in theRuntime errors table above. The fault name is the last part of the fault code.fault.name Matches "UnresolvedVariable"
BasicAuthentication.policy_name.failedpolicy_name is the user-specified name of the policy that threw the fault.BasicAuthentication.BA-Authenticate.failed = true

Example error response

Note: For error handling, the best practice is to trap theerrorcode part of the error response. Do not rely on the text in thefaultstring, because it could change.
{"fault":{"detail":{"errorcode":"steps.basicauthentication.UnresolvedVariable"},"faultstring":"Unresolved variable : request.queryparam.password"}}

Example fault rule

<FaultRule name="Basic Authentication Faults">    <Step>        <Name>AM-UnresolvedVariable</Name>        <Condition>(fault.name Matches "UnresolvedVariable") </Condition>    </Step>    <Step>        <Name>AM-AuthFailedResponse</Name>        <Condition>(fault.name = "InvalidBasicAuthenticationSource")</Condition>    </Step>    <Condition>(BasicAuthentication.BA-Authentication.failed = true) </Condition></FaultRule>

Schemas

Sample: See ourGitHub repository samples for the most recent schemas.

Related topics

Key Value Map Operations policy

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.