Basic Authentication Plugin

The Basic Authentication plugin adds username and password protection to your APIs. Give it a try and discuss it here!

Basic Authentication plugin documentation

Hi Guys, is it possible to update credentials (username or password) without needing to delete a consumer?

@QiQe_Garbi Hi,

Definitely. The Admin API follows RESTful practices; the following endpoint accepts GET as well as PATCH requests:

/consumers/{consumer id or username}/basic-auth/{credential username or id}


$ curl -X PATCH \
  --url http://kong:8001/consumers/bob/basic-auth/55283d7e-dc92-11e7-b1fe-0fb516a46133 \
  -d "username=alice" \
  -d "password=new_password"

Thanks @thibaultcha , I was trying the same but with a missing consumer at the end. Is that info in your docs? I couldn’t find it

Hi @QiQe_Garbi - indeed you noticed that our docs at don’t explicitly describe PATCHing - sorry about that!

We welcome Pull Requests to improve Kong’s documentation - see

Is there a way to configure a service to use basic auth on downstreams only? For example, you may want integrate an API that uses basic auth with kong but avoid using basic auth in the exposed service in kong. This way:

  1. API endpoint has basic auth already enabled
  2. Create a Kong service at that proxies request with basic auth
  3. Optionally, create consumers and secure the kong service with any kind of authentication (even none).

Hi @gentunian - I think you may be getting no replies on your post because it is hard to understand what problem you are trying to solve (I know I can’t understand it!). Can you try to clarify?

hey there @Cooper, thanks for the suggestion.

I was wondering if it was possible to use basic auth plugin only in the forwarding request to the APIs endpoints. I will try to clarify:


This way, kong service is using basic auth only on downstreams and using any auth up front.


To consume/use the API you will do something like:

curl -H 'Authorizaction: Basic Ajasfualshfna='

Now, you want to use your API through Kong and possibly with another auth or maybe just none. That would be:

# use kong with key-auth plugin and kong will check the
# consumer api key for that service and then proxy the request
# to the API with the adequate Authorization header.

curl -H 'My-Key: jehOahYd821Asna'

Something like:


It seems to me like you are describing the use case solved by this plugin:

I hope it answers addresses your use-case :slight_smile:

PS: This plugin is maintained by a community member, so if you have issues or questions with it, please open an issue in the repository, as there is nothing we can do to assist.

thanks @thibaultcha seems that also it could be done with request transformer plugin