How do I create a new basic auth user?

I’m attempting to create a new basic auth user using the undocumented dashboard api (please add docs!)

However, even though the user has access to an API via a policy, I’m not able to access that API. Can you please let me know what I’m doing wrong. All calls below:

$ curl -X POST[email protected] -H 'Authorization: eafe2167d76547777ec75a1f7dc5312a' -d '{"last_check":0,"allowance":1000,"rate":1000,"per":1,"expires":0,"quota_max":-1,"quota_renews":1491497420,"quota_remaining":0,"quota_renewal_rate":31104000,"access_rights":{"151222f37e7447f56df39b0f94b8dc14":{"api_id":"151222f37e7447f56df39b0f94b8dc14","api_name":"Login API","versions":["Default"]},"feda9795301d4f4e5f6992ae3a638dcd":{"api_id":"feda9795301d4f4e5f6992ae3a638dcd","api_name":"Portal","versions":["Default"]}},"apply_policy_id":"57058d630b79010001000009","tags":["newuser"],"jwt_data":{"secret":""},"meta_data":{},"basic_auth_data":{"password":"test123","hash_type":"bcrypt"}}'
{"api_model":{},"key_id":"","data":{"last_check":0,"allowance":1000,"rate":1000,"per":1,"expires":0,"quota_max":-1,"quota_renews":1491497420,"quota_remaining":0,"quota_renewal_rate":31104000,"access_rights":{"151222f37e7447f56df39b0f94b8dc14":{"api_name":"Login API","api_id":"151222f37e7447f56df39b0f94b8dc14","versions":["Default"],"allowed_urls":null},"feda9795301d4f4e5f6992ae3a638dcd":{"api_name":"Portal","api_id":"feda9795301d4f4e5f6992ae3a638dcd","versions":["Default"],"allowed_urls":null}},"org_id":"570534390b79010001000001","oauth_client_id":"","basic_auth_data":{"password":"test123","hash_type":"bcrypt"},"jwt_data":{"secret":""},"hmac_enabled":false,"hmac_string":"","is_inactive":false,"apply_policy_id":"57058d630b79010001000009","data_expires":0,"monitor":{"trigger_limits":null},"meta_data":{},"tags":["newuser"]}}

$ echo '[email protected]:test123' | base64

$ curl -H 'Authorization: Basic dGVzdEB0ZXN0LmNvbTp0ZXN0MTIzCg=='
    "error": "User not authorised"

$ curl -s -X GET -H 'Authorization: eafe2167d76547777ec75a1f7dc5312a' | python -mjson.tool | grep -E 'api_id|"listen_path"'
                "api_id": "1f7701e7f1c640017b8fd0d66fbac8a7",
                    "listen_path": "/portal-assets/",
                "api_id": "04401112703f49af4d9bd4c2172e8eb9",
                    "listen_path": "/portal-api/",
                "api_id": "feda9795301d4f4e5f6992ae3a638dcd",
                    "listen_path": "/portal/",
                "api_id": "151222f37e7447f56df39b0f94b8dc14",
                    "listen_path": "/login-api/",

$ curl -s -X GET -H 'Authorization: eafe2167d76547777ec75a1f7dc5312a' | python -mjson.tool
    "Data": [
            "_id": "57058d630b79010001000009",
            "access_rights": {
                "151222f37e7447f56df39b0f94b8dc14": {
                    "allowed_urls": [],
                    "apiid": "151222f37e7447f56df39b0f94b8dc14",
                    "apiname": "Login API",
                    "versions": [
            "active": true,
            "date_created": "0001-01-01T00:00:00Z",
            "hmac_enabled": false,
            "is_inactive": false,
            "key_expires_in": 0,
            "name": "Default API Policy",
            "org_id": "570534390b79010001000001",
            "per": 60,
            "quota_max": -1,
            "quota_renewal_rate": 60,
            "rate": 1000,
            "tags": []
    "Pages": 0

Almost there :slight_smile:

  1. The dashboard API is documented here:

  1. Specifically key creation (basic auth tokens are a special case of key, and mysteriously undocumented - will add that to our todo list):

The object you are sending is wrong to create the key, you need to send a standard object, what you are sending is what the API returns on a key request:

	"last_check": 0,
	"allowance": 1000,
	"rate": 1000,
	"per": 1,
	"expires": 1460411319,
	"quota_max": -1,
	"quota_renews": 1460405379,
	"quota_remaining": 0,
	"quota_renewal_rate": 60,
	"access_rights": {
		"4f32eb942128475f4f76fe3e3bc34e16": {
			"api_id": "4f32eb942128475f4f76fe3e3bc34e16",
			"api_name": "Test",
			"versions": ["Default"]
	"apply_policy_id": "5654566b30c55e3904000003",
	"tags": [],
	"jwt_data": {
		"secret": ""
	"meta_data": {},
	"basic_auth_data": {
		"password": "test123"

Thanks for the update. I was able to create a key with the updated body. Since this is basic auth, what would I use for the username?

Whatever you like - with basic auth you are basically creating a custom token, so long as it is unique to your organisation it’s acceptable.

Sorry, I don’t think I was clear on my question. Is there another endpoint where I need to create the user and this is just their token? If so, how do I connect this key to a specific user?

If not, how to I specify the username within the POST to /api/keys?

I tried adding username to basic_auth_data like so:

and so:

neither let me access the api using:

curl -H 'Authorization: Basic dGVzdEB0ZXN0LmNvbTp0ZXN0MTIzCg=='

Ah, since it’s a custom token you just post to the username:


There is no concept of a “user”, a user, in the basic auth sense, is just a token with a password that runs through a specific auth type handler.

The only other concepts of users in the dashboard are administrators (the user that is using the dashboard) and developers - the ones that use the developer portal.

This is mentioned in the section on Basic Auth, but isn’t clear enough (nor in the right section):

A note on creating basic auth keys

Basic authentication keys are not created the same way as other keys, since the key ID is not generated by the system a basic auth key cannot use the /tyk/keys/create endpoint, and instead should POST to /tyk/keys/{username}, this will ADD a key to the system. Subsequent requests will overwrite this entry, sending a PUT request will update the entry.

Anyway, we’ll fill out those docs to make them more useful for people using basic auth.

Ah, thanks for that info.

We’re planning on using TIB as a proxy to our auth service in production but just figured basic would be quickest to get a demo up and running, haha, guess I should have chosen OAuth

Quickest would be a simple bearer token - OAuth can be tricky :wink:

We’re here to help, so just drop us a post if you’re lost. We’ve already add the basic auth docs to the site.

Thanks for all the help Martin!