Basic Authentication User Attribution


The basic authentication method uses the Authorization header to transmit user credentials, such as the user ID and password. These credentials are encoded using Base64, and the encoded string is sent in the Authorization header of an API request, which allows Traceable to identify the user from the credentials. When you select this method, Traceable uses the Authorization header of the API request by default and attributes the request to the user ID.

What will you learn in this topic?

By the end of this topic, you will understand:

  • How Basic Authentication user attribution works and why it is important for identifying API consumers.

  • How to configure user attribution by defining scope, conditions, and value transformations.

  • How to validate and preview extracted user identities before applying the configuration in your environment.


Understand basic authentication user attribution

Basic authentication user attribution helps you identify who is accessing your APIs by decoding credentials in the Authorization header. It connects each request to a specific user, improving visibility, accountability, and threat analysis. The table below explains why you use it, when it applies, and how you can leverage it.

| Why use it? | When to use? | How can you leverage it? |
|---|---|---|
| You gain clear visibility into who is making API calls and ensure consistent user identification by decoding Base64-encoded credentials from the Authorization header. This helps you move from anonymous traffic to user-level insights, improving observability and accountability across your APIs. | You use this when your application relies on Basic Authentication (username/password), especially in legacy or internal systems where token-based methods like JWT are not implemented, and credentials are consistently passed in request headers. | You attribute each API request to a specific user to strengthen monitoring, auditing, and compliance. You correlate user activity with anomalies and security events, detect misuse faster, and apply conditions and transformations (such as Base64 decoding and regex extraction) to accurately extract, validate, preview, and enforce user attribution rules. |


Steps to configure

To configure basic authentication, complete the following steps:

Step 1 — Define the authentication scope

  1. Specify the Name.

  2. (Optional) Specify a Description for the configuration.

  3. Select the Environment in which you wish to apply the configuration.

  4. Select the Services on which Traceable should apply the configuration. You can select all or specific services from the drop-down list based on your requirements.

  5. (Optional) Specify the URL Regex if you wish to provide a granular scope for user attribution.

  6. Click Next.

[Figure: Configure User Attribution Basic Scheme]

Note

Traceable shows a preview upon rule configuration in the next step.

Step 2 — Define the authentication attributes

  1. (Optional) Select the checkbox if you wish to Obfuscate the user ID value post-attribution within the platform.

  2. (Optional) Click + Add Condition, then select and specify the location, key, operator, and value to use when Traceable checks spans for a match. If a span satisfies the condition, Traceable further evaluates the remaining configurations.

  3. Select the Location and specify the key that Traceable can use to find the user ID. While Traceable specifies this configuration by default using commonly used values, you can modify it to suit your requirements.

  4. (Optional) Click + Add Value Transformation to add either of the following custom transformations:

    • Regex Capture Group — This transformation enables you to extract specific parts of a string or value that match the pattern you define.

    • Base64 Decoder — This transformation enables you to convert encoded Base64 data back to its decoded or original format.

    While Traceable pre-adds some default transformations, you can add custom transformations. Traceable evaluates these transformations in order, from top to bottom.

    Note

    While you can modify the values, if any, in the pre-added transformations, you cannot reorder them. You can only reorder custom transformations according to your requirements.

  5. Click Reload in the Preview Attributes section on the right. After the reload, click Generate Preview to view the User ID that Traceable extracted. You can also click View Details to see the values returned corresponding to each attribute you configured above.

  6. Click Submit.

[Figure: User Attribution Basic Scheme Attribute Definition]


Demo

The following interactive demo shows how to configure basic authentication for extracting the user ID. For example, if the header is Authorization: Basic am9obi5kb2VAZ21haWwuY29tOmpvaG4uZG9lLnNlY3JldA==, then upon evaluation, Traceable returns john.doe@gmail.com as the User ID.

Note

The above header is for reference purposes only.
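
The ordered transformation chain from Step 2 (Regex Capture Group, Base64 Decoder, Regex Capture Group), applied to the reference header above. This is an added example, not Traceable's own code: the regex patterns, the function names, and the use of SHA-256 as a stand-in for the Obfuscate option are assumptions, since the page does not list the default patterns or the obfuscation method.

```python
import base64
import binascii
import hashlib
import re
from typing import Callable, List, Optional

Transform = Callable[[str], Optional[str]]

def regex_capture(pattern: str, flags: int = 0) -> Transform:
    """Build a transformation that returns capture group 1, or None on no match."""
    compiled = re.compile(pattern, flags)
    def apply(value: str) -> Optional[str]:
        match = compiled.search(value)
        return match.group(1) if match else None
    return apply

def base64_decode(value: str) -> Optional[str]:
    """Strict Base64 decode; malformed input yields None instead of a guessed value."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

# Assumed chain, evaluated top to bottom as the page describes.
BASIC_CHAIN: List[Transform] = [
    regex_capture(r"^Basic\s+(\S+)\s*$", re.IGNORECASE),  # scheme name is case-insensitive
    base64_decode,                                        # yields "user-id:password"
    regex_capture(r"^([^:]+):"),  # user ID ends at the FIRST colon (RFC 7617);
]                                 # the password part is never returned or stored

def attribute_user(header_value: str, obfuscate: bool = False) -> Optional[str]:
    """Return the user ID for an Authorization header value, or None if not attributable."""
    value: Optional[str] = header_value
    for transform in BASIC_CHAIN:
        value = transform(value)
        if value is None:  # wrong scheme, bad Base64, or empty user ID
            return None
    if obfuscate:
        # Stand-in for the Obfuscate checkbox: stable pseudonym, no clear-text ID.
        return hashlib.sha256(value.encode("utf-8")).hexdigest()
    return value

if __name__ == "__main__":
    # Reference header value from the Demo section.
    print(attribute_user("Basic am9obi5kb2VAZ21haWwuY29tOmpvaG4uZG9lLnNlY3JldA=="))
```

Requests with another scheme, invalid Base64, or an empty user ID return None, so they stay unattributed rather than being assigned a wrong identity.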