---
title: "Basic Authentication User Attribution"
slug: "basic-authentication-user-attribution"
description: "Configure Basic Authentication user attribution to extract user IDs from headers and improve API visibility and monitoring."
updated: 2026-03-23T07:56:33Z
published: 2026-03-23T07:56:33Z
---


# Basic Authentication User Attribution

The basic authentication method uses the `Authorization` header of an API request to transmit user credentials, such as the user ID and password, encoded using *Base64*. Traceable decodes this string to identify the user. When you select this method, Traceable uses the `Authorization` header by default and attributes the request to the user ID.

## What will you learn in this topic?

By the end of this topic, you will understand:

- How Basic Authentication user attribution works and why it is important for identifying API consumers.
- How to configure user attribution by defining scope, conditions, and value transformations.
- How to validate and preview extracted user identities before applying the configuration in your environment.

---

## Understand basic authentication user attribution

Basic authentication user attribution helps you identify who is accessing your APIs by decoding credentials in the Authorization header. It connects each request to a specific user, improving visibility, accountability, and threat analysis. The table below explains why you use it, when it applies, and how you can leverage it.

| Why use it? | When to use? | How can you leverage it? |
| --- | --- | --- |
| You gain clear visibility into who is making API calls and ensure consistent user identification by decoding Base64-encoded credentials from the Authorization header. This helps you move from anonymous traffic to user-level insights, improving observability and accountability across your APIs. | You use this when your application relies on Basic Authentication (username/password), especially in legacy or internal systems where token-based methods like JWT are not implemented, and credentials are consistently passed in request headers. | You attribute each API request to a specific user to strengthen monitoring, auditing, and compliance. You correlate user activity with anomalies and security events, detect misuse faster, and apply conditions and transformations (such as Base64 decoding and regex extraction) to accurately extract, validate, preview, and enforce user attribution rules. |

---

## Steps to configure

To configure basic authentication, complete the following steps:

### Step 1 — Define the authentication scope

1. Specify the **Name**.
2. (Optional) Specify a **Description** for the configuration.
3. Select the **Environment** in which you wish to apply the configuration.
4. Select the **Services** on which Traceable should apply the configuration. You can select all or specific services from the drop-down list based on your requirements.
5. (Optional) Specify the **URL Regex** if you wish to provide a granular scope for user attribution.
6. Click **Next**.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_user_attribution_basic_auth_Define_Scope_window(1).png)

Configure User Attribution Basic Scheme

> [!NOTE]
> Traceable shows a preview upon rule configuration in the next step.

### Step 2 — Define the authentication attributes

1. (Optional) Select the checkbox if you wish to **Obfuscate** the user ID value within the platform after attribution.
2. (Optional) Click **+ Add Condition**, then select and specify the location, key, operator, and value to use when Traceable checks spans for a match. If a span satisfies the condition, Traceable evaluates the remaining configurations.
3. Select the **Location** and specify the key that Traceable can use to find the user ID. While Traceable specifies this configuration by default using commonly used values, you can modify it to suit your requirements.
4. (Optional) Click **+ Add Value Transformation** to add either of the following custom transformations:
   - **Regex Capture Group** — This transformation enables you to extract specific parts of a string or value that match the pattern you define.
   - **Base64 Decoder** — This transformation enables you to convert encoded Base64 data back to its decoded or original format.

   While Traceable pre-adds some default transformations, you can add custom transformations. Traceable evaluates these transformations in order, from top to bottom.

   > [!NOTE]
   > While you can modify the values, if any, in the pre-added transformations, you cannot reorder them. You can only reorder custom transformations according to your requirements.
5. Click **Reload** in the **Preview Attributes** section on the right. After the reload, click **Generate Preview** to view the **User ID** that Traceable extracted. You can also click **View Details** to see the values returned corresponding to each attribute you configured above.
6. Click **Submit**.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_user_attribution_basic_scheme_window_define_scope(1)(1).png)

User Attribution Basic Scheme Attribute Definition

---

## Demo

The following interactive demo shows how to configure basic authentication for extracting the user ID. For example, given the header `Authorization: Basic am9obi5kb2VAZ21haWwuY29tOmpvaG4uZG9lLnNlY3JldA==`, Traceable returns `john.doe@gmail.com` as the **User ID** upon evaluation.

> [!NOTE]
> The above header is for reference purposes only.

[Embedded content](https://demo.arcade.software/gvTBKfOM4qwFJXLSzdgg)
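
The evaluation described above, written out as an ordered transformation chain (regex capture, Base64 decode, regex capture) that also covers headers that cannot be attributed. This is an added example, not Traceable's code; the two regex patterns and the names `attribute_user`, `apply_transform`, and `basic_header` are assumptions.

```python
import base64
import binascii
import re

# Ordered chain, evaluated top to bottom as described in Step 2.
# Both regex patterns are assumptions; the page does not list Traceable's defaults.
TRANSFORMS = [
    ("regex", r"(?i)^basic +([a-z0-9+/]+={0,2})$"),  # keep only the Base64 token
    ("base64", None),                                 # decode to "user-id:password"
    ("regex", r"^([^:]+):"),                          # keep text before the first colon
]


def apply_transform(kind, pattern, value):
    """Apply one transformation; return None when the value does not fit."""
    if kind == "regex":
        match = re.search(pattern, value)
        return match.group(1) if match else None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def attribute_user(headers):
    """Return the user ID for a request, or None if it cannot be attributed."""
    value = next((v.strip() for k, v in headers.items() if k.lower() == "authorization"), None)
    for kind, pattern in TRANSFORMS:
        if value is None:
            return None
        value = apply_transform(kind, pattern, value)
    return value  # the password half of the decoded pair is never returned


def basic_header(user, password):
    """Build a constructed Authorization header for the samples below."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    samples = [
        {"Authorization": "Basic am9obi5kb2VAZ21haWwuY29tOmpvaG4uZG9lLnNlY3JldA=="},  # from the page
        basic_header("svc-batch", "p:w:d"),       # constructed: colons in the password
        {"authorization": "Bearer abc.def.ghi"},  # constructed: not Basic
        {"Authorization": "Basic not*base64"},    # constructed: malformed token
    ]
    for headers in samples:
        print(attribute_user(headers))
```

Because the decoded value contains the password, only the captured user ID leaves `attribute_user`; the intermediate string should not be logged or stored.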

Obfuscation is the alteration of sensitive data so that its original value is concealed while it retains a format that is valid or similar to the original. This enables the data to be used for analysis and testing without exposing the original value.
