# Configure basic authentication Type of document: How-to guide Product: NGINX Gateway Fabric --- This page describes how to configure basic authentication in NGINX Gateway Fabric using the AuthenticationFilter custom resource definition (CRD). Authentication can be used to secure applications and APIs, ensuring only trusted and authorized users have access. By following these instructions, you will create two sample application endpoints. One will include basic authentication and the other will not, allowing you to review how each behaves. ## Before you begin - [Install](/ngf/install/) NGINX Gateway Fabric. ## Setup In this part of the document, we will set up several resources in your cluster to demonstrate usage of the AuthenticationFilter CRD. ## Deploy sample applications To deploy the `coffee` and `tea` applications, run the following YAML with `kubectl apply`: ```yaml kubectl apply -f - < ``` ## Create a user credentials secret and AuthenticationFilter Deploy a secret with user credentials, and the AuthenticationFilter by running the following YAML with `kubectl apply`: **Note:** Ensure the secret deployed is of type `nginx.org/htpasswd` and the key is `auth` ```yaml kubectl apply -f - < ``` ## Deploy a HTTPRoute referencing the AuthenticationFilter Deploy a HTTPRoute resource which references the AuthenticationFilter using the `ExtensionRef` filter type. In this example, the filter is applied to the `/coffee` path: run the following YAML with `kubectl apply` ```yaml kubectl apply -f - < ``` ## Verify Basic Authentication **Note:** Your clients should be able to resolve the domain name "cafe.example.com" to the public IP of the NGINX Service. This guide simulates it using curl's `--resolve` option. Accessing `/coffee` with valid credentials: ```shell curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee -u user1:password1 ``` Response: ```text Server address: 10.244.0.7:8080 Server name: coffee-654ddf664b-nhhvr Date: 06/Jan/2026:15:20:15 +0000 URI: /coffee Request ID: 13a925b2514b62c45ea4a79800248d5c ``` Accessing `/coffee` without credentials: ```shell curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee ``` Response: ```text 401 Authorization Required

401 Authorization Required


nginx
``` Accessing `/coffee` with incorrect credentials: ```shell curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee -u user1:wrong ``` Response: ```text 401 Authorization Required

401 Authorization Required


nginx
``` Accessing `/tea` Since tea has no AuthenticationFilter attached, responses are processed normally: ```shell curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/tea ``` Response: ```text Server address: 10.244.0.10:8080 Server name: tea-75bc9f4b6d-ms2n8 Date: 06/Jan/2026:15:36:26 +0000 URI: /tea Request ID: c7eb0509303de1c160cb7e7d2ac1d99f ``` ## Troubleshooting - Ensure the HTTPRoute is Accepted and references the correct AuthenticationFilter name and group. - Confirm the secret key is named `auth` and is of type `nginx.org/htpasswd`. - Ensure the secret referenced by the AuthenticationFilter is in the same namespace. ## Further reading - [Example deployment files for AuthenticationFilter](https://github.com/nginx/nginx-gateway-fabric/tree/main/examples/basic-authentication) - [NGINX HTTP Basic Auth Module](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html)