Flow action auth

The auth action implements HTTP basic authentication between the client and FIT.


An auth Action contains a list of user elements which have the following attributes:

  • pass="..." to define a password (required, must not be empty)
  • name="..." to define a username (optional, defaults to the empty string)


If the client has not sent authentication credentials, a 401 Authentication required status is returned. In a subsequent request with credentials matching a configured user, the action does not halt the flow.

The auth action is useful to protect sites under development.

HTTP basic auth does not provide strong protection, as no encryption is used. You should only use it on HTTPS connections. (See also force-client-https security setting).


  <user pass="top secret" />

  <user name="fred" pass="wilma" />
  <!-- repeated user is ignored -->
  <user name="fred" pass="betty" />

Note that only the first match is evaluated if user names are repeated.


System administrators may configure auth credentials for debug logging in fit.ini. This, too, makes use of HTTP basic auth and therefore interferes with this action. Thus, debugging a site with an auth action will always lead to 401 responses, because the client cannot send credentials for both debug and site.

You can workaround this by adding a condition to the auth action:

  <auth if="not(request/debug)">
    <user name="fred" pass="wilma" />

  <default-request />
  <parse />


The following cases are considered fatal and will terminate the request:

  • the action has no user element
  • a user has no pass attribute