Configuration

Basic auth

Protect any HTTP endpoint with one or more username/password pairs.

Basic auth challenges happen at the LocalCan proxy or tunnel layer — your local app never sees a request unless the credentials match.

Short syntax

YAML

endpoints:
  - provider: localcan
    basic_auth:
      - "preview:demo123"
      - "qa:nightly456"

Each string is username:password. The first colon separates them, so passwords may contain colons.

Long syntax

Use the long form when you want to disable a credential without removing it:

YAML

endpoints:
  - provider: localcan
    basic_auth:
      - username: preview
        password: demo123
      - username: qa
        password: nightly456
        enabled: false

Key	Type	Default	Notes
`username`	string	—	Required.
`password`	string	—	Required.
`enabled`	bool	`true`	Disable a credential without deleting it.

How matching works

A request is allowed if any enabled credential matches the Authorization: Basic … header the client sent. Any number of credentials can coexist on the same endpoint, which is handy for sharing a tunnel with multiple stakeholders without juggling a single shared password.

If no basic_auth block is present, the endpoint is open. If the block is present but every entry is disabled, every request is rejected with 401 Unauthorized.

⚠️Warning — Don't reuse a real production password here. Tunnel URLs aren't secret and the credential lives in plaintext in your project file.

💡Tip — Pair this with a Host header rewrite when previewing a SaaS app for a client. They get a stable URL behind a password and your local app sees its production hostname.