# Protect your Function with Basic Auth

> \[!WARNING]
>
> This example uses headers and cookies, which are only accessible when your Function is running `@twilio/runtime-handler` version `1.2.0` or later. Consult the [Runtime Handler guide](/docs/serverless/functions-assets/handler) to learn more about the latest version and how to update.

When protecting your public Functions, and any sensitive data that they can expose, from unwanted requests and bad actors, it is important to consider some form of [authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) to validate that only intended users are making requests. In this example, we'll be covering one of the most common forms of authentication: [Basic Authentication](/docs/glossary/what-is-basic-authentication).

If you want to learn an alternative approach, you can also see this example of [using JWT for authentication](/docs/serverless/functions-assets/quickstart/json-web-token).

Let's create a Function that will only accept requests with valid Basic Authentication, and reject all other traffic.

## Create and host a Function

Before you run any of the examples on this page, create a Function and paste the example code into it. You can create a Function in the Twilio Console or by using the [Serverless Toolkit](/docs/labs/serverless-toolkit).

## Console

If you prefer a UI-driven approach, complete these steps in the Twilio Console:

1. Log in to the [Twilio Console](https://1console.twilio.com) and navigate to **Develop > Functions & Assets**. If you're using the *legacy* Console, open the [**Functions** tab](https://www.twilio.com/console/functions/overview).
2. Functions are contained within **Services**. Click **[Create Service](https://www.twilio.com/console/functions/overview/services)** to create a new **[Service](/docs/serverless/functions-assets/functions/create-service)**.
3. Click **Add +** and select **Add Function** from the dropdown.
4. The Console creates a new [protected](/docs/serverless/functions-assets/visibility) Function that you can rename. The filename becomes the URL path of the Function.
5. Copy one of the example code snippets from this page and paste the code into your newly created Function. You can switch examples by using the dropdown menu in the code rail.
6. Click **Save**.
7. Click **Deploy All** to build and deploy the Function. After deployment, you can access your Function at `https://<service-name>-<random-characters>-<optional-domain-suffix>.twil.io/<function-path>`\
   For example: `test-function-3548.twil.io/hello-world`.

## Serverless Toolkit

The [Serverless Toolkit](/docs/labs/serverless-toolkit) lets you develop locally, deploy projects, and perform other tasks through the [Twilio CLI](/docs/twilio-cli/quickstart).

1. From the CLI, run `twilio serverless:init <YOUR-SERVICE-NAME> --empty` to bootstrap your local environment.
2. Go to your new project directory using `cd <YOUR-SERVICE-NAME>`.
3. In the `/functions` directory, create a JavaScript file whose name reflects the purpose of the Function. For example, `sms-reply.protected.js` for a [protected](/docs/serverless/functions-assets/visibility) Function intended to handle incoming SMS.
4. Add the code example of your choice to the file and save it. Note that a Function can only export a single handler. You need to create separate files to run or deploy multiple examples at once.

After you save the Function code, you can test it locally (and optionally tunnel requests to it using a tool like [ngrok](https://ngrok.com/)), or deploy it.

### Run your Function in local development

Run `twilio serverless:start` from your CLI to start the project locally. The Function(s) in your project are accessible from `http://localhost:3000/sms-reply`

* If you want to test a Function as a [Twilio webhook](/docs/usage/webhooks/getting-started-twilio-webhooks), run: `twilio phone-numbers:update <your Twilio phone number> --sms-url "http://localhost:3000/sms-reply"`\
  This automatically generates an ngrok tunnel from Twilio to your locally running Function, so you can start sending texts to it. You can apply the same process but with the `voice-url` flag instead to test with [Twilio Voice](/docs/voice).
* If your code does *not* connect to Twilio Voice or Messages as a webhook, start your dev server and start an ngrok tunnel in the same command with the `ngrok` flag. For example: `twilio serverless:start --ngrok=""`

### Deploy your Function

To deploy your Function and have access to live url(s), run `twilio serverless:deploy` from your CLI. This deploys your Function(s) to Twilio under a development Environment by default, where they can be accessed from:

`https://<service-name>-<random-characters>-dev.twil.io/<function-path>`

For example: `https://incoming-sms-examples-3421-dev.twil.io/sms-reply`

You can now invoke your Function with HTTP requests, configure it as the [webhook](/docs/usage/webhooks/getting-started-twilio-webhooks) for a Twilio phone number, call it from a Twilio Studio [**Run Function** Widget](/docs/studio/widget-library/run-function), and more.

```js title="Authenticate Function requests using Basic Authorization"
exports.handler = (context, event, callback) => {
  // For the purpose of this example, we'll assume that the username and
  // password are hardcoded values. Feel free to set these as other values,
  // or better yet, use environment variables instead!
  const USERNAME = 'twilio';
  const PASSWORD = 'ahoy!';

  // Prepare a new Twilio response for the incoming request
  const response = new Twilio.Response();
  // Grab the standard HTTP Authorization header
  const authHeader = event.request.headers.authorization;

  // Reject requests that don't have an Authorization header
  if (!authHeader) return callback(null, setUnauthorized(response));

  // The auth type and credentials are separated by a space, split them
  const [authType, credentials] = authHeader.split(' ');
  // If the auth type doesn't match Basic, reject the request
  if (authType.toLowerCase() !== 'basic')
    return callback(null, setUnauthorized(response));

  // The credentials are a base64 encoded string of 'username:password',
  // decode and split them back into the username and password
  const [username, password] = Buffer.from(credentials, 'base64')
    .toString()
    .split(':');
  // If the username or password don't match the expected values, reject
  if (username !== USERNAME || password !== PASSWORD)
    return callback(null, setUnauthorized(response));

  // If we've made it this far, the request is authorized!
  // At this point, you could do whatever you want with the request.
  // For this example, we'll just return a 200 OK response.
  return callback(null, 'OK');
};

// Helper method to format the response as a 401 Unauthorized response
// with the appropriate headers and values
const setUnauthorized = (response) => {
  response
    .setBody('Unauthorized')
    .setStatusCode(401)
    .appendHeader(
      'WWW-Authenticate',
      'Basic realm="Authentication Required"'
    );

  return response;
};
```

## Configure your Function to require Basic Authentication

First, create a new `auth` [Service](/docs/serverless/functions-assets/functions/create-service) and add a **Public** `/basic` Function using the directions above.

Delete the default contents of the Function, and paste in the code snippet provided above.

Save the Function once it contains the new code.

> \[!NOTE]
>
> Remember to change the [visibility](/docs/serverless/functions-assets/visibility) of your new Function to be **Public**. By default, the Console UI will create new Functions as **Protected**, which will prevent access to your Function except by Twilio requests.

Next, deploy the Function by clicking on **Deploy All** in the Console UI.

## Verify that Basic Authentication is working

We can check that authentication is working first by sending an unauthenticated request to our deployed Function. You can get the URL of your Function by clicking the **Copy URL** button next to the Function.

Then, using your client of choice, make a `GET` or `POST` request to your Function. It should return a `401 Unauthorized` since the request contains no valid Authorization header.

```bash
curl -i -L -X POST 'https://auth-4173-dev.twil.io/basic'
```

Result:

```bash
$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/basic'

HTTP/2 401
date: Tue, 03 Aug 2021 21:55:02 GMT
content-type: application/octet-stream
content-length: 12
www-authenticate: Basic realm="Authentication Required"
x-shenanigans: none

Unauthorized
```

Great! Requests are successfully being blocked from non-authenticated requests.

To make an authenticated request and get back a `200 OK`, we'll need to generate and send a request with the example username and password encoded as the Authorization header credentials. Leverage one of the following methods to encode your Credentials:

## Browser Dev Tools

First, [open your browser's developer tools](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools#how_to_open_the_devtools_in_your_browser). Navigate to the **Console** tab, where you'll be able to execute the following JavaScript in the browser to generate your encoded credentials:

```javascript
btoa("<username>:<password>");
```

The [btoa method](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/btoa) is a built-in browser method for conveniently converting a string to base64 encoding.

For example, with our example credentials, you would input the following into the browser console and get this result:

```javascript
btoa("twilio:ahoy!")
> "dHdpbGlvOmFob3kh"
```

## Node.js REPL

First, open your terminal and enter the Node.js REPL by running `node`. You can then execute the following JavaScript in the REPL to generate your encoded credentials:

```javascript
Buffer.from("<username>:<password>").toString('base64');
```

For example, going with our example credentials from earlier, you would have the following output from the REPL:

```bash
$ node
Welcome to Node.js v15.10.0.
Type ".help" for more information.
> Buffer.from("twilio:ahoy!").toString('base64')
'dHdpbGlvOmFob3kh'
```

Now that you have your encoded credentials, it's time to make an authenticated request to your Function by including them in the Authentication header.

Using cURL with our example credentials would look like this:

```bash
curl -i -L -X POST 'https://auth-4173-dev.twil.io/basic' \
-H 'Authorization: Basic dHdpbGlvOmFob3kh'

```

and the response would be:

```bash
$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/basic' \
-H 'Authorization: Basic dHdpbGlvOmFob3kh'

HTTP/2 200
date: Tue, 03 Aug 2021 22:15:37 GMT
content-type: text/plain; charset=utf8
content-length: 2
x-shenanigans: none
x-content-type-options: nosniff
x-xss-protection: 1; mode=block

OK
```

At this point, Basic Authentication is now working for your Function!

To make this example your own, you could experiment with:

* Instead of defining the username and password directly in your Function's code, define other secure values and store them securely as [Environment Variables](/docs/serverless/functions-assets/functions/variables). You could then access them using `context.USERNAME` and `context.PASSWORD` respectively, for example.
* Take things a bit further and establish a database of authenticated users with hashed passwords. Once you've retrieved the decoded username and password from the Authorization header, perform a lookup of the user by username and validate their password using a library such as [bcrypt](https://www.npmjs.com/package/bcrypt). Your hashing secret can be a secure Environment Variable.