Bypass htaccess Password Protection for API calls

Question

We have our development website password protected with htaccess and htpasswd. We have REST API on our dev website and we are able to bypass the password protection when we are not using any authorization header by passing the username and password as Basic Auth Type. Please check the below screenshot

Postman Authorization Type

However, we are having few other APIs as well where we need to pass the bearer(token) as authorization header. In this case we are not able to pass multiple authorization header for both htaccess password and token.

Is there a way we can pass both the htaccess authorization header as well as the API authorization header? Or can we bypass password protection only for API calls and not for the website?

For additional information, we are using Apache/2.4.28.

Thanks

Answer 1

Super old question, but I just ran into this issue and figured out you can combine the Basic Auth and the Bearer Token into 1 Authorization call.

This is how I did it with Postman:

1. Create the Basic Auth to get past your htaccess pw:

2. Go to the Headers section and copy the Hashed Basic Auth Value:

3. Still in Headers add a new Authorization Key. For the Value add your copied Basic Auth Hash and then your Bearer token. Should look like this:

Basic dGVhbToxxxXXXxxxXx== Bearer 2|XDIrp...wqhKCzvOpK

4. Now go back to the Authorization Tab (Step 1) and Change the Basic Auth back to Inherit Auth from parent

5. The final Header should look like this:

Now you can get through the htaccess and authenticate your Api route with the bearer token.