How to use Basic Authentication in the whole site except one folder?

This is sort of of a follow up of my question Build fails with 404 Not Found at Netlify function path with Apollo Client. I am implementing an Apollo graphql server using a Netlify lambda function, and while the site is in development, it is protected with Basic Authentication.

I am having a problem with the preflight OPTIONS requests done by fetch in the Apollo Client in client side. When the browser makes the OPTIONS request, it doesn’t send the Authorization header+value from my code, so the whole request is aborted.

This is browser only behavior. I can run queries against the server with curl, Postman, the Graphql Playground if they include the Authorization header, and also with the server side implementation of the Apollo Client where the headers are injected explicitly.

As stated in this answer in StackOverflow,

the server must be configured to respond to any OPTIONS requests (from allowed origins at least) with a 2xx success response, without requiring authentication.

My first try was to modify my function to return a status code of 200 for an OPTIONS request, but this obviously didn’t work since the request is intercepted way before it reaches the lambda.

Second, I modified my existing netlify.toml:

    for = "/*"
        Basic-Auth = "user:password"


    for = ".netlify/*"
            Basic-Auth = ''

but this failed at build time with error Invalid Netlify configuration file: Error while decoding file /opt/build/repo/netlify.toml: Near line 7 (last key parsed 'headers'): Key 'headers.values' has already been defined.

Is there some way that I can ‘expose’ the .netlify directory without Basic Auth, while keeping the rest under password?

Thank you,


Hi there,

A few problems here and hopefully a solution.

There is no “set a folder not to use basic auth”. You have to specify instead ALL OTHER PATHS that DO use basic auth.

All paths in redirects must start with a / character as well, which is probably the cause of the syntax error. Finally, you can’t change settings on /.netlify paths - redirect settings for the “from” paths there are only for internal use by us. You can redirect TO them though!

I guessed as much, thank you for confirming. This solution is really not working for us since we would have to add hundreds of paths to basic auth, and only while we are in development. So I moved the graphql server to another independent repo with a different protection, and kept the config for the web as it is.

Thank you!

1 Like