diff --git a/cmd/config.go b/cmd/config.go
index df5b156..854404c 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -2,12 +2,14 @@ package main
 import "crypto/tls"
 import "crypto/x509"
+import "encoding/base64"
 import "errors"
 import "fmt"
 import "hodu"
 import "io"
 import "io/ioutil"
 import "os"
+import "strings"
 import "time"
 import "gopkg.in/yaml.v3"
@@ -45,8 +47,7 @@ type ClientTLSConfig struct {
 type BasicAuthConfig struct {
 Enabled bool `yaml:"enabled"`
 Realm string `yaml:"realm"`
- Users []string `yaml:"users"`
- UserFile string `yaml:"user-file"`
+ Creds []string `yaml:"credentials"`
 }
 type CTLServiceConfig struct {
@@ -342,3 +343,30 @@ func make_tls_client_config(cfg *ClientTLSConfig) (*tls.Config, error) {
 return tlscfg, nil
 }
+
+// --------------------------------------------------------------------
+func make_server_basic_auth_config(cfg *BasicAuthConfig) (*hodu.ServerBasicAuth, error) {
+ var config hodu.ServerBasicAuth
+ var cred string
+ var b []byte
+ var x []string
+ var err error
+
+ config.Enabled = cfg.Enabled
+ config.Realm = cfg.Realm
+
+ for _, cred = range cfg.Creds {
+ b, err = base64.StdEncoding.DecodeString(cred)
+ if err == nil { cred = string(b) }
+
+ // each entry must be of the form username:password
+ x = strings.Split(cred, ":")
+ if len(x) != 2 {
+ return nil, fmt.Errorf("invalid basic auth credential - %s", cred)
+ }
+
+ config.Creds = append(config.Creds, hodu.ServerBasicAuthCred{ Username: x[0], Password: x[1] })
+ }
+
+ return &config, nil
+}
diff --git a/cmd/main.go b/cmd/main.go
index bbb3b81..96a8988 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -93,7 +93,7 @@ func server_main(ctl_addrs []string, rpc_addrs []string, pxy_addrs []string, wpx
 var s *hodu.Server
 var config *hodu.ServerConfig
 var logger *AppLogger
- var log_mask hodu.LogMask
+ var logmask hodu.LogMask
 var logfile string
 var logfile_maxsize int64
 var logfile_rotate int
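Review bot: In make_server_basic_auth_config (cmd/config.go), the error path formats the whole entry into the message, `fmt.Errorf("invalid basic auth credential - %s", cred)`, so a malformed line puts the decoded username and password into whatever prints the startup error. Report the position instead, for example by declaring `var i int`, looping with `for i, cred = range cfg.Creds`, and returning `fmt.Errorf("invalid basic auth credential at index %d", i)`. Separately, `strings.Split(cred, ":")` with `len(x) != 2` rejects any password that contains a colon, which Basic authentication permits; `x = strings.SplitN(cred, ":", 2)` keeps everything after the first colon as the password. The base64 step is an encoding, not protection, so the config file still holds recoverable passwords and should be readable only by the service account.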
@@ -101,7 +101,7 @@ func server_main(ctl_addrs []string, rpc_addrs []string, pxy_addrs []string, wpx
 var xterm_html string
 var err error
- log_mask = hodu.LOG_ALL
+ logmask = hodu.LOG_ALL
 config = &hodu.ServerConfig{
 CtlAddrs: ctl_addrs,
@@ -125,12 +125,15 @@ func server_main(ctl_addrs []string, rpc_addrs []string, pxy_addrs []string, wpx
 if len(config.PxyAddrs) <= 0 { config.PxyAddrs = cfg.PXY.Service.Addrs }
 if len(config.WpxAddrs) <= 0 { config.WpxAddrs = cfg.WPX.Service.Addrs }
+ config.CtlBasicAuth, err = make_server_basic_auth_config(&cfg.CTL.Service.BasicAuth)
+ if err != nil { return err }
+
 config.CtlPrefix = cfg.CTL.Service.Prefix
 config.RpcMaxConns = cfg.APP.MaxRpcConns
 config.MaxPeers = cfg.APP.MaxPeers
 xterm_html_file = cfg.APP.XtermHtmlFile
- log_mask = log_strings_to_mask(cfg.APP.LogMask)
+ logmask = log_strings_to_mask(cfg.APP.LogMask)
 logfile = cfg.APP.LogFile
 logfile_maxsize = cfg.APP.LogMaxSize
 logfile_rotate = cfg.APP.LogRotate
@@ -141,9 +144,9 @@ func server_main(ctl_addrs []string, rpc_addrs []string, pxy_addrs []string, wpx
 }
 if logfile == "" {
- logger = NewAppLogger("server", os.Stderr, log_mask)
+ logger = NewAppLogger("server", os.Stderr, logmask)
 } else {
- logger, err = NewAppLoggerToFile("server", logfile, logfile_maxsize, logfile_rotate, log_mask)
+ logger, err = NewAppLoggerToFile("server", logfile, logfile_maxsize, logfile_rotate, logmask)
 if err != nil {
 return fmt.Errorf("failed to initialize logger - %s", err.Error())
 }
@@ -158,13 +161,9 @@ func server_main(ctl_addrs []string, rpc_addrs []string, pxy_addrs []string, wpx
 xterm_html = string(tmp)
 }
- s, err = hodu.NewServer(
- context.Background(),
- HODU_NAME,
- logger,
- config)
+ s, err = hodu.NewServer(context.Background(), HODU_NAME, logger, config)
 if err != nil {
- return fmt.Errorf("failed to create new server - %s", err.Error())
+ return fmt.Errorf("failed to create server - %s", err.Error())
 }
 if xterm_html != "" { s.SetXtermHtml(xterm_html) }
@@ -251,7 +250,7 @@ func client_main(ctl_addrs []string, rpc_addrs []string, route_configs []string,
 var ctl_prefix string
 var cc hodu.ClientConfig
 var logger *AppLogger
- var log_mask hodu.LogMask
+ var logmask hodu.LogMask
 var logfile string
 var logfile_maxsize int64
 var logfile_rotate int
@@ -261,7 +260,7 @@ func client_main(ctl_addrs []string, rpc_addrs []string, route_configs []string,
 var i int
 var err error
- log_mask = hodu.LOG_ALL
+ logmask = hodu.LOG_ALL
 if cfg != nil {
 ctltlscfg, err = make_tls_server_config(&cfg.CTL.TLS)
 if err != nil {
@@ -278,7 +277,7 @@ func client_main(ctl_addrs []string, rpc_addrs []string, route_configs []string,
 cc.ServerSeedTmout = cfg.RPC.Endpoint.SeedTmout
 cc.ServerAuthority = cfg.RPC.Endpoint.Authority
- log_mask = log_strings_to_mask(cfg.APP.LogMask)
+ logmask = log_strings_to_mask(cfg.APP.LogMask)
 logfile = cfg.APP.LogFile
 logfile_maxsize = cfg.APP.LogMaxSize
 logfile_rotate = cfg.APP.LogRotate
@@ -299,9 +298,9 @@ func client_main(ctl_addrs []string, rpc_addrs []string, route_configs []string,
 }
 if logfile == "" {
- logger = NewAppLogger("client", os.Stderr, log_mask)
+ logger = NewAppLogger("client", os.Stderr, logmask)
 } else {
- logger, err = NewAppLoggerToFile("client", logfile, logfile_maxsize, logfile_rotate, log_mask)
+ logger, err = NewAppLoggerToFile("client", logfile, logfile_maxsize, logfile_rotate, logmask)
 if err != nil {
 return fmt.Errorf("failed to initialize logger - %s", err.Error())
 }
diff --git a/server-ctl.go b/server-ctl.go
index 10f44a4..6f9ff28 100644
--- a/server-ctl.go
+++ b/server-ctl.go
@@ -62,6 +62,17 @@ func (ctl *server_ctl) Id() string {
 return ctl.id
 }
+func (ctl *server_ctl) Authenticate(req *http.Request) bool {
+ var s *Server
+
+ s = ctl.s
+ if s.cfg.CtlBasicAuth != nil && s.cfg.CtlBasicAuth.Enabled {
+ // perform basic authentication
+ }
+
+ return true
+}
+
 // ------------------------------------
 func (ctl *server_ctl_server_conns) ServeHTTP(w http.ResponseWriter, req *http.Request) (int, error) {
diff --git a/server-proxy.go b/server-proxy.go
index a82eef8..eb9c4ac 100644
--- a/server-proxy.go
+++ b/server-proxy.go
@@ -184,10 +184,16 @@ func mutate_proxy_req_headers(req *http.Request, newreq *http.Request, path_pref
 return upgrade_required
 }
+// ------------------------------------
+
 func (pxy *server_proxy) Id() string {
 return pxy.id
 }
+func (pxy *server_proxy) Authenticate(req *http.Request) bool {
+ return true
+}
+
 // ------------------------------------
 func prevent_follow_redirect (req *http.Request, via []*http.Request) error {
diff --git a/server.go b/server.go
index d9363eb..b2cfb4e 100644
--- a/server.go
+++ b/server.go
@@ -42,7 +42,7 @@ type ServerSvcPortMap = map[PortId]ConnRouteId
 type ServerWpxResponseTransformer func(r *ServerRouteProxyInfo, resp *http.Response) io.Reader
 type ServerWpxForeignPortProxyMaker func(wpx_type string, port_id string) (*ServerRouteProxyInfo, error)
-type ServerBasicAuthUser struct {
+type ServerBasicAuthCred struct {
 Username string
 Password string
 }
@@ -50,7 +50,7 @@ type ServerBasicAuthUser struct {
 type ServerBasicAuth struct {
 Enabled bool
 Realm string
- User []ServerBasicAuthUser
+ Creds []ServerBasicAuthCred
 }
 type ServerConfig struct {
@@ -62,7 +62,7 @@ type ServerConfig struct {
 CtlAddrs []string
 CtlTls *tls.Config
 CtlPrefix string
- CtlBasicAuth ServerBasicAuth
+ CtlBasicAuth *ServerBasicAuth
 PxyAddrs []string
 PxyTls *tls.Config
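Review bot: server_ctl.Authenticate in server-ctl.go returns true on every path, including when `s.cfg.CtlBasicAuth.Enabled` is set, because the enabled branch holds only the comment `// perform basic authentication`. An operator who sets `enabled: true` and lists credentials therefore gets a control endpoint that still accepts unauthenticated requests; until the check exists, that branch should fail closed. The sketch below compares the request's Basic credentials against `Creds` in constant time; it needs `crypto/subtle` imported in server-ctl.go, and the caller (not visible in this diff) would still have to answer a false result with 401 and a `WWW-Authenticate` header carrying `Realm`. server_proxy.Authenticate in server-proxy.go also returns true unconditionally, and if the proxy is meant to be unauthenticated a comment on that method should say so.

```go
func (ctl *server_ctl) Authenticate(req *http.Request) bool {
	var s *Server
	var cred ServerBasicAuthCred
	var username string
	var password string
	var ok bool

	s = ctl.s
	if s.cfg.CtlBasicAuth == nil || !s.cfg.CtlBasicAuth.Enabled { return true }

	username, password, ok = req.BasicAuth()
	if !ok { return false }

	for _, cred = range s.cfg.CtlBasicAuth.Creds {
		// compare both fields in constant time
		if subtle.ConstantTimeCompare([]byte(username), []byte(cred.Username)) == 1 &&
			subtle.ConstantTimeCompare([]byte(password), []byte(cred.Password)) == 1 {
			return true
		}
	}

	// enabled but no matching credential: fail closed
	return false
}
```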
@@ -953,6 +953,7 @@ func (hlw *server_http_log_writer) Write(p []byte) (n int, err error) {
 type ServerHttpHandler interface {
 Id() string
+ Authenticate(req *http.Request) bool
 ServeHTTP (w http.ResponseWriter, req *http.Request) (int, error)
 }
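Review bot: The new `Authenticate(req *http.Request) bool` method on ServerHttpHandler has no comment saying what a false result obliges the caller to do, and none of the hunks in this diff add a call to it, so it is not evident here that any request is ever rejected. A contract comment such as `// Authenticate reports whether req may proceed; on false the dispatcher must reject the request and must not call ServeHTTP.` would make the expectation explicit for every implementer.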