Summary
Effective with Pega Infinity release 25.1.2, we are deprecating the use of HTTP Basic Authentication for inbound API calls (service packages). This decision reflects our ongoing commitment to enhance security and protect user data. We strongly encourage you to transition to one of the secure alternatives outlined in the “Action Required” section of this advisory.
Deprecated Features
As a reminder, deprecated features are no longer subject to active development and receive limited support. While these features continue to function in the current release, avoid using them in new deployments.
Pega maintains deprecated features for several software versions to give you time to adopt the fully supported features that meet your business needs.
For more information, see Withdrawn and deprecated features.
Reasons for Deprecation
The National Institute of Standards and Technology (NIST) has identified several weaknesses in HTTP Basic Authentication. The NIST Digital Identity Guidelines (SP 800-63-3), together with general security practice, highlight the following:
- Credentials in Cleartext (Encoded, Not Encrypted): HTTP Basic Authentication uses Base64 encoding, which is reversible and is not encryption. Anyone monitoring the network traffic (for example, in a man-in-the-middle attack) can decode the Base64 string to recover the plain-text username and password.
- Credentials Sent with Every Request: The browser automatically sends the credentials in the header of every subsequent HTTP request to the same domain during a session. This increases the risk of exposing the credentials across many interactions if any part of the communication channel is compromised.
- Lack of Session Management: Basic Authentication has no built-in, secure mechanism for session management, tokens, or explicit logout. Cached credentials can therefore persist in the browser for an extended period, increasing the potential for misuse, especially on shared computers.
Action Required
Clients must transition to the OAuth 2.0 Client Credentials flow for authentication when accessing Pega REST inbound APIs. You can implement OAuth 2.0 using either Pega or an external Identity Provider (IdP).
As a best practice, avoid using Service Packages that rely on HTTP Basic authentication, because they actively expose your systems to credential interception, unauthorized access, and potential data breaches.
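Before the transition, it helps to inventory which callers still send Basic credentials to your inbound APIs. The following audit script is an added example, not Pega code: it runs over constructed access-log lines (the log format, paths and addresses are assumed), counts the authentication schemes in use, and lists the Basic-auth callers by decoded username only, so the report never retains a password.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample log lines (not real Pega output): timestamp, client IP,
# method, path, and the captured Authorization header value, if any.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.10 POST /api/v1/cases Authorization="Basic YWxpY2U6czNjcjN0"
2025-06-01T10:00:02Z 203.0.113.11 GET /api/v1/cases/C-1 Authorization="Bearer eyJhbGciOi..."
2025-06-01T10:00:03Z 203.0.113.12 GET /api/v1/data Authorization="Basic %%%"
2025-06-01T10:00:04Z 203.0.113.13 GET /api/v1/health
"""

# Assumed log layout: the header is logged as Authorization="<scheme> <value>".
AUTH_RE = re.compile(r'Authorization="(\w+)(?:\s+([^"]*))?"')


def decode_basic_user(credential):
    """Return the username from a Basic credential, or None if the value is
    not valid Base64 'user:password'. The password part is discarded on
    purpose so the audit output never stores it."""
    try:
        raw = base64.b64decode(credential, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


def audit_auth_schemes(log_text):
    """Count auth schemes per request and list (client_ip, user) pairs that
    still authenticate with Basic and therefore must move to OAuth 2.0."""
    counts = Counter()
    basic_callers = []
    for line in log_text.splitlines():
        client_ip = line.split()[1]
        match = AUTH_RE.search(line)
        if not match:
            counts["none"] += 1          # unauthenticated or header not logged
            continue
        scheme = match.group(1).lower()
        counts[scheme] += 1
        if scheme == "basic":
            user = decode_basic_user(match.group(2) or "") or "<malformed>"
            basic_callers.append((client_ip, user))
    return counts, basic_callers


if __name__ == "__main__":
    counts, callers = audit_auth_schemes(SAMPLE_LOG)
    print("schemes:", dict(counts))
    print("callers still on Basic:", callers)
```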