BasicAuth leads to Panel Error

Hello!

I’m seeing some odd behavior while setting up a custom route and basicAuth for my website.

Background: On this page, I generate a custom cache when fetching content from an API via a page model, similar to this: Merging content sources | Kirby CMS

To clear the cache, I wanted to set up a custom route that can be called by a cron job.

In my config file, I set up:

'api' => [
  'basicAuth' => true,
],   
'auth' => [
  'debug' => true,
]

which leads to an error:
Rate limit exceeded

When I increase the trials in the config.php for testing to 100

'auth' => [
  'trials' => 100,
]

I get
The account "intern" was not found

when I check the .logins file
{"by-ip":{"myofficesipislistedhereblablabla":{"time":1776125951,"trials":16}},"by-email":[]}

I noticed that the number of login attempts increases by 3 each time I try to access the panel.

Note

  • This doesn’t happen on my local setup, ONLY on the DEV server.
  • DEV-Server is protected via htpasswd
  • I also tried the allowInsecure option, but it doesn’t make any difference

Any Ideas?
:thinking:

Update:
I investigated a bit further and found that the name “intern” from the error message
The account "intern" was not found comes from the user of my htpasswd account :face_with_spiral_eyes:

Maybe you could use a plugin like this to protect the dev site

Hey David,

since I’m deploying the same branch for testing on both dev and live (I test it on dev first, then on live), I think having an extra plugin only for the dev page isn’t ideal for my case.


For now, I think I’ll just disable the htpasswd, since there is no sensitive content on the dev page.

Since this doesn’t work, I’m a bit lost here.
Suspicious that everything works flawlessly locally.


Okay, I’m pretty convinced that the problem does indeed come from the .htpasswd.

It’s related to this:

Note: when I removed the .htpasswd for testing, the session remained active, which interfered with the panel.
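
A minimal model of the collision this thread arrives at, added here as an example that is not part of any post and is not Kirby's code: the browser repeats the htpasswd realm's Authorization header on every request, and an application that accepts Basic auth reads it as a login for its own accounts. The application user, passwords, IP address and the helper names are constructed; the three requests per panel load follow the count reported above.

```python
import base64
import binascii

# Constructed sample data; only the .logins layout and the user name "intern"
# are taken from the thread.
APP_USERS = {"editor@example.com": "app-password"}   # application accounts
HTPASSWD_HEADER = "Basic " + base64.b64encode(b"intern:dev-password").decode()


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def app_request(header, ip, logins, trials_limit):
    """Model of one API request to an application that accepts Basic auth."""
    entry = logins["by-ip"].setdefault(ip, {"time": 0, "trials": 0})
    if entry["trials"] >= trials_limit:
        return "Rate limit exceeded"
    creds = parse_basic(header or "")
    if creds is None:
        return "no Basic credentials, session auth is used instead"
    user, password = creds
    if user not in APP_USERS:
        entry["trials"] += 1   # the web server's user counts as a failed login
        return f'The account "{user}" was not found'
    if APP_USERS[user] != password:
        entry["trials"] += 1
        return "Invalid password"
    return "ok"


def panel_load(header, ip, logins, trials_limit, requests_per_load=3):
    """One panel visit: every background request repeats the same header."""
    return [app_request(header, ip, logins, trials_limit)
            for _ in range(requests_per_load)]
```

With a low limit the rate-limit message hides the underlying cause; raising the limit exposes the account lookup for the web server's user, which matches the sequence of errors described in the first post.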