Add resident KM requirement note to Basic Authentication docs

[Copilot]

Basic Authentication in WSO2 API Manager only works with the resident Key Manager. When a third-party KM is configured, only OAuth2 is supported — but this limitation was never documented explicitly.

Purpose

Documents the undocumented limitation that Basic Auth is incompatible with third-party Key Manager configurations. Resolves the gap identified for v4.6.0.

Goals

Add a visible note to the Basic Auth documentation page so users are immediately aware that Basic Auth requires the WSO2 resident Key Manager and that OAuth2 must be used when a third-party KM is in place.

Approach

Added a !!! note admonition near the top of en/docs/api-security/runtime/api-authentication/secure-apis-using-basic-authentication.md, placed right after the intro paragraph and before any configuration steps:

!!! note
    Basic Authentication is only supported when using the **WSO2 resident Key Manager**. If a third-party Key Manager is configured, Basic Authentication will not function and only OAuth2-based authentication is supported for API invocations in that scenario.

User stories

• As an API consumer configuring a third-party KM, I need to know upfront that Basic Auth won't work so I configure OAuth2 instead and avoid wasted debugging time.

Release note

Added a note to the Basic Authentication documentation clarifying that Basic Auth is only supported with the WSO2 resident Key Manager. Third-party KM configurations must use OAuth2 for API authentication.

Documentation

en/docs/api-security/runtime/api-authentication/secure-apis-using-basic-authentication.md — this PR is the documentation change.

Training

N/A

Certification

N/A — no behavioral change; documentation clarification only.

Marketing

N/A

Automation tests

• Unit tests: N/A — documentation change only
• Integration tests: N/A — documentation change only

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes
• Ran FindSecurityBugs plugin and verified report? N/A — documentation only
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes

Samples

N/A

Related PRs

N/A

Migrations (if applicable)

N/A

Test environment

N/A — documentation change only

Learning

N/A

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add a note to Basic Auth Section mentioning that it will only work with resident KM</issue_title>
<issue_description>### Current Limitation

If third-party KM configured , then you Basic Auth with the IS provisioned users. We only support OAuth in that use case. Even though we haven't explicitly said that in the docs, we have mentioned that token validation is for JWT in several places.
This need to be properly added to the doc.

Suggested Improvement

Improve the Basic auth section mentioning above

Version

4.6.0</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Add a note to Basic Auth Section mentioning that it will only work with resident KM #10975

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ AnuGayan
❌ Copilot
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

Documents a previously undocumented limitation in WSO2 API Manager: Basic Authentication only works with the resident Key Manager, and third-party Key Manager setups require OAuth2-based authentication.

Changes:

• Added a !!! note admonition to the Basic Authentication documentation clarifying the resident Key Manager requirement.
• Explicitly states that Basic Authentication will not work when a third-party Key Manager is configured, and OAuth2 must be used instead.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.