diff --git a/controller/tunnel.go b/controller/tunnel.go
index 85ab3a39..57b096f9 100644
--- a/controller/tunnel.go
+++ b/controller/tunnel.go
@@ -67,7 +67,7 @@ func (self *tunnelHandler) Handle(params tunnel.TunnelParams, principal *rest_mo
 logrus.Error(err)
 return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 }
- cfgId, err := self.createConfig(svcName, edge)
+ cfgId, err := self.createConfig(svcName, params, edge)
 if err != nil {
 logrus.Error(err)
 return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
@@ -117,8 +117,20 @@ func (self *tunnelHandler) Handle(params tunnel.TunnelParams, principal *rest_mo
 })
 }
 
-func (self *tunnelHandler) createConfig(svcName string, edge *rest_management_api_client.ZitiEdgeManagement) (cfgID string, err error) {
- cfg := &model.ProxyConfig{AuthScheme: model.None}
+func (self *tunnelHandler) createConfig(svcName string, params tunnel.TunnelParams, edge *rest_management_api_client.ZitiEdgeManagement) (cfgID string, err error) {
+ authScheme, err := model.ParseAuthScheme(params.Body.AuthScheme)
+ if err != nil {
+ return "", err
+ }
+ cfg := &model.ProxyConfig{
+ AuthScheme: authScheme,
+ }
+ if cfg.AuthScheme == model.Basic {
+ cfg.BasicAuth = &model.BasicAuth{}
+ for _, authUser := range params.Body.AuthUsers {
+ cfg.BasicAuth.Users = append(cfg.BasicAuth.Users, &model.AuthUser{Username: authUser.Username, Password: authUser.Password})
+ }
+ }
 cfgCrt := &rest_model.ConfigCreate{
 ConfigTypeID: &zrokProxyConfigId,
 Data: cfg,
diff --git a/model/config.go b/model/config.go
index 14e9dead..b6c03e4e 100644
--- a/model/config.go
+++ b/model/config.go
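Review bot: In `createConfig` (controller/tunnel.go) the `model.Basic` branch accepts an empty `params.Body.AuthUsers` list and users whose `Username` or `Password` is blank, so a share can be registered as "basic" with no usable credentials or with an empty password. Whether that locks everyone out or is treated as open depends on the consumer of the config, which is not in this diff; rejecting it here is the safer side, e.g. `if len(params.Body.AuthUsers) == 0 { return "", errors.New("basic auth requires at least one user") }` plus an empty-field check inside the loop (this assumes an `errors` package is imported in the file). If `AuthUsers` is a slice of pointers (its type is not visible here), a nil element would panic on `authUser.Username`. The passwords are also copied verbatim into `cfg`, which becomes the `Data` of the config create request, so they are kept in cleartext wherever that config is stored; switching to a salted hash would need a matching change in whatever verifies the credentials. The body of `createConfig` continues past the end of the hunk.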
@@ -1,17 +1,19 @@
 package model
 
+import "github.com/pkg/errors"
+
 const ZrokProxyConfig = "zrok.proxy.v1"
 
 type AuthScheme string
 
 const (
 None AuthScheme = "none"
- Basic = "basic"
+ Basic AuthScheme = "basic"
 )
 
 type ProxyConfig struct {
 AuthScheme AuthScheme `json:"auth_scheme"`
- BasicAuth BasicAuth `json:"basic_auth"`
+ BasicAuth *BasicAuth `json:"basic_auth"`
 }
 
 type BasicAuth struct {
@@ -22,3 +24,14 @@ type AuthUser struct {
 Username string `json:"username"`
 Password string `json:"password"`
 }
+
+func ParseAuthScheme(authScheme string) (AuthScheme, error) {
+ switch authScheme {
+ case string(None):
+ return None, nil
+ case string(Basic):
+ return Basic, nil
+ default:
+ return None, errors.Errorf("unknown auth scheme '%v'", authScheme)
+ }
+}
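Review bot: With `BasicAuth` now a `*BasicAuth` in `ProxyConfig` (model/config.go), a config created with the none scheme carries a nil pointer, which with encoding/json serializes as `"basic_auth": null`, so every reader of `ProxyConfig` has to nil-check before touching `BasicAuth.Users`. The readers are not part of this diff; the one to check most carefully is the code that enforces the scheme, which should refuse the request when `AuthScheme` is `Basic` and `BasicAuth` is nil or has no users, rather than fall through. A short comment on the field would record the invariant: `// BasicAuth is nil unless AuthScheme is Basic.`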
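Review bot: The default branch of `ParseAuthScheme` (model/config.go) returns `None` together with the error, so a caller that drops the error ends up with the unauthenticated scheme; returning the zero value makes that mistake fail closed: `return "", errors.Errorf("unknown auth scheme %q", authScheme)`. `%q` also quotes and escapes the client-supplied value before it reaches the log line and the error payload built in `Handle`. An empty string is rejected as well, so a request that leaves the auth scheme unset now fails; if that is intended it is worth saying in a doc comment on this exported function, e.g. `// ParseAuthScheme maps the wire value to an AuthScheme; unknown or empty values are an error.`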