diff --git a/rest_model_zrok/auth_user.go b/rest_model_zrok/auth_user.go
new file mode 100644
index 00000000..c6a4ded0
--- /dev/null
+++ b/rest_model_zrok/auth_user.go
@@ -0,0 +1,53 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package rest_model_zrok
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// AuthUser auth user
+//
+// swagger:model authUser
+type AuthUser struct {
+
+	// password
+	Password string `json:"password,omitempty"`
+
+	// username
+	Username string `json:"username,omitempty"`
+}
+
+// Validate validates this auth user
+func (m *AuthUser) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this auth user based on context it is used
+func (m *AuthUser) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AuthUser) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AuthUser) UnmarshalBinary(b []byte) error {
+	var res AuthUser
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
diff --git a/rest_model_zrok/tunnel_request.go b/rest_model_zrok/tunnel_request.go
index aff1636f..95e21acf 100644
--- a/rest_model_zrok/tunnel_request.go
+++ b/rest_model_zrok/tunnel_request.go
@@ -7,7 +7,9 @@ package rest_model_zrok
 
 import (
 	"context"
+	"strconv"
 
+	"github.com/go-openapi/errors"
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
 )
@@ -17,6 +19,12 @@ import (
 // swagger:model tunnelRequest
 type TunnelRequest struct {
 
+	// auth scheme
+	AuthScheme string `json:"authScheme,omitempty"`
+
+	// auth users
+	AuthUsers []*AuthUser `json:"authUsers"`
+
 	// endpoint
 	Endpoint string `json:"endpoint,omitempty"`
 
@@ -26,11 +34,75 @@ type TunnelRequest struct {
 
 // Validate validates this tunnel request
 func (m *TunnelRequest) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateAuthUsers(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
 	return nil
 }
 
-// ContextValidate validates this tunnel request based on context it is used
+func (m *TunnelRequest) validateAuthUsers(formats strfmt.Registry) error {
+	if swag.IsZero(m.AuthUsers) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(m.AuthUsers); i++ {
+		if swag.IsZero(m.AuthUsers[i]) { // not required
+			continue
+		}
+
+		if m.AuthUsers[i] != nil {
+			if err := m.AuthUsers[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("authUsers" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("authUsers" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// ContextValidate validate this tunnel request based on the context it is used
 func (m *TunnelRequest) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateAuthUsers(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *TunnelRequest) contextValidateAuthUsers(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(m.AuthUsers); i++ {
+
+		if m.AuthUsers[i] != nil {
+			if err := m.AuthUsers[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("authUsers" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("authUsers" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
 	return nil
 }
 
diff --git a/rest_server_zrok/embedded_spec.go b/rest_server_zrok/embedded_spec.go
index c2eebc2c..cdbe2f05 100644
--- a/rest_server_zrok/embedded_spec.go
+++ b/rest_server_zrok/embedded_spec.go
@@ -287,6 +287,17 @@ func init() {
         }
       }
     },
+    "authUser": {
+      "type": "object",
+      "properties": {
+        "password": {
+          "type": "string"
+        },
+        "username": {
+          "type": "string"
+        }
+      }
+    },
     "enableRequest": {
       "type": "object",
       "properties": {
@@ -418,6 +429,15 @@ func init() {
     "tunnelRequest": {
       "type": "object",
       "properties": {
+        "authScheme": {
+          "type": "string"
+        },
+        "authUsers": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/authUser"
+          }
+        },
         "endpoint": {
           "type": "string"
         },
@@ -730,6 +750,17 @@ func init() {
         }
       }
     },
+    "authUser": {
+      "type": "object",
+      "properties": {
+        "password": {
+          "type": "string"
+        },
+        "username": {
+          "type": "string"
+        }
+      }
+    },
     "enableRequest": {
       "type": "object",
       "properties": {
@@ -861,6 +892,15 @@ func init() {
     "tunnelRequest": {
       "type": "object",
       "properties": {
+        "authScheme": {
+          "type": "string"
+        },
+        "authUsers": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/authUser"
+          }
+        },
         "endpoint": {
           "type": "string"
         },
diff --git a/specs/zrok.yml b/specs/zrok.yml
index 673a86e6..09dae9ea 100644
--- a/specs/zrok.yml
+++ b/specs/zrok.yml
@@ -171,6 +171,14 @@ definitions:
       token:
         type: string
 
+  authUser:
+    type: object
+    properties:
+      username:
+        type: string
+      password:
+        type: string
+
   enableRequest:
     type: object
     properties:
@@ -268,6 +276,12 @@ definitions:
         type: string
       endpoint:
         type: string
+      authScheme:
+        type: string
+      authUsers:
+        type: array
+        items:
+          $ref: "#/definitions/authUser"
   tunnelResponse:
     type: object
     properties:
diff --git a/ui/src/api/types.js b/ui/src/api/types.js
index 9fd5c245..e8e1e5d8 100644
--- a/ui/src/api/types.js
+++ b/ui/src/api/types.js
@@ -16,6 +16,14 @@
  * @property {string} token 
  */
 
+/**
+ * @typedef authUser
+ * @memberof module:types
+ * 
+ * @property {string} username 
+ * @property {string} password 
+ */
+
 /**
  * @typedef enableRequest
  * @memberof module:types
@@ -87,6 +95,8 @@
  * 
  * @property {string} zitiIdentityId 
  * @property {string} endpoint 
+ * @property {string} authScheme 
+ * @property {module:types.authUser[]} authUsers 
  */
 
 /**