
How to pass more data with basic authentication in a RESTful API

Updated: 2023-12-06 09:36:16

Basic authentication is not a good protocol for securing web APIs as I tried to explain in my answers here and here.

It's okay to support it for things like test automation etc, but I would not use it in production. You will have a hard time keeping the password secret as neither JavaScript nor mobile clients can be trusted to keep secrets.

It's not clear to me why email addresses are not unique across organizations. Are you not sending the part after the at-sign ('@')?

You cannot introduce another field in the basic authentication credentials field. According to RFC7235, the credentials field can only contain:

    credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

I would look into a secure token-based authentication scheme, such as using JWT tokens.
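To make the RFC 7235 grammar in the answer concrete, here is an added Python example (not from the original post) that splits an Authorization value into auth-scheme and payload, decodes a Basic credential per RFC 7617, and pulls the organization from the domain part of the user-id when the full email address is sent. The sample header and the names of the helper functions are constructed for this illustration.

```python
import base64
import re

# RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
# Basic (RFC 7617) carries exactly one token68, the base64 of "user-id:password",
# so the header has no slot for an extra field such as an organization.
TOKEN68_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Constructed sample: user-id is a full email, password contains a colon.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice@example.org:s3cret:x").decode("ascii")


def split_credentials(header_value: str):
    """Split an Authorization value into (auth-scheme, payload) per RFC 7235."""
    parts = header_value.strip().split(None, 1)
    scheme = parts[0]
    payload = parts[1].strip() if len(parts) > 1 else ""
    return scheme, payload


def parse_basic(header_value: str):
    """Decode Basic credentials into (user-id, password), or None if malformed.

    The user-id may not contain ':' (RFC 7617), so split on the first colon only;
    the password may legitimately contain further colons.
    """
    scheme, payload = split_credentials(header_value)
    if scheme.lower() != "basic" or not TOKEN68_RE.match(payload):
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user_id, password = decoded.split(":", 1)
    return user_id, password


def org_from_user_id(user_id: str):
    """Return the domain after '@' (the organization) when a full email is the user-id."""
    if "@" not in user_id:
        return None
    return user_id.rsplit("@", 1)[1].lower()


if __name__ == "__main__":
    creds = parse_basic(SAMPLE_HEADER)
    print(creds, org_from_user_id(creds[0]))
```

Note that the decoded credential exposes the password on every request, which is the reason the answer recommends a token-based scheme for production.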