diff --git a/auth/request.go b/auth/request.go
index aef2ed0..ed58af2 100644
--- a/auth/request.go
+++ b/auth/request.go
@@ -14,7 +14,12 @@ var ErrNoCredentials = errors.New("no credentials provided")
 // RequestAuthenticator extracts credentials from an HTTP request and delegates
 // verification to a BasicAuthenticator. It supports Basic Auth, Authorization
 // header tokens, custom token headers, and query-parameter tokens.
+//
+// Use NewRequestAuthenticator for sane defaults.
 type RequestAuthenticator struct {
+	// AuthenticateBasic enables HTTP Basic Auth (Authorization: Basic …).
+	AuthenticateBasic bool
+
 	// AuthorizationSchemes lists accepted schemes for "Authorization: ".
 	// nil or an empty slice skips the Authorization header entirely;
 	// ["*"] accepts any scheme; ["Bearer", "Token"] restricts to those schemes.
@@ -29,6 +34,18 @@ type RequestAuthenticator struct {
 	TokenQueryParams []string
 }
 
+// NewRequestAuthenticator returns a RequestAuthenticator with sane defaults:
+// Basic Auth enabled, Bearer/Token Authorization schemes, common API-key
+// headers, and access_token/token query params.
+func NewRequestAuthenticator() *RequestAuthenticator {
+	return &RequestAuthenticator{
+		AuthenticateBasic: true,
+		AuthorizationSchemes: []string{"Bearer", "Token"},
+		TokenHeaders: []string{"X-API-Key", "X-Auth-Token", "X-Access-Token"},
+		TokenQueryParams: []string{"access_token", "token"},
+	}
+}
+
 // Authenticate extracts credentials from r in this order:
 // 1. Basic Auth (Authorization: Basic …)
 // 2. Authorization: (filtered by AuthorizationSchemes)
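Review bot: The new `AuthenticateBasic` field has zero value false, so every existing struct-literal constructor of RequestAuthenticator that does not set it silently stops accepting Basic Auth, and the field comment does not say so. Make the default explicit in the comment, e.g. `// AuthenticateBasic enables HTTP Basic Auth (Authorization: Basic …).` followed by `// The zero value disables it; set it explicitly or use NewRequestAuthenticator.` The caller in cmd/smsapid/main.go is updated in this commit, but any other literal constructors outside this diff would need the same change to keep their previous behaviour.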
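Review bot: NewRequestAuthenticator's "sane defaults" enable token extraction from the `access_token` and `token` query parameters, which puts credentials into request URLs and therefore into access logs, proxy logs, browser history and Referer headers; that is a weaker default than header-only extraction and the doc comment does not mention the trade-off. Consider leaving `TokenQueryParams` nil in the constructor so callers opt in, or at least document it, e.g. `// Query-parameter tokens are enabled for convenience; they are exposed in URLs and logs, so clear TokenQueryParams where that matters.` The slice literals are evaluated on each call, so each returned value owns its own slices and callers may modify them without affecting other instances.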
@@ -38,8 +55,10 @@ type RequestAuthenticator struct {
 // Returns ErrNoCredentials if no credential form is present in the request.
 func (ra *RequestAuthenticator) Authenticate(r *http.Request, a BasicAuthenticator) (BasicPrinciple, error) {
 	// 1. Basic Auth
-	if username, password, ok := r.BasicAuth(); ok {
-		return a.Authenticate(username, password)
+	if ra.AuthenticateBasic {
+		if username, password, ok := r.BasicAuth(); ok {
+			return a.Authenticate(username, password)
+		}
 	}
 
 	// 2. Authorization:
diff --git a/cmd/smsapid/main.go b/cmd/smsapid/main.go
index ac9b968..0885b11 100644
--- a/cmd/smsapid/main.go
+++ b/cmd/smsapid/main.go
@@ -36,6 +36,7 @@ var pingWriter jsonl.Writer
 var smsAuth *csvauth.Auth
 var smsRequestAuth = &auth.RequestAuthenticator{
+	AuthenticateBasic: true,
 	AuthorizationSchemes: []string{"*"},
 	TokenHeaders: []string{"API-Key", "X-API-Key"},
 }
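Review bot: When AuthenticateBasic is false, a request that still carries `Authorization: Basic …` is not rejected but falls through to step 2, where AuthorizationSchemes decides what happens; with the `["*"]` wildcard the base64 user:password pair would presumably be handed to the token path as if it were a token, which looks unintended (the Authorization-header handling is outside this hunk, so this is inferred). Consider having step 2 skip the Basic scheme explicitly when Basic Auth is disabled, or documenting that the wildcard includes it. The Authenticate doc comment's step list should also reflect the new condition, e.g. `// 1. Basic Auth (Authorization: Basic …), only when AuthenticateBasic is set`. Authenticate's body continues past the end of the hunk.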