If you have an OpenAPI schema for an API with authentication, Snyk API & Web can be configured to run authenticated requests and scan the API endpoints.
After adding an API target to Snyk API & Web, go to the settings of the API target, and configure the Snyk API & Web authentication for these scenarios:
The following sections detail the authentication configuration for each scenario.
Authenticate with a fixed API key in the request header
In this scenario, you have a fixed API key that must be placed in the header of all requests.
This is the simplest scenario, as you only need to add a Custom Header with the appropriate header name and its value.
To configure this option, proceed as follows:
In the Snyk API & Web app, go to the Targets menu and click on the cogwheel of the row whose target you want to configure.
Click on the SCANNER tab, go to the CUSTOM HEADERS section, and configure a Custom header name and a Custom header value. In this example, it is
AuthorizationandBearer.
Authenticate with an API token in the request header
In this scenario, you get an API token from an endpoint that authenticates you, for instance, with a pair of credentials, such as a username and a password.
This authentication pattern is often found on APIs that support web applications: the user authenticates himself with his username and password, obtaining a token used on all requests thereafter.
To configure this option, proceed as follows:
In the Snyk API & Web app, go to the Targets menu and click on the cogwheel to open the target settings.
Click on the AUTHENTICATION tab and scroll down to the API TARGET AUTHENTICATION section.
Fill out the form as follows:Select the AUTHENTICATION MEDIA TYPE of the payload/request to the authentication endpoint
Type the authentication URL in the LOGIN URL field.
In the AUTHENTICATION PAYLOAD, type the authentication content to send in the payload of the POST request to the LOGIN URL.
Click Fetch to authenticate, and the TOKEN SELECTOR is filled with a list of fields obtained in the authentication response. If the authentication fails, an error is displayed.
In the TOKEN SELECTOR, choose the field that contains the authentication token.
In the PLACE TOKEN IN, choose where to place the token in the API requests.
In most cases, the token is placed in the header. The other option is cookie.In the FIELD NAME, enter the name of the field in the header or cookie that will hold the token.
Optionally, set a VALUE PREFIX for the token value.
This is often needed for JWTs. For instance, if your API requires you to send a header like:Authorization: JWT <token>, set the following values:
FIELD NAME:
Authorization
Without the colon (:) separator.VALUE PREFIX:
JWT
Remember to add a space at the end so that the JWT and the token are properly separated.
Click on Save and enable.
You can disable/enable this authentication anytime with the Off/On toggle button or delete the configuration using the Delete button.
Authenticate with a fixed API key in a request parameter
In this scenario, you have a fixed API key that must be placed in a specific parameter.
To configure this option, proceed as follows:
In the Snyk API & Web app, go to the Targets menu entry and, in the line of the target to configure, click on the cogwheel to open the target settings.
Click on the SCANNER tab, go to the API SCANNING SETTINGS section, and inside it, go to the API PARAMETER CUSTOM VALUES.
Fill out the custom values as follows:
Type the field name. For example, "token".
Type the field value, which should be your API key.
Click on Add.
You can add multiple entries if your API key location varies. For example, if you use key for GETs and token for POSTs, add both fields with the same value. Snyk API & Web will use the right one for each endpoint.