How to authenticate to scan an API target (OpenAPI)

Learn how to configure Probely to authenticate and scan an API using an OpenAPI schema.

Written by Jaime Vasconcelos
Updated over a week ago

If you have an OpenAPI schema for an API with authentication, Probely can be configured to run authenticated requests and scan the API endpoints.

After adding an API target to Probely, open the settings of the API target and configure Probely's authentication for the scenario that matches your API:

  1. A fixed API key sent in a request header.

  2. An API token obtained from an authentication endpoint and sent in a request header.

  3. A fixed API key sent in a request parameter.

The following sections detail the authentication configuration for each scenario.

Authenticate with a fixed API key in the request header

In this scenario, you have a fixed API key that must be placed in the header of all requests.

This is the simplest scenario, as you only need to add a Custom Header with the appropriate header name and its value.

To configure this option, proceed as follows:

  1. In the Probely app, go to the TARGETS tab and click on the cogwheel of the row whose target you want to configure.

  2. Click on the SCANNER tab, go to the CUSTOM HEADERS section, and configure a Custom header name and a Custom header value. In this example, they are Authorization and Bearer, respectively.

Authenticate with an API token in the request header

In this scenario, you get an API token from an endpoint that authenticates you, for instance, with a pair of credentials, such as a username and a password.

This authentication pattern is often found on APIs that back web applications: the user authenticates with a username and password, obtaining a token that is then sent on all subsequent requests.

To configure this option, proceed as follows:

  1. In the Probely app, go to the TARGETS tab and, in the line of the target to configure, click on the cogwheel to open the target settings.

  2. Click on the AUTHENTICATION tab and scroll down to the API TARGET AUTHENTICATION section.

    Fill out the form as follows:

    1. Select the AUTHENTICATION MEDIA TYPE of the payload/request sent to the authentication endpoint.

    2. Type the authentication URL in the LOGIN URL field.

    3. In the AUTHENTICATION PAYLOAD, type the authentication content to send in the payload of the POST request to the LOGIN URL.

    4. Click FETCH to authenticate. If the authentication succeeds, the TOKEN SELECTOR is filled with the list of fields found in the authentication response; if it fails, an error is displayed.

    5. In the TOKEN SELECTOR, choose the field that contains the authentication token.

    6. In the PLACE TOKEN IN, choose where to place the token in the API requests.
      In most cases, the token is placed in the header. The other option is cookie.

    7. In the FIELD NAME, enter the name of the field in the header or cookie that will hold the token.

    8. Optionally, set a VALUE PREFIX for the token value.
      This is often needed for JWTs. For instance, if your API requires you to send a header like: Authorization: JWT <token>, set the following values:

      1. FIELD NAME: Authorization
        Without the colon (:) separator.

      2. VALUE PREFIX: JWT
        Remember to add a space at the end so that the JWT and the token are properly separated.

    9. Click on SAVE AND ENABLE.

You can disable/enable this authentication anytime with the Off/On toggle button or delete the configuration using the DELETE button.
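As an added example (not Probely's own code), the Python below is a dry run of the flow this section configures: POST the AUTHENTICATION PAYLOAD to the LOGIN URL, pick the token out of the response with the TOKEN SELECTOR, and build the FIELD NAME header or cookie with the VALUE PREFIX. The login response, the selector path "auth.access" and the dotted-selector syntax are constructed assumptions; the guards on the missing colon and the trailing space mirror the notes in step 8.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample login response; stands in for what the real LOGIN URL returns.
SAMPLE_LOGIN_RESPONSE = {"user": {"id": 7}, "auth": {"access": "eyJhbGciOi.example.sig"}}


def select_token(response: dict, selector: str) -> str:
    """Walk a dotted TOKEN SELECTOR such as "auth.access" through the JSON body."""
    node = response
    for key in selector.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"token selector {selector!r} not found in response")
        node = node[key]
    if not isinstance(node, str) or not node:
        raise ValueError(f"token selector {selector!r} does not point at a string")
    return node


def place_token(token: str, field_name: str, prefix: str = "", location: str = "header") -> dict:
    """Build the header or cookie attached to each scanned request.
    Guards mirror step 8: no colon in FIELD NAME, trailing space in VALUE PREFIX."""
    if field_name.endswith(":"):
        raise ValueError("FIELD NAME must not include the ':' separator")
    if prefix and not prefix.endswith(" "):
        raise ValueError(f"VALUE PREFIX {prefix!r} needs a trailing space")
    value = prefix + token
    if location == "header":
        return {field_name: value}
    if location == "cookie":
        return {"Cookie": f"{field_name}={value}"}
    raise ValueError("PLACE TOKEN IN must be 'header' or 'cookie'")


def fetch_token(login_url: str, payload: dict, selector: str,
                media_type: str = "application/json") -> str:
    """Live equivalent of FETCH (step 4): POST the payload and select the token."""
    if media_type == "application/x-www-form-urlencoded":
        body = urllib.parse.urlencode(payload).encode()
    else:
        body = json.dumps(payload).encode()
    req = urllib.request.Request(login_url, data=body, method="POST",
                                 headers={"Content-Type": media_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return select_token(json.load(resp), selector)


if __name__ == "__main__":
    # Offline demo on the constructed response; use fetch_token(...) against your LOGIN URL instead.
    print(place_token(select_token(SAMPLE_LOGIN_RESPONSE, "auth.access"), "Authorization", "JWT "))
```

Running it against your real LOGIN URL before saving the Probely configuration confirms that the selector points at the token field and that the prefixed header is what the API expects.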

Authenticate with a fixed API key in a request parameter

In this scenario, you have a fixed API key that must be placed in a specific parameter.

To configure this option, proceed as follows:

  1. In the Probely app, go to the TARGETS tab and, in the line of the target to configure, click on the cogwheel to open the target settings.

  2. Click on the SCANNER tab, go to the API SCANNING SETTINGS section, and inside it, go to the API PARAMETER CUSTOM VALUES.

    Fill out the custom values as follows:

    1. Type the field name. For example, "token".

    2. Type the field value, which should be your API key.

    3. Click on ADD.

You can add multiple entries if your API key location varies. For example, if you use key for GETs and token for POSTs, add both fields with the same value. Probely will use the right one for each endpoint.
