If you have an OpenAPI schema for an API with authentication, Probely can be configured to run authenticated requests and scan the API endpoints.
After adding an API target to Probely, go to the settings of the API target and configure Probely's authentication for one of the following scenarios:
The following sections detail the authentication configuration for each scenario.
Authenticate with a fixed API key in the request header
In this scenario, you have a fixed API key that must be placed in the header of all requests.
This is the simplest scenario, as you only need to add a Custom Header with the appropriate header name, Authorization in this example, and its value.
Authenticate with an API token in the request header
In this scenario, you get an API token from an endpoint that authenticates you, for instance, with a pair of credentials, such as a username and a password.
This authentication pattern is common in APIs that back web applications: the user authenticates with a username and password, obtaining a token that is sent on all requests thereafter.
Go to the API Target Authentication section of the Authentication tab, and fill in the appropriate values:
Authentication Media Type: the content type of the payload sent to the authentication endpoint
Login URL: the authentication URL
Authentication Payload: the content sent to the Login URL; the request uses the POST method
Click Fetch to perform the authentication. The Token Field Name will then list the fields obtained in the authentication response; choose the field that contains the authentication token. If the authentication fails, an error is displayed.
Next, at Place Token In, choose where to place the token in the API requests. In most cases, the token is placed in a header; the other option is a cookie.
In Field Name, enter the name of the header or cookie that will hold the token.
Optionally, set a Value Prefix for the token value. This is often needed for JWTs. For instance, if your API requires you to send a header Authorization: JWT <token>, set the following values:
Field Name: Authorization (without the colon (:) separator)
Value Prefix: "JWT " (note the space at the end, so that the JWT and the token are properly separated)
Press Save.
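To make the Fetch / Token Field Name / Place Token In / Field Name / Value Prefix steps concrete, here is an added example (not Probely's code) that reproduces the same flow in Python: POST the payload to the Login URL, list the fields of the JSON response, pick the one holding the token, and build the header or cookie every later request must carry. The login endpoint, credentials, URL and token value are all constructed stand-ins; a fake transport function replaces the network so the script runs offline.

```python
import json
from typing import Callable, Dict, Tuple

Transport = Callable[[str, str, str], Tuple[int, str]]


def fake_login_endpoint(url: str, media_type: str, payload: str) -> Tuple[int, str]:
    """Constructed stand-in for a real authentication endpoint (assumption: JSON in, JSON out).

    Returns (HTTP status, response body) like a POST to the Login URL would.
    """
    if media_type != "application/json":
        return 415, json.dumps({"error": "unsupported media type"})
    creds = json.loads(payload)
    if creds.get("username") == "scanner" and creds.get("password") == "s3cret":
        # Constructed response: the token lives in the "access" field, next to other fields.
        return 200, json.dumps(
            {"user": "scanner", "access": "eyJhbGciOi.example.token", "expires_in": 3600}
        )
    return 401, json.dumps({"error": "invalid credentials"})


def fetch_token_fields(
    login_url: str, media_type: str, payload: str, transport: Transport = fake_login_endpoint
) -> Dict[str, object]:
    """The 'Fetch' step: POST the Authentication Payload and return the response fields.

    The keys of the returned dict are the candidate Token Field Names.
    Raises RuntimeError when the authentication fails, mirroring the error shown in the UI.
    """
    status, body = transport(login_url, media_type, payload)
    if status != 200:
        raise RuntimeError(f"authentication failed: HTTP {status}: {body}")
    data = json.loads(body)
    if not isinstance(data, dict):
        raise RuntimeError("authentication response is not a JSON object")
    return data


def build_auth_placement(
    token_fields: Dict[str, object],
    token_field_name: str,
    place_token_in: str,
    field_name: str,
    value_prefix: str = "",
) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers, cookies) that every subsequent scan request should carry.

    place_token_in is "header" or "cookie"; field_name is the header/cookie name without
    the ':' separator; value_prefix is prepended verbatim (so "JWT " must keep its space).
    """
    if token_field_name not in token_fields:
        raise KeyError(f"{token_field_name!r} is not a field of the authentication response")
    if ":" in field_name:
        raise ValueError("Field Name must not include the ':' separator")
    value = f"{value_prefix}{token_fields[token_field_name]}"
    if place_token_in == "header":
        return {field_name: value}, {}
    if place_token_in == "cookie":
        return {}, {field_name: value}
    raise ValueError("Place Token In must be 'header' or 'cookie'")


if __name__ == "__main__":
    fields = fetch_token_fields(
        "https://api.example.test/login",  # constructed Login URL
        "application/json",
        json.dumps({"username": "scanner", "password": "s3cret"}),
    )
    print("Token Field Name candidates:", sorted(fields))
    headers, cookies = build_auth_placement(fields, "access", "header", "Authorization", "JWT ")
    print("headers:", headers, "cookies:", cookies)
```

Running it prints the three candidate field names and a header of the form `Authorization: JWT <token>`; dropping the trailing space from the prefix would glue the scheme to the token, which is exactly the mistake the note about the space guards against.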
Authenticate with a fixed API key in a request parameter
In this scenario, you have a fixed API key that must be placed in a specific parameter.
In the API Scanning Settings section, add an API Parameter Custom Value with the parameter's name and the respective value. The value should be your API key.
You can add multiple entries if your API key location varies. For example, if you use key for GETs and token for POSTs, add both fields with the same value. Probely will use the right one for each endpoint.
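The "right one for each endpoint" is decided by the OpenAPI schema: a custom value applies wherever an operation declares a parameter or body field with that name. The following added example (not Probely's code) shows that matching against a constructed mini OpenAPI document with a GET that takes key as a query parameter, a POST that takes token in its JSON body, and a third endpoint that declares neither. It also lists the operations no custom value reaches, which is the check to run when a scan comes back mostly 401s. The spec, the paths and the placeholder key value are all constructed.

```python
from typing import Dict, List

# Constructed mini OpenAPI document (not a real API).
SPEC = {
    "paths": {
        "/items": {
            "get": {
                "parameters": [
                    {"name": "key", "in": "query", "required": True},
                    {"name": "limit", "in": "query"},
                ]
            },
            "post": {
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "type": "object",
                                "properties": {
                                    "token": {"type": "string"},
                                    "name": {"type": "string"},
                                },
                            }
                        }
                    }
                }
            },
        },
        "/health": {"get": {"parameters": []}},
    }
}

# Two API Parameter Custom Values with the same API key, as the text recommends.
CUSTOM_VALUES = {"key": "API_KEY_PLACEHOLDER", "token": "API_KEY_PLACEHOLDER"}


def endpoint_fields(spec: dict, path: str, method: str) -> Dict[str, str]:
    """Map each field an operation accepts to its location.

    Locations are the OpenAPI 'in' values (query, header, path, cookie) for parameters
    and "body" for top-level properties of an application/json request body.
    """
    op = spec["paths"][path][method]
    fields: Dict[str, str] = {}
    for param in op.get("parameters", []):
        fields[param["name"]] = param["in"]
    body = op.get("requestBody", {}).get("content", {}).get("application/json", {})
    for prop in body.get("schema", {}).get("properties", {}):
        fields[prop] = "body"
    return fields


def apply_custom_values(spec: dict, path: str, method: str, custom_values: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Place every configured custom value into the request part the operation declares for it."""
    placed: Dict[str, Dict[str, str]] = {loc: {} for loc in ("query", "header", "path", "cookie", "body")}
    for name, location in endpoint_fields(spec, path, method).items():
        if name in custom_values:
            placed[location][name] = custom_values[name]
    return placed


def unmatched_operations(spec: dict, custom_values: Dict[str, str]) -> List[str]:
    """List 'METHOD /path' operations that declare none of the configured custom-value names."""
    unmatched = []
    for path, methods in spec["paths"].items():
        for method in methods:
            if not set(endpoint_fields(spec, path, method)) & set(custom_values):
                unmatched.append(f"{method.upper()} {path}")
    return sorted(unmatched)


if __name__ == "__main__":
    print("GET /items ->", apply_custom_values(SPEC, "/items", "get", CUSTOM_VALUES))
    print("POST /items ->", apply_custom_values(SPEC, "/items", "post", CUSTOM_VALUES))
    print("no custom value applies to:", unmatched_operations(SPEC, CUSTOM_VALUES))
```

An operation listed by `unmatched_operations` will be scanned without the key; if it is not meant to be public, it needs a custom value under whatever name its schema actually declares, and if the schema omits the parameter altogether the schema, not the scanner configuration, is what to fix.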