How to authenticate to scan an API target (OpenAPI)

How to configure Probely to authenticate to scan endpoints of an API using an OpenAPI schema.

Written by Jaime Vasconcelos
Updated over a week ago

If you have an OpenAPI schema for an API with authentication, Probely can be configured to run authenticated requests and scan the API endpoints.

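After adding an API target to Probely, go to the settings of the API target and configure Probely's authentication for one of the following scenarios:

  • Authenticate with a fixed API key in the request header

  • Authenticate with an API token in the request header

  • Authenticate with a fixed API key in a request parameter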

The following sections detail the authentication configuration for each scenario.

Authenticate with a fixed API key in the request header

In this scenario, you have a fixed API key that must be placed in the header of all requests.

This is the simplest scenario, as you only need to add a Custom Header with the appropriate header name, Authorization in this example, and its value.

Authenticate with an API token in the request header

In this scenario, you get an API token from an endpoint that authenticates you, for instance, with a pair of credentials, such as a username and a password.

This authentication pattern is often found on APIs that support web applications: the user authenticates with a username and password and obtains a token that is used on all requests thereafter.

Go to the API Target Authentication section of the Authentication tab, and fill in the appropriate values:

  • Authentication Media Type: the content type of the payload/request to the authentication endpoint

  • Login URL: the authentication URL

  • Authentication Payload: the content to send to the Login URL; the request uses the POST method

Click Fetch to perform the authentication. Token Field Name then lists the fields obtained in the authentication response. Choose the field that contains the authentication token. If the authentication fails, an error is displayed.

Next, at Place Token In, choose where to place the token in the API requests. In most cases, the token is placed in a header. The other option is cookie.

In Field Name, enter the name of the header or cookie that will hold the token.

Optionally, set a Value Prefix for the token value. This is often needed for JWTs. For instance, if your API requires you to send a header Authorization: JWT <token>, set the following values:

  • Field Name: Authorization
    Without the colon (:) separator

  • Value Prefix: JWT
    Note the space at the end, so that the JWT prefix and the token are properly separated

Press Save.
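
To check these values before entering them, the following added example (not Probely's code) mirrors the steps above: it lists the token candidates in a login response and builds the header or cookie from Field Name and Value Prefix, rejecting a Field Name with a colon and a prefix that would run into the token. The function names, the sample response and its `access`/`refresh` field names are assumptions, as is a JSON login response.

```python
import json
import urllib.request

# Constructed sample of a login response; the field names are assumptions.
SAMPLE_RESPONSE = b'{"access": "eyJ.constructed.token", "refresh": "constructed-refresh", "expires_in": 3600}'

def parse_fields(body):
    """Return the top-level string fields of a JSON login response (token candidates)."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("login response is not a JSON object")
    return {k: v for k, v in data.items() if isinstance(v, str)}

def fetch_fields(login_url, media_type, payload):
    """POST the Authentication Payload to the Login URL and list the returned fields."""
    req = urllib.request.Request(login_url, data=payload.encode(), method="POST",
                                 headers={"Content-Type": media_type})
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError on a failed login
        return parse_fields(resp.read())

def place_token(token, place, field_name, value_prefix=""):
    """Build what each API request would carry, rejecting the mistakes noted above."""
    if not field_name.strip() or ":" in field_name:
        raise ValueError("Field Name is the bare name, without the colon separator")
    if value_prefix and value_prefix[-1].isalnum():
        raise ValueError("Value Prefix would run into the token; end it with a space")
    if any(c in "\r\n" for c in token + value_prefix):
        raise ValueError("line break in token or prefix")
    value = value_prefix + token
    if place == "header":
        return {field_name: value}
    if place == "cookie":
        return {"Cookie": f"{field_name}={value}"}
    raise ValueError("place must be 'header' or 'cookie'")

if __name__ == "__main__":
    fields = parse_fields(SAMPLE_RESPONSE)
    print("token field candidates:", sorted(fields))
    print(place_token(fields["access"], "header", "Authorization", "JWT "))
```

`fetch_fields` performs the real request against your own login endpoint; the other two functions run offline on the constructed sample.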

Authenticate with a fixed API key in a request parameter

In this scenario, you have a fixed API key that must be placed in a specific parameter.

In the API Scanning Settings section, add an API Parameter Custom Value, with the field's name and the respective value. The field value should be your API key.

You can add multiple entries if your API key location varies. For example, if you use key for GETs and token for POSTs, add both fields with the same value. Probely will use the right one for each endpoint.
