Getting Started

Authenticated API Scan

Modern APIs often protect endpoints behind authentication layers like tokens, cookies, or session-based logins. To effectively test these endpoints, ZeroThreat allows you to configure Authenticated API Scans.

Unlike Unauthenticated API Scans, which only target public endpoints, an authenticated scan allows ZeroThreat to interact with and test endpoints that require valid credentials or session tokens. This ensures your critical APIs are also covered in your security testing.

Before proceeding, it’s important to note that API Authentication is configured at the collection level. This means you’ll first need to create a Collection for your API target—where all your API definitions (endpoints) are managed. If your collection is already created, you’re ready to configure authentication and run your first authenticated API scan.

Step 1: Start a New Authenticated API Scan

  1. Go to the ZeroThreat Dashboard and select your API Target.
  2. Ensure an API Collection already exists for this target. If not, refer to the Creating a Collection guide.
  3. Click on “Start New Authenticated API Scan”. This will open the API Scan Configuration Drawer, where you’ll define how ZeroThreat should authenticate against your APIs.
Thumbnail

Step 2: Create an API Authentication Configuration

Inside the drawer:

  • Select API Collection Source: Choose the collection you want to configure authentication for.
Thumbnail

  • Enter a Name and Description:
    Give your configuration a meaningful name and a description to help identify it later (e.g., "Build v2.4.11 API Scan").

Step 3: Choose Your Authentication Method

ZeroThreat offers two API authentication methods:

Authentication TypePurpose
Custom HeadersFor static tokens, cookies or fixed header-based authentication.
Configure Authentication Request PayloadFor dynamic login flows where tokens are generated at runtime and may expire after certain time, making it essential to generate fresh login before each scan to ensure valid authentication.
Thumbnail

Option 1: Custom Headers

If your API uses static tokens or keys:

  • Go with custom headers approach and click on Add Custom headers.
  • Add one or more Header Name / Value pairs and click on Save.
Thumbnail

  • These headers will be sent with every API request during the scan.
    This is ideal for APIs that don’t require dynamic login but rely on a constant key or token.

Option 2: Configure Authentication Request Payload

For APIs that require a login flow:

  1. Go with Authentication Request Payload approach and click on Add Credentials.
  2. A new drawer will appear showing all available API endpoints from your collection.
Thumbnail

Here, select:

  • Login API: The endpoint used for user authentication, where the session starts and tokens are typically generated.
  • Authorized API: An endpoint that requires valid authentication, used by ZeroThreat to confirm that the login was successful.
  • Logout API (Optional): If your API includes a logout endpoint, select it here. If no logout API exists, you can select any placeholder endpoint to proceed.

Note: Skip the next step of Response Property Mapping if your Login API returns authentication token value in Response headers.

Response Property Mapping (Only Required When Token is in Response Body)

In some APIs, the authentication token (such as a Bearer token or session cookies) are returned inside the response body of the login API—rather than in the response headers. In these cases, ZeroThreat needs to know where exactly in the response body the token is located, so it can extract the value and automatically insert it as a header for all subsequent API requests during the scan.

You’ll do this by setting up a Response Property Mapping.

Example Scenario:

{
  "data": {
    "user": {
      "token": "abc123xyz"
    }
  }
}

For this example:

  • Header Name: Authorization
  • Response Property Path: data.user.token

ZeroThreat will parse the JSON body, locate the token at the specified path, and add it to the Authorization header for all future API requests in the scan.

Response Property Mapping is only required if your token is returned in the response body.
If your token is already provided in the response headers, ZeroThreat will automatically handle it—no mapping needed.

This mapping step ensures ZeroThreat can successfully authenticate on each API call by dynamically attaching the correct token.

Step 4: Save and Start the Scan

Once your authentication setup is complete:

  • Click “Save Configuration & Exit” if you want to save the config for later use.
  • Or choose “Save & Start Scan” to immediately launch the authenticated API scan.

You can monitor the scan progress from the Scans section and review detailed results in your Scan Report once the scan finishes.

Next Step? Learn how to Interpret Scan Results and analyze vulnerabilities found in your API endpoints in Scan Report guide.