Getting Started

Authenticated API Scan

Modern APIs often protect endpoints behind authentication layers like tokens, cookies, or session-based logins. To effectively test these endpoints, ZeroThreat allows you to configure Authenticated API Scans.

Unlike Unauthenticated API Scans, which only target public endpoints, an authenticated scan allows ZeroThreat to interact with and test endpoints that require valid credentials or session tokens. This ensures your critical APIs are also covered in your security testing.

Before proceeding, it’s important to note that API Authentication is configured at the collection level. This means you’ll first need to create a Collection for your API target—where all your API definitions (endpoints) are managed. If your collection is already created, you’re ready to configure authentication and run your first authenticated API scan.

Step 1: Start a New Authenticated API Scan

  1. Go to the ZeroThreat Dashboard and select your API Target.
  2. Ensure an API Collection already exists for this target. If not, refer to the Creating a Collection guide.
  3. Click on “Start New Authenticated API Scan”. This will open the API Scan Configuration Drawer, where you’ll define how ZeroThreat should authenticate against your APIs.

Step 2: Create an API Authentication Configuration

Inside the drawer:

  • Select API Collection Source: Choose the collection you want to configure authentication for.

  • Enter a Description: ZeroThreat generates the configuration name automatically, so give the configuration a meaningful description that you will recognise later (for example the environment and the account role it logs in as).

Step 3: Choose Your Authentication Method

ZeroThreat offers three API authentication methods:

  • Custom Headers: For static tokens, cookies or fixed header-based authentication.
  • Configure Authentication Request Payload: For dynamic login flows where tokens are generated at runtime and may expire after a certain time, so a fresh login must be performed before each scan to ensure valid authentication (pair with Refresh Token if tokens are short-lived).
  • Third-Party Login Request: For apps that obtain tokens from a third-party API (OAuth 2.0 and others). Configure the token endpoint, request body, and optional headers so ZeroThreat fetches an access token at scan start; no login endpoint from your API collection is required (pair with Refresh Token if tokens are short-lived).

Option 1: Custom Headers

If your API uses static tokens or keys:

  • Choose the Custom Headers approach and click Add Custom Headers.
  • Add one or more Header Name / Value pairs and click Save.

  • These headers will be sent with every API request during the scan.
This is ideal for APIs that don’t require a dynamic login but rely on a constant key or token. Use a credential issued for the account and role you intend to test, because every scanned request will run with its permissions.

Option 2: Configure Authentication Request Payload

For APIs that require a login flow:

  1. Choose the Authentication Request Payload approach and click Add Credentials.
  2. A new drawer appears listing all API endpoints in your collection.

Here, select:

  • Login API: The endpoint that authenticates the user, starting the session and typically returning the token. If the login request in your collection has no values in its JSON body, the dropdown expands and you must fill in the values required to log in (for example username and password); once they are filled in, you can select the login endpoint.
  • Logout API: If your API includes a logout endpoint, select it here. If no logout API exists, select a placeholder endpoint to proceed; prefer a read-only endpoint with no side effects, since it will be called in place of a real logout.

Note: Skip the next step, Response Property Mapping, if your Login API returns the authentication token in the response headers.

Response Property Mapping (Only Required When Token is in Response Body)

In some APIs the authentication token (a Bearer token, a session cookie value, etc.) is returned in the response body of the login API rather than in the response headers. In that case ZeroThreat needs to know exactly where in the response body the token is located, so it can extract the value and automatically insert it as a header on every subsequent API request during the scan.

You’ll do this by setting up a Response Property Mapping.

Example Scenario:

{
  "data": {
    "user": {
      "token": "abc123xyz"
    }
  }
}

For this example:

  • Header Name: Authorization
  • Response Property Path: data.user.token

ZeroThreat will parse the JSON body, locate the token at the specified path, and add it to the Authorization header on every subsequent API request in the scan. If your API expects a scheme prefix, configure it so the header reads Authorization: Bearer abc123xyz rather than the bare token value.

Response Property Mapping is only required if your token is returned in the response body.
If your token is already provided in the response headers, ZeroThreat will automatically handle it—no mapping needed.

This mapping step ensures ZeroThreat can successfully authenticate on each API call by dynamically attaching the correct token.

Option 3: Add Third Party Login Request

Use this method of authentication when your application relies on an external identity provider (OAuth 2.0 or another third-party API) to issue access tokens. Instead of picking a login endpoint from your API collection, you define the token request here. ZeroThreat will run this request before the scan, capture the access token, and attach it to all subsequent API calls.

Configure a Third-Party Login Request

  1. Click Add Third-Party Login Request in the Authenticated API Scan configuration.

  2. Fill in the basic request details:
  • HTTP Method: Usually POST.
  • URL: Your third-party token endpoint (e.g., https://zerothreat.example.com/oauth/token).
  • Content type: As required by the endpoint (OAuth 2.0 token endpoints typically expect application/x-www-form-urlencoded).

  3. Configure Payload: Request Body. Add the fields your token endpoint expects. Common examples include login, password, auth_type, grant_type, client_id, scope, and code.

  4. Configure Payload: Request Header (optional). Add any additional headers your token endpoint requires, e.g., Referer, Host, Accept, Content-Type or any other required header.

  5. Configure Payload: Response Property Mapping with Header (optional). This step is only required if the token endpoint returns the generated token in the response body; if it is returned in a response header, skip this step. Otherwise, map the response body field that holds the token to the request header that all subsequent API calls must carry. See the Response Property Mapping section above for details.

As in the Response Property Mapping example above, ZeroThreat takes the value at data.user.token and binds it, with the configured prefix, to the Authorization header of every subsequent API call, so the authenticated scan runs with a freshly generated token.

  6. Click Save to finalize the login setup. ZeroThreat executes this request at the start of each scan that uses this configuration and attaches the resulting token automatically.
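The following is an added example and not ZeroThreat's own code. It models what Option 2 (login endpoint plus Response Property Mapping) and Option 3 (third-party token request) both rely on: take a login or token response, pull the token either from a response header or from a dotted body path such as data.user.token (array indices like data.sessions[0].token are also handled, which goes a little beyond the page's single example), then attach it as the configured header on every subsequent request. The response bodies, header names and request shapes are constructed for illustration; the endpoint URLs are hypothetical.

```python
"""Added example (not ZeroThreat's code): token extraction and header binding
for an authenticated API scan.  All sample responses below are constructed."""
import json
import re
from typing import Any, Dict, Mapping, Optional

# Constructed login response modelled on the page's data.user.token example.
LOGIN_BODY_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "application/json"},
    "body": json.dumps({"data": {"user": {"token": "abc123xyz"},
                                 "sessions": [{"token": "first"}]}}),
}
# Constructed response where the token comes back in a header (no mapping needed).
LOGIN_HEADER_RESPONSE = {
    "status": 200,
    "headers": {"X-Auth-Token": "hdr-token-789", "Content-Type": "application/json"},
    "body": json.dumps({"data": {"user": {"id": 42}}}),
}
# Constructed third-party (OAuth 2.0 style) token endpoint response.
OAUTH_TOKEN_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "application/json"},
    "body": json.dumps({"access_token": "eyJ.oauth.token", "token_type": "Bearer",
                        "expires_in": 3600, "refresh_token": "rt-1"}),
}

_SEGMENT = re.compile(r"^([^\[\]]+)((?:\[\d+\])*)$")


def resolve_path(doc: Any, path: str) -> Any:
    """Walk a dotted response-property path (e.g. data.user.token or
    data.sessions[0].token) through parsed JSON.  A missing key or index raises
    KeyError naming the segment, so a misconfigured mapping fails loudly instead
    of silently sending an empty Authorization header."""
    node = doc
    for raw in path.split("."):
        m = _SEGMENT.match(raw)
        if not m:
            raise KeyError(f"malformed path segment {raw!r} in {path!r}")
        key, indexes = m.group(1), re.findall(r"\[(\d+)\]", m.group(2))
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"{key!r} not found while resolving {path!r}")
        node = node[key]
        for idx in indexes:
            if not isinstance(node, list) or int(idx) >= len(node):
                raise KeyError(f"index [{idx}] out of range while resolving {path!r}")
            node = node[int(idx)]
    return node


def extract_token(response: Mapping[str, Any], *, header: Optional[str] = None,
                  body_path: Optional[str] = None) -> str:
    """Pull the token out of a login/token response.  Give exactly one of
    `header` (token in a response header) or `body_path` (Response Property
    Mapping for a token in the body)."""
    if (header is None) == (body_path is None):
        raise ValueError("specify either a response header or a body path")
    if header is not None:
        # Header names are case-insensitive (RFC 9110), so normalise before lookup.
        lowered = {k.lower(): v for k, v in response["headers"].items()}
        if header.lower() not in lowered:
            raise KeyError(f"response header {header!r} missing from login response")
        return lowered[header.lower()]
    value = resolve_path(json.loads(response["body"]), body_path)
    if not isinstance(value, str) or not value:
        raise ValueError(f"value at {body_path!r} is not a non-empty string: {value!r}")
    return value


def build_auth_header(token: str, header_name: str = "Authorization",
                      prefix: str = "Bearer ") -> Dict[str, str]:
    """The header attached to every scanned request.  `prefix` is the scheme
    your API expects; pass "" for raw API keys sent in a custom header."""
    return {header_name: f"{prefix}{token}"}


def with_auth(request: Dict[str, Any], auth_header: Mapping[str, str]) -> Dict[str, Any]:
    """Copy of a request with the auth header applied.  The freshly obtained
    header overrides any stale token baked into the collection definition."""
    merged = dict(request.get("headers", {}))
    merged.update(auth_header)
    return {**request, "headers": merged}


if __name__ == "__main__":
    tok = extract_token(LOGIN_BODY_RESPONSE, body_path="data.user.token")
    # Hypothetical endpoint path; shows the header every scanned call would carry.
    print(with_auth({"method": "GET", "url": "/api/v1/orders"}, build_auth_header(tok)))
```

The failure modes matter for scanning: a wrong path or missing header raises immediately, which is preferable to a scan that quietly runs unauthenticated and reports every protected endpoint as reachable only with a 401.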

Refresh Token

Some APIs issue short-lived access tokens (e.g., JWTs) and expect clients to refresh them before they expire. Use this when your token has a TTL: ZeroThreat calls your refresh endpoint on a schedule, presents the existing refresh token (or the current session token, for non-OAuth schemes) to obtain a new access token, and keeps scanning without interruption. This pattern is common in OAuth 2.0 (the refresh_token grant) and similar rotating-token schemes.

Note: This configuration is optional; configure it only if your API's access tokens are short-lived (expire after a short time). Without it, requests made after the token expires are rejected by your API, so the remainder of the scan no longer exercises the endpoints as an authenticated user.
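To show what the refresh schedule above has to get right, here is an added example that is not ZeroThreat's code: a scan session that reads the exp claim of its JWT, refreshes a safety margin before expiry, and talks to a constructed token issuer that rotates the refresh token on every use, so a refresh token captured from an earlier exchange cannot be replayed. The issuer, its HS256 secret, the clock values and the token contents are all constructed for illustration; the client deliberately does not verify the JWT signature, because only the resource server needs to, and the client reads exp purely to plan the refresh.

```python
"""Added example (not ZeroThreat's code): scheduled refresh of a short-lived
JWT against a constructed issuer with refresh-token rotation."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

SECRET = b"constructed-issuer-secret"  # illustration only, never a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_exp(token: str) -> Optional[int]:
    """Read the exp claim without verifying the signature; None if absent."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(_b64url_decode(parts[1])).get("exp")


def needs_refresh(token: str, now: float, skew: int = 60) -> bool:
    """Refresh `skew` seconds early so in-flight requests never race the expiry.
    A token with no readable exp is treated as expired."""
    exp = jwt_exp(token)
    return exp is None or now >= exp - skew


@dataclass
class Issuer:
    """Constructed token endpoint.  Every refresh invalidates the presented
    refresh token and issues a new one (refresh-token rotation, as recommended
    by the OAuth 2.0 Security Best Current Practice)."""
    ttl: int = 300
    valid_refresh: set = field(default_factory=set)
    counter: int = 0

    def _issue(self, now: float) -> Dict[str, object]:
        self.counter += 1
        rt = f"rt-{self.counter}"
        self.valid_refresh.add(rt)
        return {"access_token": make_jwt({"sub": "scanner", "exp": int(now) + self.ttl}),
                "token_type": "Bearer", "expires_in": self.ttl, "refresh_token": rt}

    def login(self, now: float) -> Dict[str, object]:
        return self._issue(now)

    def refresh(self, refresh_token: str, now: float) -> Dict[str, object]:
        # grant_type=refresh_token: reject replay of a rotated-out token.
        if refresh_token not in self.valid_refresh:
            raise PermissionError("invalid or already-used refresh_token")
        self.valid_refresh.discard(refresh_token)
        return self._issue(now)


@dataclass
class ScanSession:
    """Holds the scanner's current tokens; auth_header() is called per request."""
    issuer: Issuer
    access_token: str = ""
    refresh_token: str = ""
    refreshes: int = 0

    def start(self, now: float) -> None:
        self._apply(self.issuer.login(now))

    def _apply(self, resp: Dict[str, object]) -> None:
        self.access_token = str(resp["access_token"])
        self.refresh_token = str(resp["refresh_token"])

    def auth_header(self, now: float) -> Dict[str, str]:
        """Refresh first if the token is about to expire, then return the header."""
        if needs_refresh(self.access_token, now):
            self._apply(self.issuer.refresh(self.refresh_token, now))
            self.refreshes += 1
        return {"Authorization": f"Bearer {self.access_token}"}


if __name__ == "__main__":
    session = ScanSession(Issuer(ttl=300))
    session.start(1_700_000_000)
    print(session.auth_header(1_700_000_250), "refreshes:", session.refreshes)
```

The skew is the practical knob: it must exceed the longest request the scan will make, otherwise a request can be sent with a token that expires before the server evaluates it.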

Step 4: Save and Start the Scan

Once your authentication setup is complete:

  • Click “Save Configuration & Exit” if you want to save the config for later use.
  • Or choose “Save & Start Scan” to immediately launch the authenticated API scan.

You can monitor the scan progress from the Scans section and review detailed results in your Scan Report once the scan finishes.

Next step: learn how to interpret scan results and analyze the vulnerabilities found in your API endpoints in the Scan Report guide.