Skip to main content

API Authentication

Proofarc supports 5 authentication types for API testing. Auth is configured once per scenario and applied automatically to every step.

Bearer Token (Login Endpoint)

The most common type. Proofarc calls your login endpoint, extracts the token, and applies it to all subsequent requests.

"authConfig": {
"authType": "BEARER",
"tokenSource": "LOGIN_ENDPOINT",
"loginEndpoint": "/auth/login",
"tokenJsonPath": "$.accessToken",
"credentials": {
"username": "your-user",
"password": "your-password"
}
}
FieldDescription
loginEndpointPath appended to baseUrl to get the token
tokenJsonPathJSONPath to extract token from login response
credentialsUsername/password sent in the login body

OAuth2 Client Credentials

For APIs using OAuth2. Proofarc calls the token endpoint with client credentials.

"authConfig": {
"authType": "OAUTH2_CLIENT",
"tokenUrl": "https://auth.example.com/oauth/token",
"clientId": "your-client-id",
"clientSecret": "your-secret",
"scope": "read:users write:users"
}

Static Bearer Token

For CI/CD pipelines or service accounts with pre-generated tokens.

"authConfig": {
"authType": "BEARER",
"tokenSource": "STATIC",
"bearerToken": "your-pre-generated-token"
}

Basic Auth

HTTP Basic Authentication — username and password encoded in the header.

"authConfig": {
"authType": "BASIC",
"username": "your-user",
"password": "your-password"
}

API Key

API key sent in a header or query parameter.

"authConfig": {
"authType": "API_KEY",
"apiKeyLocation": "HEADER",
"apiKeyName": "X-API-Key",
"apiKeyValue": "your-api-key"
}

apiKeyLocation can be HEADER or QUERY.

Auth Per Environment

When running the same scenario against different environments, auth can be configured per environment target. The scenario uses the environment's auth configuration automatically.

Authenticated Apps: Wiring a Usable Auth Source

When a scenario's application is marked authRequirement=AUTHENTICATED, the platform refuses to execute unless a usable auth source is configured — otherwise the run would 403 on the first protected step. The refusal is an explicit HTTP 400 at execute time with an actionable message (not a silent failure).

A credential alone is not always enough — it must be applicable:

Credential kindUsable on its own?What else is needed
Static bearer token✅ Yesnothing — applied as Authorization: Bearer …
API key (apiKeyName + apiKeyValue)✅ Yesnothing — applied as the configured header
username / password❌ Noa login endpoint to exchange them for a token
OAuth2 clientId / clientSecret❌ Noa token endpoint

So there are three ways to satisfy the gate:

  1. Environment credential + credential_tag. A static-token or API-key credential works immediately. For username/password, also configure the environment login endpoint:

    add_environment_credential(environment=<env>, tag="admin", username="admin", password="…")
    set_environment_auth_endpoint(environment=<env>, login_endpoint="/auth/login", token_json_path="$.accessToken")
    execute_scenario(scenario=<id>, credential_tag="admin") → COMPLETED
  2. Per-target auth via set_target_auth — the target carries its own login config (no env reconfiguration):

    set_target_auth(target=<id>, auth_config={
    "authType": "LOGIN_ENDPOINT", "credentialTag": "admin",
    "loginUrl": "/auth/login", "tokenJsonPath": "$.accessToken"
    })
  3. Public-only run. If this execution only hits public endpoints (e.g. a health check), bypass the gate explicitly:

    execute_scenario(scenario=<id>, allow_unauthenticated=true)

If you pass a username/password credential with no login flow anywhere, you get a clear 400:

credential 'admin' resolves to an active credential but it is username/password only and there is NO login flow — use set_environment_auth_endpoint, or a credential that carries a static token or API key.

Shared With Security Scanners

Auth configured on an environment target is shared across the entire platform:

  • API scenarios — auth header applied to every step
  • Performance tests — each virtual user authenticates independently
  • Security scans — ZAP, Nikto, Nuclei, SQLMap all use the same auth

Configure auth once on your target, and every test type uses it automatically. See Authenticated Scanning for details.

Testing Auth

After configuring auth, the first step of your scenario will include the auth header automatically. You don't need to add Authorization headers manually to each step.