
How to set target authentication: OpenAPI

Learn how to configure Snyk API & Web to authenticate and scan an API using an OpenAPI schema.

Written by Ana Pascoal

If you have an OpenAPI schema for an API with authentication, Snyk API & Web can be configured to run authenticated requests and scan the API endpoints.

After adding an API target, go to its settings and configure authentication. Possible scenarios:

  1. Authenticate with an API token in the request header.

  2. Authenticate with a static header/cookie.

  3. Authenticate with a fixed API key in a request parameter.

The following sections detail the authentication configuration for each scenario.

Authenticate with an API token in the request header

In this scenario, you get an API token from an endpoint that authenticates you, for instance, with a pair of credentials, such as a username and a password.

This authentication pattern is common in APIs that back web applications: the user authenticates with a username and password and obtains a token that is then sent on every subsequent request.

To configure this option, proceed as follows:

  1. In the Snyk API & Web app, go to the Targets menu and select the cogwheel to open the target settings.

  2. On the Authentication tab, locate the API TARGET AUTHENTICATION module.

Fill out the form as follows:

  1. Select the AUTHENTICATION MEDIA TYPE of the payload/request to the authentication endpoint. For OpenAPI, you can select two different media types:

    1. application/json: key-value pairs in a JSON object.

    2. application/x-www-form-urlencoded: key-value pairs separated by ampersands, for example username=admin&password=pass123.

  2. Type the authentication URL in the LOGIN URL field.

  3. In the AUTHENTICATION PAYLOAD, type the authentication content to send in the payload of the POST request to the LOGIN URL.

  4. Select Fetch to authenticate. On success, the TOKEN SELECTOR is filled with the list of fields found in the authentication response; if authentication fails, an error is displayed.

  5. In the TOKEN SELECTOR, choose the field that contains the authentication token.

  6. In the PLACE TOKEN IN, choose where to place the token in the API requests.
    In most cases, the token is placed in a header; the other option is a cookie.

  7. In the FIELD NAME, enter the name of the field in the header or cookie that will hold the token.

  8. Optionally, set a VALUE PREFIX for the token value.
    This is often needed for JWTs. For instance, if your API requires a header such as Authorization: JWT <token>, set the following values:

    1. FIELD NAME: Authorization

    2. VALUE PREFIX: JWT

  9. Select Save and ensure the authentication toggle is set to On.
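As an added example (not Snyk's code), the following Python dry run mirrors the form fields from steps 1 to 8 so you can check a LOGIN URL payload, a TOKEN SELECTOR and a VALUE PREFIX against a captured login response before saving them in the scanner. The login URL, credentials and response body are constructed placeholders, and the dotted-path selector syntax (for example data.access_token) is this example's own convention, not necessarily the scanner's.

```python
import json
from urllib.parse import urlencode

# Added example, not Snyk's code: dry-run the API TARGET AUTHENTICATION fields locally.

def build_login_request(media_type, login_url, payload):
    """Return (url, headers, body) for the POST the scanner sends to the LOGIN URL."""
    if media_type == "application/json":
        body = json.dumps(payload)
    elif media_type == "application/x-www-form-urlencoded":
        body = urlencode(payload)          # e.g. username=admin&password=pass123
    else:
        raise ValueError(f"unsupported AUTHENTICATION MEDIA TYPE: {media_type}")
    return login_url, {"Content-Type": media_type}, body

def candidate_selectors(node, prefix=""):
    """Dotted paths of every string field in the login response (the TOKEN SELECTOR list)."""
    paths = []
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            paths.extend(candidate_selectors(value, path))
        elif isinstance(value, str):
            paths.append(path)
    return paths

def select_token(response_json, selector):
    """Resolve a dotted TOKEN SELECTOR such as 'data.access_token' (example convention)."""
    node = response_json
    for key in selector.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"TOKEN SELECTOR {selector!r} not found in response")
        node = node[key]
    if not isinstance(node, str) or not node:
        raise ValueError(f"TOKEN SELECTOR {selector!r} is not a non-empty string")
    return node

def place_token(token, place_in, field_name, value_prefix=""):
    """Build the header or cookie (PLACE TOKEN IN, FIELD NAME, VALUE PREFIX) added to each request."""
    value = f"{value_prefix} {token}" if value_prefix else token
    if place_in == "header":
        return {"headers": {field_name: value}}
    if place_in == "cookie":
        return {"cookies": {field_name: value}}
    raise ValueError(f"unsupported PLACE TOKEN IN: {place_in}")

# Constructed sample login response (not from a real API) to exercise the functions above.
SAMPLE_LOGIN_RESPONSE = {"user": {"id": 42, "name": "admin"},
                         "data": {"access_token": "eyJhbGciOi.constructed.token"}}
```

Run the selector check against a real captured response from your own login endpoint; if candidate_selectors() does not list the token field, the scanner's Fetch step will not find it either.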

Authenticate with a static header/cookie

In this scenario, you have a static header/cookie that must be present in all requests.

This is the simplest scenario, as you only need to add a Custom Header/Cookie with the appropriate header name and its value.

To configure this option, proceed as follows:

  1. In the Snyk API & Web app, go to the Targets menu and select the cogwheel of the row whose target you want to configure.

  2. On the Authentication tab, locate the API TARGET AUTHENTICATION module and select the Static headers/cookies option. Configure a Custom header/cookie name and a Custom header/cookie value, and select Add.

When you’re done, don’t forget to select Save and ensure the authentication toggle is set to On.

For the two scenarios described above, you can turn API Target Authentication on/off at any time with the Off/On toggle button or delete the configuration using the Delete button.

Authenticate with a fixed API key in a request parameter

In this scenario, you have a fixed API key that must be placed in a specific parameter.

To configure this option, proceed as follows:

  1. In the Snyk API & Web app, go to the Targets menu and select the cogwheel to open the target settings.

  2. Select the Scanner tab, locate the API SCANNING SETTINGS module, and inside it, go to the API Parameter Custom Values.

    Fill out the custom values as follows:

    1. Type the field name. For example, "token".

    2. Type the field value, which should be your API key.

    3. Select Add.

You can add multiple entries if the parameter holding your API key varies between endpoints. For example, if you use "key" for GET requests and "token" for POST requests, add both fields with the same value; Snyk API & Web will use the right one for each endpoint.
