Configuration
Configure authentication, scheduling, and rate limiting for API Scanning.
Authentication
Configuring authentication is essential for testing protected endpoints. Without valid credentials, the scanner can only reach unauthenticated parts of your API.
Supported Authentication Methods
| Method | How to configure |
|---|---|
| OAuth 2.0 | Provide the token endpoint URL, client ID, client secret, and required scopes. The scanner automatically obtains and refreshes tokens during the scan. |
| Basic Auth | Provide a username and password. The scanner sends these as a Base64-encoded Authorization header. |
| API Key | Provide the header name (for example, X-API-Key or Authorization) and the key value. The scanner includes this header in every request. |
Authentication Tips
- Use credentials with sufficient permissions to access all endpoints you want tested. A read-only API key will miss vulnerabilities in write operations. Keep in mind that if the credentials have rights to create data, the scanner may create data while fuzzing the API.
- If your API uses short-lived tokens, configure OAuth 2.0 so the scanner can refresh tokens automatically.
- Test your credentials manually before starting a scan to confirm they work as expected.
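As an added illustration of the three methods above (not the product's own code): Basic Auth becomes a Base64-encoded Authorization header, an API key is sent under the configured header name, and the OAuth 2.0 client-credentials flow caches the token and re-requests it shortly before it expires. The token endpoint call is injected as a function so the example runs offline; the endpoint URL, client ID and scopes used in the usage call are constructed placeholders.

```python
import base64
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """Basic Auth: 'user:password', Base64-encoded, in the Authorization header."""
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def api_key_header(header_name: str, key: str) -> Dict[str, str]:
    """API key: the configured header name (e.g. X-API-Key) carrying the key value."""
    return {header_name: key}


@dataclass
class OAuth2ClientCredentials:
    """OAuth 2.0 client-credentials flow that refreshes the token before expiry."""
    token_url: str
    client_id: str
    client_secret: str
    scopes: str
    # fetch(token_url, form_fields) -> token response; injected so tests run offline.
    # A real implementation POSTs these fields to the token endpoint.
    fetch: Callable[[str, Dict[str, str]], Dict[str, object]]
    clock: Callable[[], float] = time.time
    refresh_margin: float = 30.0  # re-request this many seconds before expiry
    _token: str = field(default="", init=False)
    _expires_at: float = field(default=0.0, init=False)
    fetches: int = field(default=0, init=False)  # how many token requests were made

    def header(self) -> Dict[str, str]:
        """Return a Bearer header, obtaining or refreshing the token when needed."""
        if not self._token or self.clock() >= self._expires_at - self.refresh_margin:
            resp = self.fetch(self.token_url, {
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "scope": self.scopes,
            })
            self._token = str(resp["access_token"])
            self._expires_at = self.clock() + float(resp.get("expires_in", 3600))
            self.fetches += 1
        return {"Authorization": f"Bearer {self._token}"}
```

Sending each header against a protected endpoint by hand, as the tip above recommends, is the quickest way to confirm the credentials work before a scan starts.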
Scheduling
You can run API scans on demand or schedule them to run automatically.
On-Demand Scans
Click Start Scan on any scan profile to run an immediate scan. This is useful for one-time assessments or testing after a specific deployment.
Scheduled Scans
To enable scheduled scanning:
- Open the scan profile you want to schedule.
- Toggle Scheduled Scanning on.
Scheduled scans run automatically every 3 days and benefit from payload rotation, where each run tests different payload variations, expanding coverage over time.
Rate Limiting
Rate limiting controls how many requests per second the scanner sends to your API. You configure the rate limit when creating a scan profile or by editing an existing profile.
Setting the rate limit too low extends scan duration. Setting it too high may affect your API’s performance or trigger defensive measures.
Scan Duration
Scan duration depends on several factors:
| Factor | Impact |
|---|---|
| Number of endpoints | More endpoints means more payloads to send |
| Rate limiting | Lower limits extend scan time |
| API response time | Slow APIs take longer to scan |
| Payload depth | More thorough testing takes more time |
Typical scans complete in 5 to 30+ minutes. Large APIs with hundreds of endpoints and strict rate limits may take longer.
Scan Scope
By default, every endpoint in your OpenAPI spec is included in the scan. You can narrow the scope by:
- Excluding specific paths or operations
- Limiting the scan to specific HTTP methods
- Focusing on endpoints that have changed since the last scan