In addition to the baseline, always-on API scanning, Data Theorem can scan restful APIs requiring authenticationperform authenticated scans against APIs.
To enable this capability, you need to provide Data Theorem with authentication credentials that will be used to perform more in-depth authenticated scans of you APIs. The guide below describes how to send API credentials to Data Theorem.toc
Sending
...
API Credentials to Data Theorem
To enable authenticated scans for an API:
Create a dedicated Data Theorem user or API key that can authenticate to the API to scan.
Data Theorem recommends following the least privilege security principle when creating API credentials; consider granting it read-only access to the areas necessary for Data Theorem to perform API scans.
Create CURL command(s) to test the credentials, by calling one of the API endpoints and verifying that it returned a successful response.
Email to support@datatheorem.com the following information:
Name and URL to the API.
Type of authentication flow, as described in the next section.
CURL command(s) that can be used to complete an authenticated request. The commands should contain the API credentials that Data Theorem will use.
Supported API Authentication Types
Data Theorem currently supports 4 types of authentication for API scans:
...
Please contact support@datatheorem.com if your authentication mechanism is not one of the above types.
Authenticating via Authorization Header
API requests are authenticated by passing a token within the Authorization
header. For example:
curl "https://example.com?id=123" -H "Authorization: Bearer 123456
Authenticating via Query Parameter
API requests are authenticated by passing a token within a query parameter. For example:
curl "https://example.com?apikey=123456"
Authenticating via OAuth Client Credential Flow
API requests are authenticated by:
...
OAuth flow and token creation:
curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=123456&grant_type=client_credentials'
API call using the received OAuth token:
curl "https://example.com?id=123" -H "Authorization: Bearer 123456
Authenticating via Custom Authentication Flow
Data Theorem supports custom authentication flows that happen in two steps:
Sending a request to create an authentication token.
Supplying the authentication token when making API calls.
Please provide sample CURL commands demonstrating your custom authentication flow using. For example:
Token creation:
curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=12345&grant_type=client_credentials'
API call using received the generated token:
curl "https://example.com?id=123" -H "Authorization: Bearer 67890
...