In addition to the baseline, always-on API scanning, Data Theorem can perform authenticated scans against APIs.

To enable this capability, you need to provide Data Theorem with authentication credentials that will be used to perform more in-depth, authenticated scans of your APIs. The guide below describes how to send API credentials to Data Theorem.

Sending

...

API Credentials to Data Theorem

To enable authenticated scans for an API:

  1. Create a dedicated Data Theorem user or API key that can authenticate to the API to scan.

    1. Data Theorem recommends following the least privilege security principle when creating API credentials; consider granting it read-only access to the areas necessary for Data Theorem to perform API scans.

  2. Create CURL command(s) to test the credentials, by calling one of the API endpoints and verifying that it returned a successful response.

  3. Email to support@datatheorem.com the following information:

    1. Name and URL to the API.

    2. Type of authentication flow, as described in the next section.

    3. CURL command(s) that can be used to complete an authenticated request. The commands should contain the API credentials that Data Theorem will use.

Supported API Authentication Types

Data Theorem currently supports 4 types of authentication for API scans:

...

Please contact support@datatheorem.com if your authentication mechanism is not one of the above types.

Authenticating via Authorization Header

API requests are authenticated by passing a token within the Authorization header. For example:

curl "https://example.com?id=123" -H "Authorization: Bearer 123456"

Authenticating via Query Parameter

API requests are authenticated by passing a token within a query parameter. For example:

curl "https://example.com?apikey=123456"

Authenticating via OAuth Client Credential Flow

API requests are authenticated by:

...

  1. OAuth flow and token creation:
    curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=123456&grant_type=client_credentials'

  2. API call using the received OAuth token:
    curl "https://example.com?id=123" -H "Authorization: Bearer 123456"

Authenticating via Custom Authentication Flow

Data Theorem supports custom authentication flows that happen in two steps:

  1. Sending a request to create an authentication token.

  2. Supplying the authentication token when making API calls.

Please provide sample CURL commands demonstrating your custom authentication flow. For example:

  1. Token creation:
    curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=12345&grant_type=client_credentials'

  2. API call using the generated token:
    curl "https://example.com?id=123" -H "Authorization: Bearer 67890"
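The two-step flow above, as an added Python example that is not part of Data Theorem's documentation or tooling: it performs the token request, then the bearer-authenticated API call, checks both responses, and keeps the secret out of error messages. The token endpoint, API URL and form fields are taken from the page's sample curl commands; the `access_token` JSON field and the offline `fake_transport` are assumptions constructed for this example.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://example.com/login"  # token endpoint from the page's sample command
API_URL = "https://example.com?id=123"   # API endpoint from the page's sample command

def http_transport(req):
    """Live transport returning (status, body); swap in fake_transport to run offline."""
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()

def create_token(client_id, client_secret, transport=http_transport):
    """Step 1: client-credentials POST, mirroring the page's curl -X POST to /login."""
    form = {"id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials"}
    req = Request(TOKEN_URL, data=urlencode(form).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    status, body = transport(req)
    if status != 200:
        # Report only the status: the request body holds the secret and is never echoed.
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    token = json.loads(body).get("access_token")  # assumed field name, not on the page
    if not token:
        raise RuntimeError("token response did not contain access_token")
    return token

def call_api(token, transport=http_transport):
    """Step 2: the authenticated request, token sent as Authorization: Bearer."""
    return transport(Request(API_URL, headers={"Authorization": f"Bearer {token}"}))

def verify_credentials(client_id, client_secret, transport=http_transport):
    """Run both steps; True only if the authenticated API call returns 2xx."""
    status, _ = call_api(create_token(client_id, client_secret, transport), transport)
    return 200 <= status < 300

def fake_transport(req):
    """Constructed stand-in for both endpoints so the flow can be exercised offline."""
    if req.get_method() == "POST" and b"grant_type=client_credentials" in req.data:
        return 200, b'{"access_token": "67890"}'
    if req.get_header("Authorization") == "Bearer 67890":
        return 200, b'{"id": 123}'
    return 401, b'{"error": "unauthorized"}'

if __name__ == "__main__":
    print("credentials valid:", verify_credentials("123", "12345", fake_transport))
```

Replace `fake_transport` with the default `http_transport` to exercise the real endpoints; a `False` result or a raised error at step 1 is what to look for before emailing the commands.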

...