Data Theorem can scan restful APIs requiring authentication.
To enable this capability, you need to provide Data Theorem with authentication credentials that will be used to perform more in-depth scans of your APIs.
The guide below describes how to send API credentials to Data Theorem.
Sending API Credentials to Data Theorem
To enable authenticated scans for an API:
Create a dedicated Data Theorem user or API key that can authenticate to the API to scan.
Data Theorem recommends following the least privilege security principle when creating API credentials; consider granting it read-only access to the areas necessary for Data Theorem to perform API scans.
Create CURL command(s) to test the credentials by calling one of the API endpoints and verifying that it returns a successful response.
Email to support@datatheorem.com the following information:
Name and URL to the API.
Type of authentication flow, as described in the next section.
CURL command(s) that can be used to complete an authenticated request. The commands should contain the API credentials that Data Theorem will use.
Supported API Authentication Types
Data Theorem currently supports 4 types of authentication for API scans:
Supplying a token via the Authorization header.
Supplying a token via a GET query parameter.
Authenticating via a Client Credential OAuth flow.
Authenticating via a custom authentication flow.
Please contact support@datatheorem.com if your authentication mechanism is not one of the above types.
Authenticating via Authorization Header
API requests are authenticated by passing a token within the Authorization header. For example:
curl "https://example.com?id=123" -H "Authorization: Bearer 123456"
Authenticating via Query Parameter
API requests are authenticated by passing a token within a query parameter. For example:
curl "https://example.com?apikey=123456"
Authenticating via OAuth Client Credential Flow
API requests are authenticated by:
First completing an OAuth flow of type “Client Credential”, which can be completed without opening a browser.
Then passing the received OAuth token within API requests.
For example:
OAuth flow and token creation:
curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=123456&grant_type=client_credentials'
API call using the received OAuth token:
curl "https://example.com?id=123" -H "Authorization: Bearer 123456"
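The script below is an added example, not part of Data Theorem's documentation: it carries out the two steps above (client-credentials token request, then an authenticated API call) and performs the credential check recommended in step 2 of the procedure, reporting only the HTTP status rather than the response body. It assumes a token endpoint that returns JSON with an "access_token" field; the URLs, client id and client secret are hypothetical values taken from the examples on this page and should be replaced with your own.

```shell
#!/bin/sh
# Added example (not Data Theorem's own code): verify client-credentials
# API credentials end to end before sending the CURL commands to support.
# Assumed/hypothetical values mirror the page's examples; override via env.
TOKEN_URL="${TOKEN_URL:-https://example.com/login}"
API_URL="${API_URL:-https://example.com?id=123}"
CLIENT_ID="${CLIENT_ID:-123}"
CLIENT_SECRET="${CLIENT_SECRET:-123456}"

# Pull "access_token" out of a JSON body without depending on jq.
# Prints nothing when the field is absent (e.g. an error response).
extract_access_token() {
    printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when an HTTP status code is in the 2xx range, 1 otherwise.
is_success_status() {
    case "$1" in
        2[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: client-credentials grant, same shape as the page's token command.
fetch_token() {
    body=$(curl -sS -X POST "$TOKEN_URL" \
        -d "id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&grant_type=client_credentials")
    extract_access_token "$body"
}

# Step 2: call the API with the bearer token; emit only the status code
# so the secret and any response data do not end up in logs or emails.
api_status_with_token() {
    curl -sS -o /dev/null -w '%{http_code}' "$API_URL" \
        -H "Authorization: Bearer $1"
}

main() {
    token=$(fetch_token)
    [ -n "$token" ] || { echo "no access_token in token response" >&2; return 1; }
    status=$(api_status_with_token "$token")
    if is_success_status "$status"; then
        echo "credentials OK (HTTP $status)"
    else
        echo "authenticated request failed (HTTP $status)" >&2
        return 1
    fi
}

# Network calls only run when explicitly requested: RUN_MAIN=1 sh check.sh
if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```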
Authenticating via Custom Authentication Flow
Please provide sample CURL commands demonstrating your custom authentication flow. For example:
Token creation:
curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=12345&grant_type=client_credentials'
API call using received token:
curl "https://example.com?id=123" -H "Authorization: Bearer 67890"