API Secure: Enable Authenticated API Scans

In addition to the baseline, always-on API scanning, Data Theorem can perform authenticated scans against APIs.

To enable this capability, you need to provide Data Theorem with authentication credentials that will be used to perform authenticated scans of your APIs. The guide below describes how to send API credentials to Data Theorem.

Sending API Credentials to Data Theorem

To enable authenticated scans for an API:

  1. Create a dedicated Data Theorem user or API key that can authenticate to the API to scan.

    1. Data Theorem recommends following the least privilege security principle when creating API credentials; consider granting it read-only access to the areas necessary for Data Theorem to perform API scans.

  2. Create CURL command(s) to test the credentials by calling one of the API endpoints and verifying that it returns a successful response.

  3. Email to support@datatheorem.com the following information:

    1. Name and URL to the API.

    2. Type of authentication flow, as described in the next section.

    3. CURL command(s) that can be used to complete an authenticated request. The commands should contain the API credentials that Data Theorem will use.

Supported API Authentication Types

Data Theorem currently supports 4 types of authentication for API scans:

  1. Supplying a token via the Authorization header.

  2. Supplying a token via a GET query parameter.

  3. Authenticating via a Client Credential OAuth flow.

  4. Authenticating via a custom authentication flow.

Please contact support@datatheorem.com if your authentication mechanism is not one of the above types.

Authenticating via Authorization Header

API requests are authenticated by passing a token within the Authorization header. For example:

curl "https://example.com?id=123" -H "Authorization: Bearer 123456"

Authenticating via Query Parameter

API requests are authenticated by passing a token within a query parameter. For example:

curl "https://example.com?apikey=123456"

Authenticating via OAuth Client Credential Flow

API requests are authenticated by:

  1. First completing an OAuth flow of type “Client Credential”, which does not require opening a browser to complete.

  2. Then passing the OAuth token within API requests.

For example:

  1. OAuth flow and token creation:
    curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=123456&grant_type=client_credentials'

  2. API call using the received OAuth token:
    curl "https://example.com?id=123" -H "Authorization: Bearer 123456"

Authenticating via Custom Authentication Flow

Data Theorem supports custom authentication flows that happen in two steps:

  1. Sending a request to create an authentication token.

  2. Supplying the authentication token when making API calls.

Please provide sample CURL commands demonstrating your custom authentication flow. For example:

  1. Token creation:
    curl -X 'POST' "https://example.com/login" -d 'id=123&client_secret=12345&grant_type=client_credentials'

  2. API call using the generated token:
    curl "https://example.com?id=123" -H "Authorization: Bearer 67890"
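The following script is an added example, not part of the Data Theorem documentation, showing how to test a two-step credential (the OAuth Client Credential flow above, or a custom token-creation flow with the same shape) before sending it in: it obtains a token, calls one API endpoint with it, and reports whether the response was successful. The endpoint URLs, the standard `client_id`/`client_secret`/`grant_type` form fields and the `access_token` JSON field are assumptions about the target API; secrets are read from environment variables so they do not end up in shell history.

```shell
#!/bin/sh
# Constructed example: verify a two-step (token creation, then API call) credential.
# Assumed: token endpoint returns JSON with an "access_token" field; API accepts
# the token as "Authorization: Bearer <token>". Secrets come from the environment.

# Pull "access_token" out of a JSON body (assumes a flat, double-quoted field).
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# A successful test means any 2xx HTTP status code.
is_success_status() {
  case "$1" in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: client-credential style token creation (URL and field names assumed).
fetch_token() {
  curl -sS -X POST "$TOKEN_URL" \
    -d "client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&grant_type=client_credentials"
}

# Step 2: authenticated API call; prints only the HTTP status code.
api_status() {
  curl -sS -o /dev/null -w '%{http_code}' "$API_URL" -H "Authorization: Bearer $1"
}

main() {
  : "${TOKEN_URL:?set TOKEN_URL}" "${API_URL:?set API_URL}" \
    "${CLIENT_ID:?set CLIENT_ID}" "${CLIENT_SECRET:?set CLIENT_SECRET}"
  body=$(fetch_token) || exit 1
  token=$(extract_token "$body")
  [ -n "$token" ] || { echo "no access_token in token response" >&2; exit 1; }
  status=$(api_status "$token")
  if is_success_status "$status"; then
    echo "credentials OK: API returned HTTP $status"
  else
    echo "credentials rejected: API returned HTTP $status" >&2
    exit 1
  fi
}

# Run the check only when invoked with "check", so the functions can be sourced.
if [ "${1:-}" = "check" ]; then main; fi
```

Run it as `TOKEN_URL=... API_URL=... CLIENT_ID=... CLIENT_SECRET=... sh check_api_creds.sh check`; a non-2xx status or a token response without `access_token` exits non-zero.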