Skip to main content

Token authentication

Use Token when your target is an API (or an API-backed SPA) that accepts a static credential in the Authorization header — Bearer token, JWT, opaque API key.

Token authentication

When to use

  • REST / GraphQL APIs protected by Authorization: Bearer ….
  • Service-to-service endpoints using a long-lived API key.
  • A SPA where you can grab the token from DevTools and reuse it for the scan's lifetime.

What you'll need

  • A valid token for a dedicated scan account.
  • Confirmation the token won't expire mid-scan (scans can run for 30+ minutes; short-lived JWTs may need a longer-lived refresh-issued token).

Dashboard

  1. In Create Scan → Step 2, pick Token.
  2. Paste the full token value.
  3. Click Next.

The scanner sends the token on every request as Authorization: Bearer <token>. If your token already carries a scheme prefix (Token …, ApiKey …), include the prefix in the value and the scanner will use it verbatim.

CLI

shadownet scan https://api.example.com \
  --auth token \
  --token "$SCAN_TOKEN"

levo-dast.yml

auth:
  strategy: "token"
  # token → --token flag or SCAN_TOKEN env var, NOT YAML
  headers:
    - "X-Scan-Source: shadownet"
Tokens are secrets

Never commit a token to git or paste it into levo-dast.yml. The YAML loader rejects a literal token: key with a clear error — pass --token or set SCAN_TOKEN.

Non-Bearer API keys (X-Api-Key, custom headers, local storage)

If your API expects the credential somewhere other than Authorization — a custom header like X-Api-Key, a cookie, or a localStorage entry the SPA reads on boot — use Pre-Auth Headers, Pre-Auth Cookies, or Local Storage on the auth step. These attach to every request / session regardless of which auth strategy you pick, including alongside Token.

auth:
  strategy: "none"
  headers:
    - "X-Api-Key: ${SCAN_API_KEY}"

For SPAs that rely on localStorage (e.g., a JWT stashed under auth_token), provide a base64-encoded JSON blob via --local-storage-b64 / SCAN_LOCAL_STORAGE_B64; the scanner seeds it before the first request.

Verifying the token worked

  • Scan detail page shows Auth: ok with the header mask.
  • If you see 401s in the scan log, the token is wrong, expired, or missing a prefix.
  • If you see 403s, the token is valid but the scan account lacks permission for the endpoint under test — grant the role or exclude those paths.

Next

Was this page helpful?