Enterprise Edition

Configuring API authentication

  • Last updated: February 6, 2025

  • Read time: 3 Minutes

You can configure endpoint authentication for API scans. This enables Burp Suite Enterprise Edition to access authenticated endpoints, increasing your scanning coverage.

Burp Suite Enterprise Edition supports the following authentication methods:

  • Basic - Enter a username and password.
  • Bearer Token - Adds an access token that's sent in the Authorization header.
  • API Key / Custom token - Adds an API key or access token in a custom location.

You can also use dynamic tokens. These tokens have a limited lifespan. Burp Suite Enterprise Edition enables you to fetch refreshed tokens automatically.

Note

For security reasons, API definitions should include authentication schemes but not the associated credentials. For example, a definition can define that a particular API key is needed, but it must not provide the API key.

This means that you need to add credentials for any detected schemes manually. Schemes that have been detected but not yet populated with credentials have a red notification dot next to them. To add a credential to a scheme, click its pencil icon.

Adding basic authentication

To add basic authentication:

  1. Select the Authentication tab.
  2. Click Add API credentials to display the Add Authentication dialog.
  3. Select Basic.
  4. Enter the Label, Username, and Password.
  5. Click Save.

Adding Bearer token authentication

To add Bearer token authentication:

  1. Select the Authentication tab.
  2. Click Add API authentication to display the Add Authentication dialog.
  3. Select Bearer token.
  4. For Fixed tokens:

    • Set the Token type to Fixed.
    • Enter the Label and Token.
    • Click Save.
  5. For Dynamic tokens:

    • Set the Token type to Dynamic.
    • Enter a Label for the token.
    • Enter the Authentication service URL and Method for the request to retrieve the token.
    • If necessary, expand Additional headers and enter the Name and Value for each header. Click to add more headers.
    • In the Body field, if necessary, enter the body of the request.
    • Enter a value for how often the token should be refreshed in the Re-fetch every field.
    • In the Token location field, enter the location in the response body where the token will be located.
    • Click Save.

Adding API key / custom token authentication

To add credentials for an API key, or add a token in a custom location:

  1. Select the Authentication tab.
  2. Click Add API authentication to display the Add Authentication dialog.
  3. Select API key / Custom token.
  4. For Fixed tokens:

    • Set the Token type to Fixed.
    • Enter the Label, Location, and Key / token.
    • Click Save.
  5. For Dynamic tokens:

    • Set the Token type to Dynamic.
    • Enter a Label for the token, and choose a location from the Add to drop-down list.
    • Enter the Authentication service URL and Method for the request to retrieve the token.
    • If necessary, expand Additional headers and enter the Name and Value for each header. Click to add more headers.
    • In the Body field, if necessary, enter the body of the request.
    • Enter a value for how often the token should be refreshed in the Re-fetch every field.
    • In the Token location field, enter the location in the response body where the token will be located.
    • Click Save.
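The dynamic-token flow that both procedures above describe (send a request to the Authentication service, pull the token out of the response body at the Token location, re-fetch it once the Re-fetch every interval has elapsed, then attach it at the location chosen from the Add to drop-down), written out as an added Python example; this is not PortSwigger's code. The dotted-path syntax for the Token location, the "header"/"query"/"cookie" location names and the FakeAuthService are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Callable

def extract_token(body: str, location: str) -> str:
    """Resolve a dotted Token location such as 'data.access_token' in a JSON response body."""
    node = json.loads(body)
    try:
        for part in location.split("."):
            node = node[part]
    except (KeyError, TypeError) as exc:
        raise ValueError(f"no token at {location!r} in the response body") from exc
    if not isinstance(node, str) or not node:
        raise ValueError(f"value at {location!r} is not a non-empty string")
    return node

@dataclass
class DynamicToken:
    """Fetches a token from the authentication service and re-fetches it every refetch_every seconds."""
    service_url: str
    method: str
    token_location: str
    refetch_every: float
    send: Callable[[str, str, dict, str], str]  # (method, url, headers, body) -> response body
    headers: dict = field(default_factory=dict)  # the Additional headers
    body: str = ""                               # the Body field
    _token: str = ""
    _fetched_at: float = 0.0
    def current(self, now: float) -> str:
        # Reuse the cached token until the Re-fetch every interval has elapsed.
        if not self._token or now - self._fetched_at >= self.refetch_every:
            response = self.send(self.method, self.service_url, self.headers, self.body)
            self._token = extract_token(response, self.token_location)
            self._fetched_at = now
        return self._token

def apply_token(request: dict, token: str, add_to: str, name: str) -> dict:
    """Place the token where the Add to drop-down says: a header, a query parameter or a cookie."""
    slot = {"header": "headers", "query": "query", "cookie": "cookies"}.get(add_to)
    if slot is None:
        raise ValueError(f"unsupported location {add_to!r}")
    request.setdefault(slot, {})[name] = token
    return request

class FakeAuthService:
    """Constructed stand-in for the Authentication service; issues a new token on every call."""
    calls = 0
    def __call__(self, method: str, url: str, headers: dict, body: str) -> str:
        self.calls += 1
        return json.dumps({"data": {"access_token": f"tok-{self.calls}"}})
```

Swap FakeAuthService for a real HTTP client with the same call signature to run it against an actual token endpoint; a misconfigured Token location surfaces as a ValueError rather than as a scan that silently runs unauthenticated.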

Editing or deleting authentication methods

To edit an existing authentication method, click its pencil icon.

To delete an existing authentication method, click its trash icon.

Note

To modify authentication details for an API site after the site has been saved, you need the Edit site application logins permission. This includes changing the specification upload method between a URL and a local file. Admin users have this permission by default.

If you have the View site application logins permission but not the Edit site application login details permission, you can see details of the authentication methods used in the specification and their credentials. However, you can't edit any of them, add new authentication, amend the selection of endpoints to scan, or change the API definition file or URL.
