Authentication Overview
In Create Scan β Step 2, you first choose whether the scan is Unauthenticated (crawl only the publicly reachable pages) or Authenticated (provide credentials so the scanner can reach pages behind login). When you pick Authenticated, the scanner shows four authentication methods β pick the one that matches how your app expects callers to prove who they are.
Decision treeβ
| If your app is⦠| Use | Why |
|---|---|---|
| Public, no login (marketing site, open API) | Unauthenticated Scan | Nothing to authenticate β scan the whole public surface. |
| An API that accepts a Bearer/JWT/API key header | Token Based | The scanner attaches one header to every request. |
| A web app with a username + password form | Username and password | The scanner logs in once, captures the session, and replays it. |
| You already have a logged-in browser session you want to hand to the scanner | Browser session | Reuse an existing authenticated session β no credentials given to the scanner. |
| Complex, multi-step, or you don't want to encode selectors | AI-assisted login | An LLM navigates the login flow for you. |
Public apps and open APIs β no login required.
Bearer tokens, JWTs, API keys.
HTML login forms.
Reuse an existing logged-in session β dashboard-only.
LLM-guided login discovery.
Dashboard vs CLI vs YAMLβ
The same methods exist everywhere. The dashboard label is the user-facing card name; the CLI and YAML names are the underlying strategy keys.
| Method | Dashboard (Step 2) | CLI flag | levo-dast.yml (auth.strategy) |
|---|---|---|---|
| Unauthenticated | Unauthenticated Scan card | --auth none | none |
| Token | Token Based card | --auth token --token $TOKEN | token |
| Form login | Username and password card | --auth form --username β¦ --password β¦ --login-url β¦ | form |
| Browser session | Browser session card | --auth-session-file ./session.json (or SHADOWNET_AUTH_SESSION_FILE) | β (use the env var) |
| AI-assisted | AI-assisted login card | --auth ai | ai |
The dashboard also exposes a "Login URL is the same as target URL" checkbox under Username and password β convenient when the login form is on the same URL you're scanning.
Pre-Auth values β shared across methodsβ
Three fields on the Authentication step apply regardless of which method you pick. Use them when your app needs state in place before the login request is sent:
- Pre-Auth Cookies β CSRF tokens, tenant selectors, feature flags read by the login page.
- Pre-Auth Headers β tenant headers (
X-Tenant-Id), API gateway tokens,Accept-Language. - Local Storage Items / Local Storage Items (Base64) β SPA bootstrap data read on first load, or base64-encoded blobs.
Passwords, bearer tokens, raw cookie values, and API keys always come from a CLI flag or environment variable β never the YAML file. See the secrets policy.
Picking a test accountβ
- Create a dedicated scan account in each environment β don't reuse a developer's account.
- Give it the same role as a normal user (not admin) unless you want admin-only paths tested.
- Expect the scan to submit forms, trigger emails, and change state. Keep it off production where possible β see Scanning production safely.
Nextβ
- Unauthenticated Scan β simplest, start here if you don't have a login.
- Token Based β one header, one scan.
- Username and password β the most common case.
- Browser session β paste an existing logged-in session.
- AI-assisted login β when the flow is too complex to script.