
Authenticating REST via an API call

Question asked by Don Faulkner on Aug 9, 2018
Latest reply on Aug 13, 2018 by Busby

Is it possible to build an API-based authentication step into the testing of REST APIs?


I'm testing a REST API that includes an authentication action. The Swagger file has a specific JSON model that needs to be passed in: the usual userid/password, plus a couple of other true/false flags. Successful authentication returns a session value in a custom header that needs to be captured and used in all subsequent API calls (just replay the header).


I can do the authentication manually, then edit the application definition to include the custom header, but it would be much easier if I could invoke the authentication API path with stored credential values. 


  1. Can I capture a response header and include it as a custom header for the remainder of the test?
  2. Can I define an authentication mechanism that will work with this REST authentication scheme?
  3. If I can't do this, does this prevent the use of a Swagger file for the test?
  4. If I have a custom header captured in a Burp log, will a custom header specified in the application definition override its value?
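
The flow described in the question (POST the JSON model, read the session value from a response header, replay that header on every later call), as an added example that is not part of the original post and does not show any scanner's own configuration. The `/auth` and `/items` paths, the `X-Session-Token` header name, the `rememberMe` and `forceLogin` flags and the credentials are all assumptions, and the API is a constructed local stub so the exchange runs offline.

```python
import json, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names: the post gives no path, header name, flag names or credentials.
SESSION_HEADER = "X-Session-Token"
SESSIONS = set()  # tokens issued by the stub
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

class StubApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test, so the flow runs offline."""
    def _reply(self, status, headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_POST(self):  # /auth: validate the JSON model, issue a session header
        model = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        if self.path != "/auth" or model.get("password") != "constructed-pw":
            return self._reply(401)
        token = secrets.token_hex(16)
        SESSIONS.add(token)
        self._reply(200, [(SESSION_HEADER, token)])
    def do_GET(self):  # every other call needs the replayed header
        self._reply(200 if self.headers.get(SESSION_HEADER) in SESSIONS else 401)
    def log_message(self, *args): pass  # silence per-request logging

def fetch(url, headers=None, data=None):  # (status, headers), no raise on 4xx
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with OPENER.open(req) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers

def login(base, userid, password):  # returns the session value, or None
    model = {"userid": userid, "password": password, "rememberMe": False, "forceLogin": True}
    code, headers = fetch(base + "/auth", {"Content-Type": "application/json"},
                          json.dumps(model).encode())
    return headers.get(SESSION_HEADER) if code == 200 else None

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    token = login(base, "tester", "constructed-pw")
    results = (login(base, "tester", "wrong"), fetch(base + "/items")[0],
               fetch(base + "/items", {SESSION_HEADER: token})[0])
    server.shutdown()
    return results
```

`demo()` returns the result of a failed login, the status of a call without the header, and the status of the same call with the captured header replayed.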