Target authentications
Adding a Target Authentication
To learn more about configuring authentications for your target, see this guide.
To add an authentication method to a target, use the following endpoint:
POST /v1/targets/{target_id}/authentications/
Replace {target_id} with the ID of the target you wish to add an authentication to.
You can add different types of authentications and may need to supply arrays of objects for fields such as additional_parameters, headers, or cookies. These are used to provide extra data required for authentication, such as custom headers, form parameters, or session cookies.
Supplying arrays of objects (additional_parameters, headers, cookies)
Some authentication types require you to provide arrays of objects, for example:
- additional_parameters: Extra form fields required for login.
- headers: Custom HTTP headers to include in authentication requests.
- cookies: Session cookies for authenticated access.
How to structure arrays for application/json content type requests
In this case, arrays of objects (such as cookies, headers, or additional_parameters) are represented as JSON arrays of objects, each with name and value fields.
curl --request POST \
--url "https://api.intruder.io/v1/targets/$target_id/authentications/" \
--header 'content-type: application/json' \
--header 'accept: application/json' \
--header "authorization: Bearer $apiToken" \
--data '{
"url": "https://intruder.example.com/login",
"name": "My Authentication",
"type": "session_cookie",
"cookies": [
{"name": "sessionid", "value": "abc123"},
{"name": "csrftoken", "value": "def456"}
],
"headers": [
{"name": "X-Custom-Header", "value": "custom-value"}
]
}'
- Arrays such as cookies and headers are provided as standard JSON arrays of objects.
- This format is often easier to construct and read when working with code or API clients that support JSON natively.
How to structure arrays from values for multipart/form-data content type requests
When using multipart/form-data, arrays of objects must be represented using indexed keys. This structure allows the API to correctly parse each array as a list of {name, value} pairs.
For each array, use the following pattern:
--form 'FIELDNAME[0]name=firstName' \
--form 'FIELDNAME[0]value=firstValue' \
--form 'FIELDNAME[1]name=secondName' \
--form 'FIELDNAME[1]value=secondValue'
Replace FIELDNAME with additional_parameters, headers, or cookies as needed.
Example: Adding Cookies
--form 'cookies[0]name=sessionid' \
--form 'cookies[0]value=abc123' \
--form 'cookies[1]name=csrftoken' \
--form 'cookies[1]value=def456'
Example: Adding Headers
--form 'headers[0]name=X-Custom-Header' \
--form 'headers[0]value=custom-value' \
--form 'headers[1]name=X-Special-Header' \
--form 'headers[1]value=special-value'
Example: Adding Additional Parameters
--form 'additional_parameters[0]name=username' \
--form 'additional_parameters[0]value=myuser' \
--form 'additional_parameters[1]name=password' \
--form 'additional_parameters[1]value=mypassword'
Full Example: Adding Authentication with Cookies and Headers (Form data)
curl --request POST \
--url "https://api.intruder.io/v1/targets/$target_id/authentications/" \
--header 'content-type: multipart/form-data' \
--header 'accept: application/json' \
--header "authorization: Bearer $apiToken" \
--form 'url=https://intruder.example.com/login' \
--form 'name=My Authentication' \
--form 'type=session_cookie' \
--form 'cookies[0]name=sessionid' \
--form 'cookies[0]value=abc123' \
--form 'headers[0]name=X-Custom-Header' \
--form 'headers[0]value=custom-value'
Adding a recorded login authentication
For applications that require a more complex login flow, you can upload a recorded login file. This can be done in two ways: as a base64-encoded JSON string or as a file upload using form data. See the sections below to understand how to format a request.
To learn more about how recorded logins work and how to create one, see this guide.
Uploading a recorded login file with application/json content type and a base64-encoded JSON recording
If you prefer to send the recorded login as a base64-encoded JSON string (for example, when using application/json instead of multipart/form-data):
# recorded_login_file holds the base64-encoded content of your recording.json
curl --request POST \
--url "https://api.intruder.io/v1/targets/$target_id/authentications/" \
--header 'content-type: application/json' \
--header 'accept: application/json' \
--header "authorization: Bearer $apiToken" \
--data '{
"url": "https://intruder.example.com/login",
"name": "Recorded Login File Authentication",
"type": "recorded",
"recorded_login_file": "data:application/json;name=recording.json;base64,eyJmb28iOiJiYXIifQ=="
}'
How to Construct the recorded_login_file Value
The value for the recorded_login_file field must be a single string with the following structure:
data:application/json;name=FILENAME.json;base64,BASE64_CONTENT
data:application/json - The MIME type of your file. It should be application/json, as that is the recording we accept.
;name=FILENAME.json - The name of your file. Replace FILENAME.json with your actual file name (e.g., recording.json).
;base64, - Indicates that the file content is base64-encoded.
BASE64_CONTENT - The base64-encoded content of your JSON recording file.
If your file is named recording.json and its base64-encoded content is eyJmb28iOiJiYXIifQ==, your request would look like:
"recorded_login_file": "data:application/json;name=recording.json;base64,eyJmb28iOiJiYXIifQ=="
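The following Python sketch builds the recorded_login_file string in the structure described above and parses it back for verification. It is an added example, not code from the Intruder documentation; the function names and the file-name character restriction are assumptions chosen so that a name cannot contain the ; and , separators of the string.

```python
import base64
import json
import re

# Assumption: restrict names to characters that cannot collide with the
# ';' and ',' separators used inside the data: string.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+\.json")
_DATA_URI = re.compile(
    r"data:application/json;name=([^;,]+);base64,([A-Za-z0-9+/]*={0,2})"
)


def build_recorded_login_file(filename, content):
    """Return the recorded_login_file value for raw recording bytes."""
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError(f"unsafe or non-.json file name: {filename!r}")
    # Reject anything that is not valid JSON before it is encoded and sent.
    json.loads(content)
    encoded = base64.b64encode(content).decode("ascii")
    return f"data:application/json;name={filename};base64,{encoded}"


def parse_recorded_login_file(value):
    """Split a recorded_login_file value back into (filename, bytes)."""
    match = _DATA_URI.fullmatch(value)
    if match is None:
        raise ValueError("value does not follow the expected structure")
    return match.group(1), base64.b64decode(match.group(2), validate=True)


if __name__ == "__main__":
    # Constructed sample recording, matching the page's {"foo":"bar"} example.
    value = build_recorded_login_file("recording.json", b'{"foo":"bar"}')
    print(json.dumps({"type": "recorded", "recorded_login_file": value}))
```

Building the request body with json.dumps, as in the last line, avoids hand-quoting the string inside a shell --data argument.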
Uploading a recorded login file with multipart/form-data content type
curl --request POST \
--url "https://api.intruder.io/v1/targets/$target_id/authentications/" \
--header 'content-type: multipart/form-data' \
--header 'accept: application/json' \
--header "authorization: Bearer $apiToken" \
--form 'url=https://intruder.example.com/login' \
--form 'name=Recorded Login File Authentication' \
--form 'type=recorded' \
--form 'recorded_login_file=@recording.json;type=application/json'
recorded_login_file=@recording.json;type=application/json uploads the file directly.
Updating a Target Authentication
PATCH /v1/targets/{target_id}/authentications/{id}/
Replace {target_id} with the ID of your target, and {id} with the ID of the specific authentication you want to update.
Important
When updating, you must include all cookies, headers, and additional_parameters key-value pairs you want to be present after the update. Any values not included in the request will be removed from the authentication.
How to structure arrays for application/json content type requests
curl --request PATCH \
--url "https://api.intruder.io/v1/targets/$target_id/authentications/$id/" \
--header 'content-type: application/json' \
--header 'accept: application/json' \
--header "authorization: Bearer $apiToken" \
--data '{
"url": "https://intruder.example.com/login",
"name": "My Authentication",
"type": "session_cookie",
"cookies": [
{"name": "sessionid", "value": "abc123"},
{"name": "csrftoken", "value": "def456"}
],
"headers": [
{"name": "X-Custom-Header", "value": "custom-value"}
]
}'
How to structure arrays from values for multipart/form-data content type requests
Much like creating a target authentication, a request that updates a target authentication with content-type: multipart/form-data must be formatted a certain way so that the API can understand and process it correctly.
When updating arrays of objects (such as cookies, headers, or additional_parameters), use indexed keys for each field, just as you would when creating:
curl --request PATCH \
--url "https://api.intruder.io/v1/targets/$target_id/authentications/$id/" \
--header 'content-type: multipart/form-data' \
--header 'accept: application/json' \
--header "authorization: Bearer $apiToken" \
--form 'url=https://intruder.example.com/login' \
--form 'name=My Authentication' \
--form 'type=session_cookie' \
--form 'cookies[0]name=sessionid' \
--form 'cookies[0]value=abc123' \
--form 'cookies[1]name=csrftoken' \
--form 'cookies[1]value=def456' \
--form 'headers[0]name=X-Custom-Header' \
--form 'headers[0]value=custom-value'
- Use FIELDNAME[index]name and FIELDNAME[index]value for each object in the array (e.g., cookies[0]name, cookies[0]value).
- This structure ensures the API can correctly parse and update the array fields.
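Because an update removes any pair that is not resent, a safe update is a read-modify-write: start from the stored arrays, apply the change, and send the complete result. The Python sketch below is an added example, not Intruder's own code; it assumes the caller supplies the authentication's current fields (retrieving them is not covered on this page), uses hypothetical function names, and also renders the merged body in the indexed multipart pattern.

```python
import json

ARRAY_FIELDS = ("cookies", "headers", "additional_parameters")


def merge_pairs(current, changes, remove=()):
    """Merge name/value pairs: keep existing, overwrite or add, then drop."""
    merged = {pair["name"]: pair["value"] for pair in current}
    merged.update(changes)
    for name in remove:
        merged.pop(name, None)
    return [{"name": n, "value": v} for n, v in merged.items()]


def build_patch_body(current, changes=None, remove=None):
    """Return a full PATCH body so that untouched pairs are not removed."""
    changes, remove = changes or {}, remove or {}
    body = {k: v for k, v in current.items() if k not in ARRAY_FIELDS}
    for field in ARRAY_FIELDS:
        if field in current or field in changes:
            body[field] = merge_pairs(
                current.get(field, []), changes.get(field, {}), remove.get(field, ())
            )
    return body


def to_form_fields(body):
    """Flatten a body into FIELDNAME[index]name / FIELDNAME[index]value fields."""
    fields = []
    for key, value in body.items():
        if key in ARRAY_FIELDS:
            for i, pair in enumerate(value):
                fields.append((f"{key}[{i}]name", pair["name"]))
                fields.append((f"{key}[{i}]value", pair["value"]))
        else:
            fields.append((key, value))
    return fields


# Constructed sample of the stored state, mirroring the page's example values.
CURRENT = {
    "url": "https://intruder.example.com/login",
    "name": "My Authentication",
    "type": "session_cookie",
    "cookies": [{"name": "sessionid", "value": "abc123"},
                {"name": "csrftoken", "value": "def456"}],
    "headers": [{"name": "X-Custom-Header", "value": "custom-value"}],
}

if __name__ == "__main__":
    body = build_patch_body(CURRENT, changes={"cookies": {"sessionid": "rotated789"}})
    print(json.dumps(body, indent=2))   # application/json form
    print(to_form_fields(body))         # multipart/form-data form
```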
Deleting an Authentication
To remove an existing authentication method from a target, send a DELETE request to the following endpoint:
DELETE /v1/targets/{target_id}/authentications/{id}/
Replace {target_id} with the ID of your target, and {id} with the ID of the specific authentication you want to delete.
curl -X 'DELETE' \
--url "https://api.intruder.io/v1/targets/$target_id/authentications/$id/" \
--header 'accept: application/json' \
--header "authorization: Bearer $apiToken"
If successful, the server will return a 204 No Content status, indicating that the authentication has been deleted.
Error Handling
- If your request is invalid, you will receive a 400 Bad Request with details about the validation errors.
- If the target or authentication is not found, you will receive a 404 Not Found.
- If there is a server error, you will receive a 500 Internal Server Error.
Tips
- Always ensure your authorization header is set with a valid Bearer token.
- Use the correct content-type for file uploads (multipart/form-data) or JSON uploads (application/json).
- For more details on the available authentication types and their parameters, refer to the API documentation.