Overview

Authentication configuration allows ApyGuard to test protected endpoints using the same access patterns your applications, users, and integrations rely on.

Supported methods

Predefined Token

Use an existing token such as an API key or bearer token.

Login URL

Use a login endpoint to authenticate dynamically and retrieve tokens during scanning.

OIDC

Use OpenID Connect metadata from the selected server to configure authentication.

OAuth2 Password

Use client credentials together with a username and password for supported password grant flows.

OAuth2 Client Credentials

Use machine-to-machine OAuth2 flows with client ID and client secret.

Authorization Matrix

Define role-based expectations for endpoint access behavior.

Configure authentication in ApyGuard

Authentication is configured from the authorization setting flow used during scan setup.
  1. Go to Start Scan → Authorization Settings.
  2. Create a new authorization setting or edit an existing one.
  3. Enter an Authorization Setting Name.
  4. Choose the authentication method that matches your API.
  5. Configure token behavior.
  6. Add or select the credentials needed for the chosen flow.
  7. Review any detected server metadata for OIDC or OAuth2.
  8. Save the authorization setting and use it in the scan.

What the authorization flow includes

Authentication method cards

ApyGuard lets users choose among Predefined Token, Login URL, OIDC, OAuth2 Password, and OAuth2 Client Credentials.

Token configuration

Users define the token format and token location so ApyGuard knows how to attach the token to each request.

Credential selection

The auth setting links to one or more saved credentials depending on the selected flow.

Server-aware detection

OIDC and OAuth2 methods can pull configuration details from the selected API server and let users review them before saving.

Token configuration in the UI

ApyGuard asks users to define:
  • Token Implementation Format
  • Token Location
The UI also offers quick token format examples such as:
  • Authorization: Bearer {TOKEN}
  • Authorization: Basic {TOKEN}
  • X-API-Key: {TOKEN}
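To show what the Token Implementation Format and Token Location settings amount to, here is an added Python example (not ApyGuard's own code) that fills the `{TOKEN}` placeholder into a template and places the result as a header, query parameter, or cookie. The location names `header`/`query`/`cookie`, the `name={TOKEN}` template shape for query and cookie locations, and the URL and token values are assumptions for the example; it also rejects tokens carrying CR/LF, since a token that can add header lines would corrupt every scan request.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PLACEHOLDER = "{TOKEN}"  # placeholder used by the token format field
_FIELD_NAME_RE = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")  # RFC 7230 token chars


def _split_template(fmt: str, location: str) -> tuple[str, str]:
    """Split 'Name: value' (header) or 'name=value' (query/cookie, assumed shape)
    into (name, value) and require exactly one {TOKEN} in the value part."""
    sep = ":" if location == "header" else "="
    name, found, value = fmt.partition(sep)
    name, value = name.strip(), value.strip()
    if not found or not _FIELD_NAME_RE.fullmatch(name):
        raise ValueError(f"bad field name in template {fmt!r}")
    if value.count(PLACEHOLDER) != 1:
        raise ValueError("template must contain exactly one {TOKEN}")
    return name, value


def build_authed_request(url: str, fmt: str, location: str, token: str) -> dict:
    """Place `token` into a request per the configured format and location.
    Returns {'url': ..., 'headers': {...}} ready to hand to an HTTP client."""
    if any(c in token for c in "\r\n\0"):  # a token must never add header lines
        raise ValueError("token contains control characters")
    name, value = _split_template(fmt, location)
    rendered = value.replace(PLACEHOLDER, token)
    headers: dict[str, str] = {}
    if location == "header":
        headers[name] = rendered
    elif location == "query":
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True) + [(name, rendered)]
        url = urlunsplit(parts._replace(query=urlencode(query)))
    elif location == "cookie":
        headers["Cookie"] = f"{name}={rendered}"
    else:
        raise ValueError(f"unknown token location {location!r}")
    return {"url": url, "headers": headers}


if __name__ == "__main__":
    # Constructed sample values; the page's first quick-format example.
    print(build_authed_request("https://api.example.test/v1/users",
                               "Authorization: Bearer {TOKEN}", "header", "abc123"))
```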

Credential and server selection

Depending on the auth method, users may also need to:
  • Select one or more saved credentials
  • Select an API server
  • Choose a login endpoint
  • Map username and password parameters
  • Review detected provider metadata

When to choose each method

  • Predefined Token when you already have a valid token or API key
  • Login URL when the API issues tokens after a login request
  • OIDC when your provider exposes OpenID Connect discovery metadata
  • OAuth2 Password when your provider supports password grant
  • OAuth2 Client Credentials when a machine identity requests tokens directly

Next steps

OIDC

Configure OpenID Connect authentication using detected provider metadata.

Authentication Issues

Troubleshoot token, login, OIDC, and OAuth2 setup issues.