search
Book a demo

Create a Test Role

Easily establish custom test roles to streamline API testing processes and enhance security protocols

hashtag
Overview

If you use role-based access control in your APIs and applications, you should check for privilege escalation issues. This often entails determining if a lower-privilege user has access to all higher-privilege APIs. If such an API exists, the development team should fix its privileges.

Akto lets you automate privilege escalation security tests. The information can also be used to create custom tests using Test YAML templates.

You should define as many roles as there are in your application. For example, if you're running a B2B SaaS program, you might have ADMIN, BILLING, MEMBER, and GUEST. Role creation is a one-time configuration.

In the demonstration below, let's create a Test Role and specify the role endpoint conditions.

hashtag
Create a Test Role

Go to Testing > Test Roles. Click on the Create New Test Role button. Enter the details for the new test role, including the name and specific role endpoint conditions.

Create a Test Role

In the above demonstration, we created a test role with the condition that it “Belongs to” the "juice_shop_demo" API collection. We chose to apply this role to the endpoints rest/basket/6 and rest/languages. This setup allows us to simulate and verify the behavior of these endpoints under the defined role's permissions.\

hashtag
Adding Auth token for Role

There are multiple ways you can Auth token with in Akto:

circle-check

You can configure multiple authentication methods within a single Test Role.

And using Advanced Settings, you can control exactly which token should be applied to which API requests.

hashtag
1. Hard-coded Auth token

You can add a hard-coded auth token using the following steps -

1

Click on a particular Test Roles.

2

Click on Add Auth button.

3

Under the hard coded section, enter the auth header key and the auth header value (eg. Authorization and Bearer some.auth.token)

4

Click on Save button and verify that the auth is created.

circle-info

hashtag
Note

If you want to use the auth token only for a specific account, you can add API Header condition.

For example, X-Account-Id: 10000 would mean the the auth token will be used only if the API request has X-Account-Id: 10000 in its headers.

hashtag
2. Use Tokens from Traffic

Akto allows you to automatically use authentication tokens observed in your API traffic. This is useful when valid tokens are already present in captured traffic and you want to reuse them for testing without manually configuring or generating new ones.

To use tokens from traffic, follow these steps:

1

Go to Test Roles and create or edit a Test Role.

2

Click on Add Auth.

3

Select From traffic.

4

Under Use tokens from traffic, configure the following:

  • Location (Header / Query / Body) Select where the token is expected in the request. In most cases, this will be Header.

  • Key Enter the name of the parameter that contains the token. Example: Authorization

  • Value (Optional) Specify a value pattern if you want to filter tokens. Example: Bearer .* This ensures only tokens matching the defined pattern are used.

5

You can click the + icon to add multiple token extraction rules if required.

6

Click Save to apply the configuration.

Once configured, Akto will automatically pick matching tokens from observed traffic and use them during test execution.

hashtag
3. Automated Auth token generation

For one-time testing or a quick tryout, you might need to manually add an auth token, because the token expires quickly, within a day. This means you can only use it occasionally for testing. Instead, you can set Akto to automatically fetch a fresh auth token to ensure that tests are always up-to-date before each test run. This way, Akto uses a new token for every test, ensuring the tests are always valid.

To add an auth token automatically while performing API testing, you need to follow these steps:

1

Configure API Call Details

Configuring API call details ensures that the server knows how to process the request and can generate and return a new auth token. This is key for keeping tests current and valid, as it allows the system to automatically get a fresh token before each test run.

In the demonstration, we're setting up the details for an API call, including the URL, method, headers, and body, to ensure the request is correctly configured and can successfully obtain the token.

2

Execute the API Call

After configuring the details, execute the API call. If successful, the server will respond with an auth token.

In the demonstration below, we make an API call and receive an authentication token from the server.

3

Extract Token

After testing the API call, you need to extract the auth token from the response. This typically involves identifying the header or body parameter where the token is located. For example, if the token is returned in a header named Authorization, you would extract it.

In the demonstration below, we extract the auth token from the response. This token can then be used for subsequent API calls that require authentication.

Once you have extracted the token, Akto will automatically use it for subsequent API calls in your tests.

Akto will now execute this entire API sequence before running a test to fetch a fresh auth token. You can now execute all the daily tests and CI/CD tests without worrying about the expiry of the hard-coded token.

hashtag
4. TLS Authentication

You can add TLS authentication configuration to any role using the following steps:

1

Create a test role. Click on the test role and click on Add auth.

2

Click on TLS Authentication to reveal the configuration inputs.

3

For PEM certificate type:

  1. Input the client certificate

2. Input the client private key

3. Input the certificate authority certificate (optional, leave the input blank if you do not have one)

4

Click on Save

circle-exclamation

hashtag
Notes

  1. Please enter the keys only in the format shown in the images. Do not enter any additional details.

  2. If you have a P12 type key you can convert it to a PEM key using the commands given below. Here client.p12 is your original key, client.crt is the client certificate and client.key is the client private key. While running these commands, you may be asked for an Import Password. You can leave that blank.

circle-info

You can now limit visibility of a Test Role using RBAC. Use the "Scope Role" dropdown while creating or editing a Test Role. For details, see Restrict Access to a Test Role Using RBAC.

hashtag
5. Digest Authentication

Digest Authentication allows API Security Testing to authenticate with APIs that require HTTP digest-based authentication. Digest authentication uses a challenge-response mechanism where credentials are hashed before transmission, preventing passwords from being sent in plain text.

hashtag
How Digest Authentication Works

  1. The client sends an initial request to the server without credentials.

  2. The server responds with 401 Unauthorised and returns a challenge containing parameters such as nonce and realm.

  3. The client computes a digest hash using the username, password, and challenge parameters.

  4. The client sends the request again with the computed digest in the Authorisation header.

  5. API Security Testing automatically performs the digest authentication flow for each test request.

hashtag
Setup Guide

1

Navigate to API Security Testing → Test Roles.

2

Click Add Authentication and select Digest Authentication.

3

Enter the required configuration details:

Field
Description

Username

Username represents the identity used during digest authentication.

Password

Password participates in the digest hash computation and is not transmitted in plain text.

Target URL

Target URL represents the endpoint that returns the digest authentication challenge.

HTTP Method

HTTP method defines the request method used for the initial challenge request. Default value is GET.

Algorithm

Algorithm defines the hashing algorithm used for digest computation. Supported algorithms include SHA-256 and MD5.

4

Click Save to store the authentication configuration.

hashtag
Advance Settings

hashtag
API Header Conditions

Advanced Settings allow you to control which authentication configuration is applied to which API request when multiple auth methods are configured within the same Test Role.

Since a Test Role can have multiple auth setups (Hard-coded token, Automated token, TLS Authentication, Tokens from Traffic, etc.), Advanced Settings help Akto determine which token should be used for a specific request.

circle-info

hashtag
Use case

  • The same role is used across multiple accounts.

  • You want to apply an auth token only for specific tenants.

  • You need fine-grained control over which endpoints use a particular authentication setup.

hashtag
Configure API Header Conditions

Follow these steps to configure API Header Conditions:

1

While creating or editing a Test Role, navigate to Advanced Settings.

2

  • Enter the following details:

    • Header key Specify the request header name. Example: X-Account-Id

    • Header value Specify the expected value of the header. Example: 10000

    • URL path regex Provide a regular expression to match specific API paths. Example: /api/v1/.* This ensures the condition applies only to endpoints matching the defined pattern.

      Leave this empty to skip path matching.

3

Click on Save to apply the configuration.

circle-exclamation

hashtag
Important Behaviour

  • Advanced Settings act as conditional routing for auth configurations.

  • An auth configuration without Advanced Settings behaves as a fallback/default.

  • This enables fine-grained authentication control within a single Test Role.

  • You can combine different auth types (Hard-coded, Automated, TLS, From Traffic) and control exactly when each one should apply.

hashtag
Auth Selection Flow

A Test Role can have multiple authentication methods configured simultaneously. Akto determines which token to use at runtime based on Advanced Settings.

hashtag
Execution Flow

When the Test Role runs on a collection:

  1. For each API request, Akto evaluates all configured auth setups.

  2. If a request matches the Advanced Settings of a specific auth configuration:

    • That auth configuration is applied.

  3. If multiple auth configurations exist:

    • The one whose conditions match the request is used.

  4. If no Advanced Settings match:

    • The auth configuration without any Advanced Settings acts as the default.

circle-exclamation

hashtag
Important

If multiple auth configurations match the same request (for example, they have the same regex), Akto uses the first configured or first discovered token during evaluation.

The order of configuration in UI determines which token gets applied.

circle-check

hashtag
Example Scenario

A Test Role has two auth configurations:

  1. Hard-coded token

    • Advanced Setting: URL path regex = .*v1.*

  2. Automated Auth token

    • No Advanced Settings configured

Based on the Example

  • For APIs whose path matches .*v1.* → The Hard-coded token (with Advanced Settings) is used.

  • For APIs that do not match the regex → The Automated Auth token (without Advanced Settings) is used by default.

hashtag
Get Support for your Akto setup

There are multiple ways to request support from Akto. We are 24X7 available on the following:

  1. In-app intercom support. Message us with your query on intercom in Akto dashboard and someone will reply.

  2. Join our discord channelarrow-up-right for community support.

  3. Contact [email protected]envelope for email support.

  4. Contact us herearrow-up-right.

PreviousConfigure Pre-request ScriptNextSet Up JSON Recording for Auth Tokens

Last updated