Set Up JSON Recording for Auth Tokens
Akto allows you to use Chrome Recordings to extract and reuse authentication data like tokens or cookies during API testing. This guide walks you through recording creation, upload, extraction, and configuration.

1. How to Create Chrome Recording
To extract auth tokens or cookies from API calls:
Open Chrome DevTools (Cmd + Option + I on Mac or Ctrl + Shift + I on Windows/Linux).
Navigate to the Recorder tab (enable from Chrome Experiments if hidden).
Click "Start a New Recording" and name the session.
Perform your complete login flow, ensuring any request with access_token, session cookies, or auth_token is triggered.
Stop the recording.
Click the download icon and select “Export as JSON”.

2. How to Upload Chrome Recording
Go to Akto Dashboard > Testing > Test Roles.
Paste a Token Fetch Command to extract the token or cookie (see below).
Click Upload JSON Recording.
Akto will extract and verify the token/cookie within a couple of minutes.

3. Add Timeouts of 40 Seconds
Keep in mind:
The Chrome recording session (especially the login flow) should complete in under 40 seconds.
Token fetch command execution is limited to 40 seconds in Akto.
If extraction or upload takes longer, the process will fail.

4. Intercept and Locate Auth Tokens / Cookies
During recording, inspect the following sources in DevTools:
Auth Tokens: Look in response bodies for keys like access_token, auth_token, id_token.
Cookies: Look under response headers (Set-Cookie) or browser storage (localStorage, sessionStorage).
Knowing where your token is returned helps when writing the Token Fetch Command.

5. How to Write Command to Extract cookieMap or Auth Token
Paste the appropriate JavaScript command into the Token Fetch Command field in Akto.
✅ To extract all cookies as a header:
Object.entries(cookieMap).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join('; ')
✅ To extract an auth token from localStorage:
"Bearer " + JSON.parse(Object.values(window.localStorage).find(x => x.indexOf("access_token") > -1)).body.access_token
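
The two commands above, rewritten with failure handling so the logic can be checked locally (Node or the DevTools console) before it is pasted into the Token Fetch Command field. This is an added example, not Akto's own code: the function names cookieHeader and bearerFromStorage are hypothetical, and the cookie and storage contents are constructed. It covers the case where a localStorage value contains the text access_token but is not JSON, which makes the one-line command throw.

```javascript
// Added example: constructed stand-ins for the values a Token Fetch Command sees.
// In the browser, `storage` would be window.localStorage and `cookieMap` the
// cookie object used by the page's first command.

// Build a Cookie header value from a name -> value map (the page's first command).
function cookieHeader(cookieMap) {
  return Object.entries(cookieMap)
    .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
    .join('; ');
}

// Find the first storage value that parses as JSON and carries
// body.access_token, then return it as a Bearer header value.
// Throws instead of returning "Bearer undefined" when nothing matches.
function bearerFromStorage(storage) {
  for (const raw of Object.values(storage)) {
    if (typeof raw !== 'string' || !raw.includes('access_token')) continue;
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch {
      continue; // substring matched, but the value is not JSON
    }
    const token = parsed && parsed.body && parsed.body.access_token;
    if (typeof token === 'string' && token.length > 0) return 'Bearer ' + token;
  }
  throw new Error('no localStorage entry with body.access_token');
}

// Constructed sample data (not real tokens or cookies).
const sampleCookies = { session_id: 'abc 123', theme: 'dark;mode' };
const sampleStorage = {
  featureFlags: 'access_token_refresh=on', // matches the substring, not JSON
  loginResponse: '{"body":{"access_token":"tok-EXAMPLE"}}',
};

console.log(cookieHeader(sampleCookies));
console.log(bearerFromStorage(sampleStorage));
```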

6. How to Use the "Extract" Section
After the token is fetched, define how Akto should use it for authentication.
Scroll to the Extract section.
Choose the source:
Header — to send the token in a request header (e.g., Authorization)
Body — if the token must be sent in the request body
Specify:
Key: e.g., Authorization
Value: Reference the token using ${x1.response.body.token} or your specific token path.
Example:
Source: Header
Key: Authorization
Value: ${x1.response.body.token}
This lets Akto inject the token into future requests dynamically.

Get Support for your Akto setup
There are multiple ways to request support from Akto. We are available 24x7 on the following:
In-app Intercom support. Message us with your query on Intercom in the Akto dashboard and someone will reply.
Join our Discord channel for community support.
Contact [email protected] for email support.