
Authentication Configuration

NAT supports all common API authentication patterns. Providing valid credentials is critical — an unauthenticated scan will miss the majority of vulnerabilities that exist behind an auth boundary.

Authentication methods

Bearer Token (JWT / opaque)

nat scan --url https://api.example.com \
  --auth-type bearer \
  --token "eyJhbGciOiJSUzI1NiJ9..."

NAT adds Authorization: Bearer <token> to every request.

Using environment variables for credentials

Never paste a secret literally into a command. Keep it in an environment variable and expand it at run time:

export NAT_TOKEN="eyJhbGciOiJSUzI1NiJ9..."
nat scan --url https://api.example.com --auth-type bearer --token "$NAT_TOKEN"

Note that the shell expands "$NAT_TOKEN" before nat starts, so the token is still present in the process's argument list (visible in ps output) and, if the export is typed interactively, in shell history. The saved-credentials feature below avoids this: a profile names the variable via token_env and NAT reads it itself at scan time, so the secret never appears on the command line.

In CI/CD, store secrets in your provider's secret store:

# GitHub Actions
- uses: bg-playground/nat-action@v1
  with:
    api-url: https://api.example.com
    auth-type: bearer
    token: ${{ secrets.API_TOKEN }}

Saved credentials

In the dashboard or config file, you can save credential profiles for reuse:

# ~/.nat/config.yaml
credentials:
  my-api:
    auth_type: bearer
    token_env: MY_API_TOKEN  # NAT reads from this env var at scan time
  staging-oauth:
    auth_type: oauth2
    token_url: https://auth.example.com/oauth/token
    client_id: my-client
    client_secret_env: OAUTH_CLIENT_SECRET
    scope: "read write"

Then reference by name:

nat scan --url https://api.example.com --credentials my-api
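The following is an added example (the editor's code, not NAT's) that ties the two sections above together: it resolves a saved profile the way the config describes (the secret lives in the environment variable named by token_env or client_secret_env, never in the file), pre-checks a bearer JWT's exp claim so an expired token fails before the scan rather than as a wall of 401s, and assembles the `nat scan --credentials` command line so the secret never enters argv. The profile-resolution logic is an assumed reimplementation of the documented behaviour, the sample JWT is constructed and unsigned, and the flag names are the ones shown on this page.

```python
"""Added example (editor's code, not NAT's): resolve a saved credential profile the way
the config above describes, pre-check a bearer JWT's exp claim, and build the
`nat scan` command line so the secret never lands in argv."""
import base64
import json
import time

# Constructed, pre-parsed copy of the two profiles from ~/.nat/config.yaml above.
PROFILES = {
    "my-api": {"auth_type": "bearer", "token_env": "MY_API_TOKEN"},
    "staging-oauth": {
        "auth_type": "oauth2",
        "token_url": "https://auth.example.com/oauth/token",
        "client_id": "my-client",
        "client_secret_env": "OAUTH_CLIENT_SECRET",
        "scope": "read write",
    },
}

# Which profile key names the environment variable holding the secret, per auth type.
# (Assumed reimplementation of the documented token_env / client_secret_env behaviour.)
SECRET_REF = {"bearer": "token_env", "oauth2": "client_secret_env"}


def resolve_profile(name, env, profiles=PROFILES):
    """Copy of the profile with the secret pulled in from `env` (a dict like os.environ).

    The error message names the missing variable, never a value, so it is safe in CI logs."""
    profile = dict(profiles[name])
    ref_key = SECRET_REF[profile["auth_type"]]
    var = profile.pop(ref_key)
    if not env.get(var):
        raise LookupError(f"profile {name!r} expects its secret in ${var}, which is unset or empty")
    profile[ref_key[: -len("_env")]] = env[var]   # token_env -> token, client_secret_env -> client_secret
    return profile


def jwt_exp(token):
    """Numeric exp claim of a JWT, or None for opaque tokens or tokens without exp.

    Only the payload is decoded; nothing is verified here (that is the target API's job)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, int) else None


def token_is_live(token, now=None):
    """False if the token carries an exp claim that has already passed."""
    exp = jwt_exp(token)
    if exp is None:
        return True            # opaque token: nothing to check locally
    return exp > (now if now is not None else time.time())


def scan_argv(url, profile_name, env):
    """argv for `nat scan --credentials <profile>` (flags as documented on this page).

    The token is resolved only to pre-check it; argv carries the profile name, so the
    secret shows up neither in `ps` output nor in shell history."""
    profile = resolve_profile(profile_name, env)
    if profile["auth_type"] == "bearer" and not token_is_live(profile["token"]):
        raise ValueError(
            f"bearer token for profile {profile_name!r} is expired "
            f"(exp={jwt_exp(profile['token'])}); fetch a fresh one before scanning"
        )
    return ["nat", "scan", "--url", url, "--credentials", profile_name]


def make_sample_jwt(exp, sub="user-a"):
    """Constructed, unsigned sample JWT for demonstration; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "HS256", "typ": "JWT"})
    payload = enc({"sub": sub, "exp": exp})
    return f"{header}.{payload}.placeholder"


if __name__ == "__main__":
    import os
    env = {"MY_API_TOKEN": os.environ.get("MY_API_TOKEN") or make_sample_jwt(4102444800)}
    print(scan_argv("https://api.example.com", "my-api", env))
```

Run it with MY_API_TOKEN set to a real token to get the exact command to execute; with the variable unset it falls back to a constructed token that expires in 2100. The exp pre-check is deliberately local and unverified: it only catches the common "stale token from yesterday's session" case early, and a token that passes it can still be rejected by the target.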

Testing auth bypass

NAT tests authentication even with valid credentials — it probes for:

  • Unauthenticated access to authenticated endpoints
  • Horizontal privilege escalation (BOLA) — can User A access User B's resources?
  • Vertical privilege escalation — can a regular user call admin endpoints?
  • JWT weaknesses — algorithm confusion, none algorithm, expired token acceptance
  • Session fixation and token reuse

Provide at least two sets of credentials (e.g., two different user accounts) to enable full BOLA testing. Use --secondary-token for the second user's token.

nat scan --url https://api.example.com \
  --auth-type bearer \
  --token "$USER_A_TOKEN" \
  --secondary-token "$USER_B_TOKEN"
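As an added example (the editor's code, not NAT's probe logic), here is what the unauthenticated-access and BOLA checks from the list above look like when done by hand, using the same two-token setup as the command: one token for the resource owner and a second for another user. It runs against an in-process HTTP server with a deliberately missing ownership check, and against a hardened variant that enforces it, so it works offline. The API shape (GET /orders/<id>), the tokens and the order data are all constructed for the example.

```python
"""Added example (editor's code, not NAT's): the unauthenticated-access and BOLA probes
from the list above, run against an in-process HTTP server that deliberately skips the
ownership check, and against a hardened variant that enforces it."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data: two users' bearer tokens and the orders each one owns.
TOKENS = {"token-user-a": "alice", "token-user-b": "bob"}   # bearer token -> user
ORDERS = {"1001": "alice", "1002": "bob"}                    # order id -> owner


class VulnerableOrdersAPI(BaseHTTPRequestHandler):
    """GET /orders/<id>: authenticates the caller but never checks object ownership."""
    ENFORCE_OWNERSHIP = False

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        user = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if user is None:
            return self._reply(401, {"error": "unauthenticated"})
        order_id = self.path.rsplit("/", 1)[-1]
        if order_id not in ORDERS:
            return self._reply(404, {"error": "not found"})
        # Deliberate BOLA: without this check any authenticated user can read any order.
        if self.ENFORCE_OWNERSHIP and ORDERS[order_id] != user:
            return self._reply(403, {"error": "forbidden"})
        self._reply(200, {"order": order_id, "owner": ORDERS[order_id]})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # silence per-request logging
        pass


class HardenedOrdersAPI(VulnerableOrdersAPI):
    """Same API with the ownership check switched on."""
    ENFORCE_OWNERSHIP = True


def start_server(handler):
    """Serve `handler` on a random loopback port in a daemon thread; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def status_for(url, token=None):
    """HTTP status of a GET, optionally with `Authorization: Bearer <token>`."""
    req = Request(url)
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def probe_object(base_url, path, owner_token, other_token):
    """Probe one object the way the list above describes: first confirm the owner can read
    it (otherwise a 200 for the second user proves nothing), then try no token at all and
    the other user's token."""
    url = base_url + path
    if status_for(url, owner_token) != 200:
        return ["baseline failed: owner cannot read the resource"]
    findings = []
    if status_for(url) == 200:
        findings.append("unauthenticated access")
    if status_for(url, other_token) == 200:
        findings.append("BOLA: second user can read the first user's resource")
    return findings


if __name__ == "__main__":
    for handler in (VulnerableOrdersAPI, HardenedOrdersAPI):
        srv = start_server(handler)
        base = f"http://127.0.0.1:{srv.server_port}"
        print(handler.__name__, probe_object(base, "/orders/1001", "token-user-a", "token-user-b"))
        srv.shutdown()
        srv.server_close()
```

The baseline request with the owner's token is the part people skip: without it, a 403 or 404 for the second user could just as well mean the path is wrong or the first token is dead, and a scanner would report a clean result for an endpoint it never actually reached. The same structure extends to vertical escalation by swapping in an admin path and a regular user's token.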

OAuth2 flows

Flow                 --oauth2-grant-type value        Use case
Client Credentials   client_credentials (default)     Service-to-service, M2M
Password             password                         Legacy systems with username/password
Authorization Code   authorization_code               User-delegated access (requires browser)

Troubleshooting auth issues

See Auth Issues troubleshooting for common problems and fixes, including:

  • 401/403 responses during scan
  • OAuth2 token fetch failures
  • JWT validation errors

Next steps