Authentication Methods
Supported credential types for authenticated penetration testing.
CodeWall supports the following credential types when configuring an Authenticated (Gray Box) test.
Bearer Token
| Feature | Details |
|---|---|
| Use case | APIs and SPAs using token-based auth |
| How it works | Token sent as `Authorization: Bearer <token>` on every request |
| Supports | JWTs, opaque tokens, API access tokens |
| When to use | Your API or app uses Bearer tokens for auth |
Basic Auth
| Feature | Details |
|---|---|
| Use case | Applications using username/password authentication |
| How it works | Credentials encoded as `Authorization: Basic <base64>` |
| Supports | Username + password pairs |
| When to use | Internal tools, legacy apps, or APIs with basic auth |
Custom Headers
| Feature | Details |
|---|---|
| Use case | Non-standard authentication or additional context headers |
| How it works | One or more custom key-value headers sent with every request |
| Supports | Any header name and value |
| When to use | API keys (`X-API-Key`), tenant IDs (`X-Tenant-ID`), or other custom auth |
Combining credential types
You can add multiple credentials to a single test. For example:
- A Bearer token for authentication and a custom header for tenant identification
- Multiple tokens for testing privilege escalation between user roles
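A local pre-flight check for a combined credential set, added here as an example and not CodeWall's own code: it builds the headers described in the tables above and flags an expired JWT or two credentials that set the same header. The credential dictionary layout, function names, and sample values are assumptions; how CodeWall itself resolves overlapping headers is not stated on this page.

```python
import base64, json, time

def basic_header(user, password):  # RFC 7617: "Basic " + base64("user:password")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def jwt_claims(token):
    """Unverified payload of a JWT, or None if the token is opaque."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def build_headers(credentials, now=None):
    """Merge credential entries into one header set; return (headers, problems)."""
    now = time.time() if now is None else now
    headers, problems = {}, []
    for cred in credentials:
        if cred["type"] == "bearer":
            new = {"Authorization": "Bearer " + cred["token"]}
            exp = (jwt_claims(cred["token"]) or {}).get("exp")
            if isinstance(exp, (int, float)) and exp <= now:
                problems.append("bearer token is already expired")
        elif cred["type"] == "basic":
            new = {"Authorization": basic_header(cred["username"], cred["password"])}
        else:  # "headers": arbitrary custom key-value pairs
            new = dict(cred["headers"])
        for name, value in new.items():
            if name.lower() in (h.lower() for h in headers):  # names are case-insensitive
                problems.append(f"{name} is set by more than one credential")
            else:
                headers[name] = value
    return headers, problems

def sample_jwt(claims):
    # Constructed, unsigned sample token (placeholder signature "sig").
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"eyJhbGciOiJub25lIn0.{body}.sig"

if __name__ == "__main__":
    creds = [  # constructed sample values
        {"type": "bearer", "token": sample_jwt({"sub": "alice", "exp": 1})},
        {"type": "headers", "headers": {"X-Tenant-ID": "tenant-a"}},
        {"type": "basic", "username": "alice", "password": "s3cret"},
    ]
    print(build_headers(creds))
```

The `exp` check reads the JWT payload without verifying the signature, which is enough to catch a stale token before a run but says nothing about whether the target will accept it.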

