# Authenticated Scanning for Front-End Apps This guide will walk you through the steps to set up authenticated domain scanning in Aikido, ensuring thorough and secure assessments. > This feature is not available on **Free** Plans. ### Use Cases * Ensure comprehensive security assessments for protected areas of your website. * Identify vulnerabilities in authenticated sections of your domain. ### Setting up authentication on a domain **Step 1:** Go to the [Domains Overview](https://app.aikido.dev/settings/domains) and open the action menu for a domain of your choice by clicking the triple dots. Select **Authenticate Domain.** ![Domain action menu with options to scan, configure, authenticate, or delete a domain.](https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2Fgit-blob-9ff2baa9d095aebbc8b00e3d581e5320c1bcd0e6%2Fucarecdn-73e3a4bd-4171-4010-a569-83aadd2f0994.png?alt=media) **Step 2:** Fill in the URL and email/password for the domain authentication. Click **Test** to let Aikido check whether it can access the domain with those credentials. ![Form-based authentication setup for domain with login credentials and confirmation options.](https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2Fgit-blob-782f1f590fa33a5bb7b56b55b0f2bea870ba2191%2Fucarecdn-b335a98b-6c66-48a8-8507-96fc7da88beb.png?alt=media) **Step 3.** Once the test has been succeeded, you can **Confirm Authentication.** Aikido will do a thorough scan and all results will appear in Aikido. > Scan credentials are securely stored using PKCS1 encryption ## Authentication Options Fill in the URL and email/password for the domain authentication. Click **Test** to let Aikido check whether it can access the domain with those credentials. You can also enter the one time password information if two factor authentication is enabled. For [more information about the OTP URL and how it works, see the documentation](https://help.aikido.dev/dast-surface-monitoring/using-2fa-in-front-end-and-api-scans). {% hint style="success" %} * Microsoft / Google SSO is currently **not** supported. As a workaround, you can manually authenticate and pass a valid session using the Cookie header via custom headers. * Is your case not supported? Let us know via the chat and we will look into it! {% endhint %} ![Domain authentication setup screen for form-based login credentials configuration.](https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2FXdd1QcwDQOlanD6JOlJo%2FScreenshot%202026-01-09%20at%2014.16.32.png?alt=media\&token=161c5608-0dfa-485c-8306-1ba24e1ba6cd) Aikido will attempt to submit the form using the following rules: 1. Find a visible button or input field with `type=submit` while ignoring popular OAuth options like Google and Facebook 2. Find button based on the label or text. Looks for text equal or similar to: login, log in, submit, sign in, .. It does so in multiple languages. 3. Find button based on set of HTML ID's, for example `id=form-submit` 4. Find first visible button on page If your endpoints accepts a fixed key, cookie or token which should not change after creation, you can add it as a custom header via this option. Use-cases: * Cookies: Set the `Cookie` header. ``` Cookie: sessionId=38afes7a8 ``` * JWT Bearer token: Set the `Authorization` header ``` Authorization: Bearer ``` The AI Agent uses an LLM to control a real browser session. It follows the instructions you provide to complete the authentication process, just like a human would. This works well for: * Form based logins * Static OTP or one time codes * Multi step authentication flows * Custom or non standard login screens
Provide clear step by step instructions, including credentials and any required actions. The agent can handle redirects, dynamic pages, and intermediate steps without needing detailed configuration. In most cases, short and simple instructions are enough. ### Troubleshooting Authentication Issues #### Login via form Aikido scanner will use a fixed set identifiers to determine the username and password fields. Check that your input fields `id` or `name` parameters have one of the following values for the email or username field. ```javascript "email", "username", "Username", "login-email", "EmailOrUsername", "UserNameOrEmail", "username_login", "txtUsername", "user_email", "email-input' ``` Password field are found by looking for input fields with password type. ``` input[type="password"] ``` Submit buttons are found by looking for buttons or input fields with type submit. ``` button[type="submit"] input[type="submit"] ``` If you still encounter problems, please don't hesitate to reach out to support. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.aikido.dev/dast-surface-monitoring/front-end-scanning/authenticated-scanning-for-front-end-apps.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.