# Agent Creates New Account

Aikido's Pentest agents can create their own disposable test users for an assessment, based on natural-language instructions you provide. Instead of pre-creating accounts and sharing credentials, you describe how new users should be generated and the agent does the rest before the scan starts.

**Use this feature if:**

* You want **multi-role coverage** (e.g. `admin`, `editor`, `viewer`) without manually creating one account per role.
* Your application exposes a **signup form** or an **admin/user-creation API** the agent can call.
* You prefer **disposable accounts per assessment** so test data doesn't accumulate in your staging environment.

{% hint style="info" %}
This method works best on environments with a known **signup flow or admin API**. If your app has no programmatic way to create users, use one of the standard [authentication methods](/pentests/configure-a-pentest/setting-up-authenticated-testing.md) instead and create accounts manually.
{% endhint %}

### How it works

1. During the **preflight check**, the agent reads your **user creation instructions** and creates one or more accounts. It can use a signup form, a `curl`-style API call, or run a short script.
2. Aikido stores the resulting accounts as real test users, linked back to this generator. The original "Test user generator" entry is archived so it's not used for the scan itself.
3. A **second preflight** runs and signs in with each provisioned user using your **authentication instructions** (which reference `<generated_username>` and `<generated_password>` placeholders). Successful sessions are captured for the main pentest.
4. If preflight fails, the provisioned users are automatically rolled back and the generator is restored so you can edit your instructions and try again.

### Setup Guide

{% stepper %}
{% step %}
**Add a Test User**

In the assessment wizard, click **Add Test User** → **Custom** → **Agent Creates New Account**.

By default the credential set is named `Test user generator`. Rename it if you want — this label is just for your reference.

<div data-with-frame="true"><figure><img src="/files/sO8egXejO38VzlhSAVcV" alt="Add Test User menu showing Custom > Agent Creates New Account"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}
**Describe How to Create Users**

In the **User creation instructions** field, explain — in natural language — how the agent should generate accounts. Be explicit about:

* **Where** to create users (a signup URL, or an admin endpoint).
* **What roles or variants** you want (e.g. one viewer, one editor, one admin).
* **Any required fields** like email, password, organization, or tenant.
* **Any tokens or admin credentials** the agent should use.

**Example using an admin API:**

```
Create new users through the API for the following roles:
- viewer
- editor
- admin

Use the following curl request as a template, substituting a unique email, a strong password, and the target role for each user:
curl -X POST https://staging.example.com/api/admin/users \
    -H "x-api-key: test-admin-key" \
    -H "Content-Type: application/json" \
    -d '{"email":"jane@example.com","password":"password","role":"editor"}'

Always create a unique email and a secure password.
```

**Example using a signup form:**

```
Create three new accounts via the signup form at https://staging.example.com/signup.

For each account:
1. Click "Sign up".
2. Enter a unique email and a strong password.
3. Submit the form and complete any onboarding screens.

Create one account per role (viewer, editor, admin) by selecting the matching plan during signup.
```

<div data-with-frame="true"><figure><img src="/files/piynLlaUWSi8w7iXmBxx" alt="Authentication Set modal with User creation and Authentication instructions"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}
**Describe How to Log In**

In the **Authentication instructions** field, describe the **login flow** for the users the agent just created. Use the placeholders `<generated_username>` and `<generated_password>` — Aikido replaces them with the real credentials when it tests each provisioned user.

**Example:**

```
1. Navigate to https://staging.example.com/login
2. Enter username: <generated_username>
3. Enter password: <generated_password>
4. Click "Log In"

Success criteria: The login is successful and the dashboard is visible.
```

Keep the **success criteria** unambiguous — a visible string on the post-login page works well.
{% endstep %}

{% step %}
**Save & Test**

Click **Save & Test**. Preflight runs in two passes:

1. The agent provisions the accounts.
2. The agent signs in with each new account and captures a session.

If both pass, the generator is replaced by the real test users in the assessment configuration. You're ready to launch the scan.
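The two preflight passes described in this step and in the *How it works* section above, dry-run locally, as an added example (this is not Aikido's agent code and nothing the product exposes). It provisions one user per role against the `POST /api/admin/users` endpoint from the creation instructions, checks both the status code and the role the API echoes back, signs in as each user and looks for an explicit success marker, and rolls back every account it created if either pass fails. The `/login` endpoint, the `FakeAdminApi` in-memory server and all sample data are constructed assumptions so the script runs offline; point the same logic at your real staging API to confirm your instructions before clicking **Save & Test**.

```python
import secrets
import string
import uuid

ROLES = ["viewer", "editor", "admin"]
SUCCESS_MARKER = "Dashboard"   # unambiguous string expected on the post-login page
ADMIN_HEADERS = {"x-api-key": "test-admin-key", "Content-Type": "application/json"}


def unique_email(role, domain="example.com"):
    """Fresh address per account, so a silently ignored duplicate signup
    cannot hand us somebody else's record."""
    return f"pentest-{role}-{uuid.uuid4().hex[:8]}@{domain}"


def strong_password(length=20):
    """Cryptographically random password satisfying typical complexity rules."""
    symbols = "!@#$%^&*"
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in symbols for c in pw)):
            return pw


class FakeAdminApi:
    """Constructed in-memory stand-in for the staging app (an assumption, not a
    real service). It mimics two quiet failure modes: a duplicate email returns
    the existing record with HTTP 200, and a missing role falls back to the default."""

    def __init__(self, api_key="test-admin-key", default_role="viewer"):
        self.api_key, self.default_role, self.users = api_key, default_role, {}

    def post_users(self, headers, body):
        if headers.get("x-api-key") != self.api_key:
            return 401, {"error": "invalid api key"}
        if body["email"] in self.users:
            rec = self.users[body["email"]]
            return 200, {k: rec[k] for k in ("id", "email", "role")}
        rec = {"id": len(self.users) + 1, "email": body["email"],
               "role": body.get("role", self.default_role), "password": body["password"]}
        self.users[body["email"]] = rec
        return 201, {k: rec[k] for k in ("id", "email", "role")}

    def delete_user(self, headers, email):
        if headers.get("x-api-key") != self.api_key:
            return 401
        return 204 if self.users.pop(email, None) else 404

    def post_login(self, username, password):
        rec = self.users.get(username)
        if rec and secrets.compare_digest(rec["password"], password):
            return 200, f"<h1>{SUCCESS_MARKER}</h1><p>Signed in as {rec['role']}</p>"
        return 401, "<h1>Login failed</h1>"


def provision(api, roles, created, send_role=True):
    """Pass 1: create one user per role. Each account that got a 201 is appended
    to `created` before the role check, so rollback can always find it."""
    for role in roles:
        body = {"email": unique_email(role), "password": strong_password()}
        if send_role:
            body["role"] = role            # override the API's default role
        status, resp = api.post_users(ADMIN_HEADERS, body)
        if status != 201:                  # 200 here means a silent duplicate
            raise RuntimeError(f"{role}: expected 201, got {status}")
        created.append({"role": role, "username": body["email"], "password": body["password"]})
        if resp.get("role") != role:
            raise RuntimeError(f"{role}: API assigned role {resp.get('role')!r}")
    return created


def verify_logins(api, users):
    """Pass 2: sign in as each user and check the success criterion itself,
    not merely the status code (an onboarding screen can also return 200)."""
    for u in users:
        status, page = api.post_login(u["username"], u["password"])
        if status != 200 or SUCCESS_MARKER not in page:
            raise RuntimeError(f"{u['role']}: success criterion not met")
    return True


def preflight(api, roles=ROLES, send_role=True):
    """Run both passes; on any failure delete the users created so far so the
    next attempt starts clean. Returns (True, users) or (False, reason)."""
    created = []
    try:
        provision(api, roles, created, send_role)
        verify_logins(api, created)
        return True, created
    except RuntimeError as err:
        for u in created:                  # rollback
            api.delete_user(ADMIN_HEADERS, u["username"])
        return False, str(err)


if __name__ == "__main__":
    print(preflight(FakeAdminApi()))
    print(preflight(FakeAdminApi(), send_role=False))   # reproduces "wrong roles assigned"
```

Running it with `send_role=False` reproduces the "wrong roles assigned" case from the troubleshooting section: the API quietly hands the `editor` request the default `viewer` role, the role check catches it, and the accounts created so far are deleted so the instructions can be corrected and the run repeated. The same structure applies to a signup form, with the HTTP calls replaced by the browser steps from your instructions.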
{% endstep %}
{% endstepper %}

### Tips & Best Practices

* **Use a dedicated admin token** for the creation step, with only the permissions needed to create users, and revoke or rotate it after the assessment. Don't reuse a token tied to a real user: the token lives in the saved instructions, and anything it can do, the agent can do.
* **Cover all roles** you care about so Aikido can test for Broken Access Control between privilege levels.
* **Be explicit about email uniqueness** — many apps reject duplicate signups silently. Ask the agent to generate a unique email per account.
* **Set a clear success criterion** in the login instructions. Vague criteria like "the page loads" can pass when the user is actually stuck on an onboarding screen.
* **Iterate freely.** If preflight fails, the users provisioned by that attempt are rolled back and the generator entry is restored automatically, so you can edit the instructions and click **Save & Test** again.

### Troubleshooting

* **User creation failed:** Check that the API or signup URL is reachable from [Aikido's IP range](/pentests/prepare-a-pentest/ip-addresses-for-pentest.md), and that any admin token in your instructions is still valid. Walk through your `curl` request or signup form manually to confirm the steps are correct.
* **Login fails in the second preflight:** Tighten the success criterion in your authentication instructions, or include any extra steps (email verification, onboarding modal, MFA) that appear for newly created accounts. If new users need to verify an email, combine this method with the [Email Verification flow](/pentests/configure-a-pentest/setting-up-authenticated-testing/handling-email-verification-and-magic-links.md).
* **Wrong roles assigned:** Be explicit in the creation instructions about which role each user should get. If your API picks a default role, override it in the request body.

### Need help?

Open the **Intercom chat** in the bottom right corner of the Aikido dashboard — our team can help you craft creation and login instructions that work for your stack.

