Agent Creates New Account

Aikido's Pentest agents can create their own disposable test users for an assessment, based on natural-language instructions you provide. Instead of pre-creating accounts and sharing credentials, you describe how new users should be generated and the agent does the rest before the scan starts.

Use this feature if:

  • You want multi-role coverage (e.g. admin, editor, viewer) without manually creating one account per role.

  • Your application exposes a signup form or an admin/user-creation API the agent can call.

  • You prefer disposable accounts per assessment so test data doesn't accumulate in your staging environment.

This method works best on environments with a known signup flow or admin API. If your app has no programmatic way to create users, use one of the standard authentication methods instead and create accounts manually.

How it works

  1. During the preflight check, the agent reads your user creation instructions and creates one or more accounts. It can use a signup form, a curl-style API call, or run a short script.

  2. Aikido stores the resulting accounts as real test users, linked back to this generator. The original "Test user generator" entry is archived so it's not used for the scan itself.

  3. A second preflight runs and signs in with each provisioned user using your authentication instructions (which reference <generated_username> and <generated_password> placeholders). Successful sessions are captured for the main pentest.

  4. If preflight fails, the provisioned users are automatically rolled back and the generator is restored so you can edit your instructions and try again.

Setup Guide

1. Add a Test User

In the assessment wizard, click Add Test User > Custom > Agent Creates New Account.

By default the credential set is named Test user generator. Rename it if you want — this label is just for your reference.

[Screenshot: Add Test User menu showing Custom > Agent Creates New Account]
2. Describe How to Create Users

In the User creation instructions field, explain — in natural language — how the agent should generate accounts. Be explicit about:

  • Where to create users (a signup URL, or an admin endpoint).

  • What roles or variants you want (e.g. one viewer, one editor, one admin).

  • Any required fields like email, password, organization, or tenant.

  • Any tokens or admin credentials the agent should use.

Example using an admin API:

Create new users through the API for the following roles:
- viewer
- editor
- admin

Use the following curl request as a template, substituting the role and a fresh email and password for each user:
curl -X POST https://staging.example.com/api/admin/users \
    -H "x-api-key: test-admin-key" \
    -H "Content-Type: application/json" \
    -d '{"email":"<unique-email>","password":"<strong-password>","role":"<role>"}'

Always create a unique email and a secure password for every account, and confirm from the API response that the requested role was actually assigned.

Example using a signup form:

Create three new accounts via the signup form at https://staging.example.com/signup.

For each account:
1. Click "Sign up".
2. Enter a unique email and a strong password.
3. Submit the form and complete any onboarding screens.

Create one account per role (viewer, editor, admin) by selecting the matching plan during signup.
[Screenshot: Authentication Set modal with User creation and Authentication instructions]
3. Describe How to Log In

In the Authentication instructions field, describe the login flow for the users the agent just created. Use the placeholders <generated_username> and <generated_password> — Aikido replaces them with the real credentials when it tests each provisioned user.

Example:

1. Navigate to https://staging.example.com/login
2. Enter username: <generated_username>
3. Enter password: <generated_password>
4. Click "Log In"

Success criteria: The login is successful and the dashboard is visible.

Keep the success criteria unambiguous — a visible string on the post-login page works well.

4. Save & Test

Click Save & Test. Preflight runs in two passes:

  1. The agent provisions the accounts.

  2. The agent signs in with each new account and captures a session.

If both pass, the generator is replaced by the real test users in the assessment configuration. You're ready to launch the scan.

Tips & Best Practices

  • Use a dedicated admin token for the creation step, ideally one scoped to the staging environment; don't reuse a token tied to a real user. The token sits in plain text in your creation instructions, so treat it as a shared credential and revoke or rotate it once the assessment is done.

  • Cover all roles you care about so Aikido can test for Broken Access Control between privilege levels.

  • Be explicit about email uniqueness — many apps reject duplicate signups silently. Ask the agent to generate a unique email per account.

  • Set a clear success criterion in the login instructions. Vague criteria like "the page loads" can pass when the user is actually stuck on an onboarding screen.

  • Iterate freely. If preflight fails, you can edit the instructions and click Save & Test again — previously provisioned users are archived automatically.

Troubleshooting

  • User creation failed: Check that the API or signup URL is reachable from Aikido's IP range, and that any admin token in your instructions is still valid. Walk through your curl request or signup form manually to confirm the steps are correct.

  • Login fails in the second preflight: Tighten the success criterion in your authentication instructions, or include any extra steps (email verification, onboarding modal, MFA) that appear for newly created accounts. If new users need to verify an email, combine this method with the Email Verification flow.

  • Wrong roles assigned: Be explicit in the creation instructions about which role each user should get. If your API picks a default role, override it in the request body.

Need help?

Open the Intercom chat in the bottom right corner of the Aikido dashboard — our team can help you craft creation and login instructions that work for your stack.
