My application requires multiple forms of authentication (e.g. reCAPTCHA)
At this time (v1.2) we cannot scan an application that requires more than one form of authentication, or that includes a prove-your-humanity check such as reCAPTCHA, during login; you must choose one of the methods listed in our Quick Guide to Authenticated Web Application Scanning.
Authentication is handled by a different domain
Login Request URL
Currently (v1.0) the scanner will only authenticate to URLs within the scope to be scanned, so a login request that goes to a different domain cannot be used. For example, if the entry point is test.com/app, the login URL would need to be something like
After authenticating, there is a login redirect
Login Request URL
There are two options for this:
My application uses Multi-Factor Authentication (MFA/2FA)
Currently (v1.2) our scanner cannot complete a multi-factor authentication challenge, so it cannot log in to an account on which MFA/2FA is enforced.
There are a few options for this:
My application uses Single-Sign-On (SSO)
Currently (v1.2) our scanner isn't able to follow SSO authentication workflows (including AWS Cognito/SSO, Google Identity, Microsoft Azure AD, Okta, OneLogin, Auth0, JumpCloud, etc.), so a login that redirects to one of these identity providers cannot be completed by the scanner.
Authentication uses a JSON-based form
Unfortunately, we don't support applications whose login request is a JSON document (for example, a POST with Content-Type: application/json and a body such as {"username": "...", "password": "..."}) rather than a standard form submission.
Authentication uses JWT's (JSON Web Tokens)
We do handle JWTs. However, v1.2 does not support pre-populating Local Storage in our headless browser, so we may not be able to crawl single-page applications (SPAs) that read the token from Local Storage in order to render the authenticated view. JWTs that the application accepts as a cookie or in a request header are handled.
I have a short authentication token validity period
If you have set up authentication on one of your targets but the configured authentication value (e.g. the session cookie token or the header value) has a short validity period, you will need to update that value on the Target Detail page every time before you kick off a scan of the target. Where you can choose the lifetime of the value, pick one that covers the expected duration of the scan; otherwise the scan may outlive the credential.
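The two answers above (JWT handling and short token validity) both come down to checking the lifetime of the value you paste into the Target Detail page before a scan starts. The following Python is an added example, not code from the original page or from the scanner itself; the function names (jwt_claims, credential_check, make_demo_token), the assumed scan duration and the constructed sample token are illustrative assumptions. It reads a JWT's exp claim without verifying the signature (only the issuer's key can do that) and reports whether the token is already expired, will lapse before a scan of the given length finishes, or is fine to use.

```python
"""Inspect the expiry of a JWT before using it as a scan credential.

Added example, not part of the original page or the scanner's own code.
It decodes the token payload WITHOUT verifying the signature and reports
how long the value will remain valid, so a short-lived token can be
refreshed on the Target Detail page before the scan is kicked off.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT checked here: this only reads exp/iat/nbf for
    scheduling purposes, it does not establish that the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> Optional[float]:
    """Seconds until the token's exp claim, or None if the token has no exp."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        return None
    now = time.time() if now is None else now
    return float(claims["exp"]) - now


def credential_check(token: str, expected_scan_seconds: int,
                     now: Optional[float] = None) -> str:
    """Classify a token for use as a scan credential.

    'expired'   - refresh the value before starting the scan.
    'too-short' - valid now, but will lapse before the scan finishes.
    'ok'        - lifetime covers the expected scan duration.
    'no-expiry' - no exp claim; nothing to check from the token itself.
    """
    remaining = seconds_until_expiry(token, now)
    if remaining is None:
        return "no-expiry"
    if remaining <= 0:
        return "expired"
    if remaining < expected_scan_seconds:
        return "too-short"
    return "ok"


def make_demo_token(claims: dict) -> str:
    """Build a structurally valid JWT with a dummy signature.

    Constructed sample input only (assumption for this example); a real token
    comes from your application's login response or, in an SPA, from Local
    Storage in the browser.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    header = {"alg": "HS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.dummysig"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    # A token that lives 15 minutes, checked against an assumed one-hour scan.
    short_lived = make_demo_token({"sub": "scanner", "iat": now, "exp": now + 900})
    print(credential_check(short_lived, expected_scan_seconds=3600, now=now))
```

Run this against the token you are about to paste into the Target Detail page; a result of "expired" or "too-short" means you should obtain a fresh value (or, where you control the issuer, a longer-lived one for the scanning account) before starting the scan.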
My application uses passwordless One Time Passcode (OTP) authentication
At this time (v1.2) we are not able to retrieve the OTP sent to your email address or phone number. For this reason, you will need a workaround that lets the scanner authenticate to the application without being prompted for the OTP code; restrict any such workaround to the account and environment used for scanning.