Auth Profiles

Auth profiles attach authentication to web accessibility assessments without pasting secrets into the workbench UI. Each profile stores a strategy and a configuration object. Secret values are resolved from environment variables at runtime.

Auth profiles apply to web live runs only. Native artifact runs do not use auth profiles.

Supported Strategies

Authentication strategies
Strategy | Description | Use Case
storage-state | Load a Playwright storage state file (cookies and localStorage) from a prior browser session | Reuse an existing login session without re-authenticating
scripted-login | Execute an ordered sequence of browser automation steps to log in | Automated login flows with username/password or multi-step authentication
headers | Inject HTTP headers into every request during the audit | Bearer tokens, API keys, or custom auth headers

storage-state

Load a Playwright storage state file captured from a prior browser session.

{
  "id": "staging-cookies",
  "name": "Staging Cookies",
  "strategy": "storage-state",
  "config": {
    "storageStatePath": "/path/to/storage-state.json"
  },
  "created_at": "2026-01-15T10:00:00.000Z"
}

To generate a storage state file:

npx playwright codegen --save-storage=storage-state.json https://example.com

Log in manually in the browser that opens, then close it. The resulting file contains cookies and localStorage entries that Playwright will inject before navigating to your audit URLs.

scripted-login

Execute an ordered sequence of browser automation steps to log in before the audit begins.

{
  "id": "prod-login",
  "name": "Production Login",
  "strategy": "scripted-login",
  "config": {
    "steps": [
      { "action": "navigate", "url": "https://example.com/login" },
      { "action": "fill", "selector": "#username", "value": { "env": "AUDIT_USERNAME" } },
      { "action": "fill", "selector": "#password", "value": { "env": "AUDIT_PASSWORD" } },
      { "action": "click", "selector": "button[type=submit]" },
      { "action": "wait-for-url", "pattern": "**/dashboard**" }
    ]
  },
  "created_at": "2026-01-15T10:00:00.000Z"
}

Available step actions

Scripted login step actions
Action | Fields | Purpose
navigate | url | Go to a URL
fill | selector, value | Type into an input
click | selector | Click an element
wait | selector | Wait for an element to appear
wait-for-url | pattern | Wait for the URL to match a glob
wait-for-timeout | ms | Wait a fixed number of milliseconds

Values can be a plain string or an { "env": "VAR_NAME" } reference. Environment variable references are resolved at execution time from your shell environment.

headers

Inject HTTP headers into every request during the audit.

{
  "id": "api-bearer",
  "name": "API Bearer Token",
  "strategy": "headers",
  "config": {
    "headers": {
      "Authorization": { "env": "AUDIT_BEARER_TOKEN" },
      "X-Custom-Header": "static-value"
    }
  },
  "created_at": "2026-01-15T10:00:00.000Z"
}

Header values can be plain strings or { "env": "VAR_NAME" } references.

Profile ID Format

Profile IDs must be lowercase alphanumeric with hyphens, starting with a letter or digit.

Security Model

Using a Profile in an Audit

  1. Create the profile via the workbench UI or the API (POST /api/auth-profiles).
  2. Ensure the required environment variables are set in your shell before starting the workbench.
  3. When creating a new web audit, select the profile from the dropdown.
  4. The profile ID is stored in the run config. At execution time, the profile is resolved and its config is passed to the web auditor.
  5. After use, the profile's last_used_at timestamp is updated.
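
A pre-flight check for step 2 above, as an added example that is not the workbench's own code: it validates the profile ID, lists the environment variables a profile references, and reports unset ones without printing any secret value. The function name checkProfile, the ID pattern, the set of secret-bearing header names, and the password-selector heuristic are assumptions, not taken from the project.

```javascript
// Added example: pre-flight check for an auth profile (not the workbench's own code).
// Assumption: the ID rule on this page maps to this pattern; the project's exact regex is not shown.
const ID_PATTERN = /^[a-z0-9][a-z0-9-]*$/;
// Assumption: header names treated as secret-bearing for the literal-value warning.
const SECRET_HEADERS = new Set(["authorization", "cookie", "x-api-key"]);

const isEnvRef = (v) => v !== null && typeof v === "object" && typeof v.env === "string";

// Returns { errors, warnings, requiredEnv }; messages name variables, never their values.
function checkProfile(profile, env = process.env) {
  const errors = [];
  const warnings = [];
  const requiredEnv = new Set();
  if (!ID_PATTERN.test(profile.id ?? "")) {
    errors.push(`invalid profile id: ${JSON.stringify(profile.id)}`);
  }
  const visit = (value, where, sensitive) => {
    if (isEnvRef(value)) {
      requiredEnv.add(value.env);
      if (!env[value.env]) errors.push(`${where}: env var ${value.env} is not set`);
    } else if (typeof value === "string") {
      if (sensitive) warnings.push(`${where}: literal value stored in profile; use an env reference`);
    } else {
      errors.push(`${where}: value must be a string or { "env": "VAR_NAME" }`);
    }
  };

  const config = profile.config ?? {};
  if (profile.strategy === "headers") {
    for (const [name, value] of Object.entries(config.headers ?? {})) {
      visit(value, `headers.${name}`, SECRET_HEADERS.has(name.toLowerCase()));
    }
  } else if (profile.strategy === "scripted-login") {
    (config.steps ?? []).forEach((step, i) => {
      if (step.action === "fill") {
        // Assumption: a selector mentioning "pass" marks a password field.
        visit(step.value, `steps[${i}].value`, /pass/i.test(step.selector ?? ""));
      }
    });
  }
  return { errors, warnings, requiredEnv: [...requiredEnv].sort() };
}

// Constructed sample mirroring the headers profile on this page; empty env passed explicitly.
const sample = { id: "api-bearer", strategy: "headers",
  config: { headers: { Authorization: { env: "AUDIT_BEARER_TOKEN" }, "X-Custom-Header": "static-value" } } };
console.log(checkProfile(sample, {}));
```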

API Reference

Auth profile API endpoints
Method | Route | Purpose
GET | /api/auth-profiles | List all profiles (ID, name, strategy only)
POST | /api/auth-profiles | Create or update a profile
DELETE | /api/auth-profiles/:id | Delete a profile