The pensar auth command automates authentication to web applications, handling login flows, token verification, and auth mechanism discovery.

Synopsis

pensar auth --target <url> [options]

Description

The auth command helps you:
  • Automatically authenticate to applications
  • Discover authentication mechanisms
  • Verify bearer tokens and API keys
  • Test existing session cookies
  • Export authentication data for pentesting
Authentication data is securely stored and never exposed to AI models. Only authentication results and metadata are processed by AI.

Required Arguments

--target
string
required
Target URL to authenticate against.
pensar auth --target https://app.example.com
Should point to the application’s authentication endpoint or base URL.

Authentication Options

--username
string
Username for login.
pensar auth --target https://app.example.com --username admin
Used for form-based or API authentication.
--password
string
Password for login.
pensar auth \
  --target https://app.example.com \
  --username admin \
  --password SecurePass123
Passwords are never sent to AI models. They’re only used by browser automation tools.
--api-key
string
API key for authentication.
pensar auth \
  --target https://api.example.com \
  --api-key sk-1234567890abcdef
Tests API key authentication schemes.
--bearer
string
Bearer token to verify.
pensar auth \
  --target https://api.example.com \
  --bearer "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Verifies an existing JWT or bearer token.
--cookies
string
Existing session cookies to verify.
pensar auth \
  --target https://app.example.com \
  --cookies "session=abc123; user_id=456"
Tests if existing cookies grant authenticated access.

Configuration Options

--model
string
default: "claude-sonnet-4-5"
AI model to use for authentication discovery.
pensar auth --target ... --model claude-opus-4
--no-browser
boolean
Disable browser automation tools.
pensar auth --target ... --username ... --password ... --no-browser
Forces API-based authentication only (faster but may not work for complex login flows).
--discover-only
boolean
Only discover authentication requirements without attempting login.
pensar auth --target https://app.example.com --discover-only
Useful for understanding auth requirements before providing credentials.

Examples

Discover Authentication

Learn what authentication is required:
pensar auth --target https://app.example.com --discover-only
==========================================================
AUTHENTICATION DISCOVERY
==========================================================
Target: https://app.example.com

→ Analyzing authentication mechanisms...
✓ Detected: Form-based login
  Login URL: https://app.example.com/login
  Fields: username, password
  Method: POST

→ Additional requirements:
  - CSRF token required
  - reCAPTCHA present (may need manual bypass)

To authenticate:
  pensar auth \
    --target https://app.example.com \
    --username <user> \
    --password <pass>

Form-Based Login

Authenticate with username/password:
pensar auth \
  --target https://app.example.com \
  --username testuser \
  --password testpass123
==========================================================
AUTHENTICATION
==========================================================
Target:   https://app.example.com
Method:   Form-based login
Username: testuser

→ Navigating to login page...
✓ Found login form
→ Filling credentials...
→ Submitting form...
✓ Login successful

→ Extracting session data...
✓ Session cookies captured
✓ Auth tokens extracted

Authentication data saved to:
  ~/.pensar/auth/app.example.com/session.json

Exported data:
  - Cookies: session=..., csrf_token=...
  - Headers: Authorization: Bearer eyJ...
  - Valid until: 2024-03-05 18:30:00 UTC

Use this session for pentesting:
  pensar pentest --target https://app.example.com --auth-file ~/.pensar/auth/app.example.com/session.json

API Key Verification

Test if an API key is valid:
pensar auth \
  --target https://api.example.com \
  --api-key sk-1234567890abcdef

Bearer Token Verification

Verify a JWT token:
pensar auth \
  --target https://api.example.com \
  --bearer "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
==========================================================
TOKEN VERIFICATION
==========================================================
Target: https://api.example.com

→ Testing bearer token...
✓ Token is valid
→ Decoding JWT...

Token details:
  - Algorithm: HS256
  - Subject: 1234567890
  - Name: John Doe
  - Issued: 2018-01-18 01:30:22 UTC
  - Expires: Not set (does not expire)

Permissions:
  - Access to: /api/users, /api/posts
  - Role: admin

⚠ Warning: Token does not expire (security risk)
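To reproduce the decode step locally, here is an added Python example (not part of pensar) that inspects the same demo token used in the --bearer example above without verifying its signature, and flags the missing exp claim the way the output does. inspect_jwt and its result layout are this example's own names.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the same demo JWT shown in this page's --bearer example.
SAMPLE_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(token: str, now: Optional[int] = None) -> dict:
    """Decode header and payload WITHOUT verifying the signature and list the
    weaknesses a reviewer would flag. Signature verification needs the issuer's
    key and is out of scope here; an unverified payload must never be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    now = now if now is not None else int(datetime.now(timezone.utc).timestamp())
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token carries no signature at all")
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: token does not expire")
    elif exp <= now:
        findings.append("expired at " + datetime.fromtimestamp(exp, timezone.utc).isoformat())
    issued = payload.get("iat")
    return {
        "header": header,
        "payload": payload,
        "issued_at": datetime.fromtimestamp(issued, timezone.utc).isoformat() if issued else None,
        "expired": exp is not None and exp <= now,
        "findings": findings,
    }

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(SAMPLE_JWT), indent=2))
```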

Cookie Verification

Test existing cookies:
pensar auth \
  --target https://app.example.com \
  --cookies "session_id=abc123xyz; remember_token=def456"

OAuth Authentication

For OAuth flows, use discovery first:
# Discover OAuth requirements
pensar auth --target https://app.example.com --discover-only

# Follow instructions for OAuth (browser-based flow)
pensar auth --target https://app.example.com

Authentication Methods Supported

Traditional HTML form login:
pensar auth \
  --target https://app.example.com \
  --username user \
  --password pass
Handles:
  • CSRF tokens
  • Hidden form fields
  • POST/GET methods
  • Session cookies
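As an added illustration of the discovery step (not pensar's own implementation), the following Python parses a constructed login page and reports what the discovery output lists: login URL, method, credential fields, and whether a CSRF-style hidden token must be replayed with the submission. The class and function names are assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample login page; not fetched from any real target.
SAMPLE_LOGIN_HTML = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="t0k3n">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>"""

class FormCollector(HTMLParser):
    """Record each <form> with its action, method, visible inputs and hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "method": (a.get("method") or "get").upper(),
                         "inputs": {}, "hidden": {}}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            kind = (a.get("type") or "text").lower()
            if kind == "hidden":
                self._cur["hidden"][a["name"]] = a.get("value") or ""
            else:
                self._cur["inputs"][a["name"]] = kind  # name -> input type

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def discover_login_form(html: str, page_url: str) -> dict:
    """Mirror the discovery output: login URL, method, credential fields, and
    whether a CSRF-style hidden token must be echoed back on submission."""
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if "password" in form["inputs"].values():  # the login form has a password input
            return {
                "login_url": urljoin(page_url, form["action"]),
                "method": form["method"],
                "fields": list(form["inputs"]),
                "hidden_fields": form["hidden"],
                "csrf_required": any("csrf" in n.lower() or "token" in n.lower() for n in form["hidden"]),
            }
    raise ValueError("no form with a password field found")
```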

Use Cases

Pentesting Authenticated Apps

Get auth data before running a pentest

Token Validation

Verify JWT tokens and API keys

Auth Flow Testing

Test OAuth and complex auth flows

Session Management

Reuse sessions across multiple pentests

Exported Authentication Data

Authentication data is saved to ~/.pensar/auth/<domain>/session.json:
{
  "target": "https://app.example.com",
  "method": "form-based",
  "authenticated": true,
  "cookies": {
    "session": "abc123...",
    "csrf_token": "xyz789..."
  },
  "headers": {
    "Authorization": "Bearer eyJ..."
  },
  "expires": "2024-03-05T18:30:00Z",
  "permissions": ["read:users", "write:posts"]
}
Use in a pentest:
pensar pentest \
  --target https://app.example.com \
  --auth-file ~/.pensar/auth/app.example.com/session.json
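An added example (not pensar code) of how a follow-up script can consume session.json safely: it refuses an expired, unauthenticated or wrong-target session and turns the stored cookies and headers into the request headers an HTTP client would send. The file content below is constructed to match the layout documented above, with placeholder secret values; build_request_headers is an assumed name.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the session.json layout this page documents;
# the cookie and token values are placeholders, not real credentials.
SAMPLE_SESSION = """{
  "target": "https://app.example.com",
  "method": "form-based",
  "authenticated": true,
  "cookies": {"session": "abc123...", "csrf_token": "xyz789..."},
  "headers": {"Authorization": "Bearer eyJ..."},
  "expires": "2024-03-05T18:30:00Z",
  "permissions": ["read:users", "write:posts"]
}"""

def parse_iso(value: str) -> datetime:
    """Parse the ISO-8601 timestamps in the file; accept a trailing Z on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_request_headers(session_json: str, now_iso: Optional[str] = None,
                          target: Optional[str] = None) -> dict:
    """Return the headers to reuse this session, or raise if it must not be reused."""
    s = json.loads(session_json)
    now = parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    if not s.get("authenticated"):
        raise ValueError("session was never authenticated")
    # Never replay one host's cookies or bearer token against another host.
    if target and s.get("target") != target:
        raise ValueError(f"session is for {s.get('target')}, not {target}")
    if s.get("expires") and parse_iso(s["expires"]) <= now:
        raise ValueError(f"session expired at {s['expires']}; re-run pensar auth")
    headers = dict(s.get("headers", {}))
    if s.get("cookies"):
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in s["cookies"].items())
    return headers

def has_permission(session_json: str, scope: str) -> bool:
    """Check a scope (e.g. 'write:posts') against the exported permissions list."""
    return scope in json.loads(session_json).get("permissions", [])
```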

Troubleshooting

If login fails, common causes are:
  1. Incorrect credentials - Verify username/password
  2. CAPTCHA present - May require manual solving
  3. Rate limiting - Target may block automated login
  4. MFA required - See Authentication Guide for MFA support
If token verification fails, check:
# Verify token format: a JWT is three base64url segments joined by dots,
# so decode the payload (second segment) after restoring its '=' padding
payload=$(printf '%s' "$TOKEN" | cut -d. -f2 | tr '_-' '/+')
while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="$payload="; done
printf '%s\n' "$payload" | base64 -d

# Check if token is expired
# (JWT expiration is in the 'exp' claim, a Unix timestamp; compare with `date +%s`)
Use jwt.io to decode and inspect tokens.
If browser automation fails, try without the browser:
pensar auth \
  --target ... \
  --username ... \
  --password ... \
  --no-browser
Or ensure browser dependencies are installed:
pensar doctor

Next Steps

Authentication Guide

Learn about advanced auth scenarios

Run Pentest

Use auth data for authenticated pentesting

Sessions

Manage authentication sessions

API Reference

Programmatic authentication API
