File: authentication.md | Updated: 11/18/2025
Most apps protect their main functionality using authentication. If you cannot authenticate to the app, you will not be able to find the most interesting and impactful vulnerabilities. Unfortunately, authentication is hard, especially as there are so many different ways that apps handle authentication.
These pages will tell you everything you need to know about testing an app with valid credentials in ZAP; they do not cover testing the authentication mechanism itself.
- **Authentication decision tree** - start here, it might just solve all of your authentication problems
- **How to make your life easier** - authentication is hard, don't make it harder than it needs to be
- **Auto-Detection** - if this works for you then it will make your life so much easier
- **Documented SSO Solutions** - these SSO providers have documented ways to make integration with tools like ZAP easier
- **Manual authentication** - how you can authenticate when testing manually
- **ZAP authentication concepts** - you will need to understand these in order to configure authentication in ZAP
- **Handling authentication yourself in automation** - how to handle authentication without as much ZAP configuration
- **Finding a verification URL** - you will need one of these
- **Session handling** - how to configure ZAP to maintain sessions
- **Authentication methods** - how ZAP authenticates to an app
- Verification strategies - Coming Soon
- **Diagnosing authentication problems** - what to do if you are getting stuck
- Monitoring with statistics - Coming Soon