Auth Session Attribution

Auth Session Attribution is used to determine whether an API request is part of an authenticated user session. This helps in classifying APIs as Authenticated or Unauthenticated based on the presence of valid authentication information in the request.

Why it Matters

Identifying authenticated traffic is essential to:

How it Works

The AppSentinels platform uses header values, cookies, or JWT tokens to detect the presence of authentication information. This can be done using default fields or by configuring custom fields.

Default Auth Session Attribution

Out-of-the-box, AppSentinels supports common fields such as:

You can simply check the required fields to activate them.

Custom Auth Session Attribution

You can define custom logic to identify authenticated requests by specifying your own fields and formats. Click + New Custom Attribution to configure:

Field                                  Description
Field Location                         Where to look for the auth token (e.g., Req.Header, Req.Cookie, Resp.Body).
Field sublocation                      The specific header or key name (e.g., authorization, x-auth-token).
Type (optional)                        Format of the token, such as bearer.jwt, which allows parsing JWT claims.
Field to extract session identifier    For JWT, the claim to extract as the identifier (e.g., sub, userId).
Regex (optional)                       Enable this if:
                                         • You want to match API URIs using regex (e.g., /api/v1/.*).
                                         • You want to extract the auth token using a regex pattern.
APIs                                   Select the APIs this rule applies to, or define a URI pattern using regex.

Once added, AppSentinels will apply this rule to incoming traffic and mark those APIs as authenticated if the configured token is present.

Example Configuration

Field                                  Example Value
Field Location                         Req.Header
Field sublocation                      authorization
Type                                   bearer.jwt
Field to extract session identifier    sub
Regex                                  Off
APIs                                   POST /user/login, GET /profile

This tells AppSentinels to inspect the Authorization header of those two APIs for a bearer JWT and to extract the sub claim as the session identifier; requests that carry such a token are marked as authenticated.
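To make the rule fields and the example configuration concrete, here is an added Python model of the attribution logic (example code written for this page, not AppSentinels' own implementation or configuration format). It assumes a rule dict with the fields from the table, handles only Req.Header and Req.Cookie locations, and, like attribution itself, reads the JWT claim without verifying the signature.

```python
import base64
import json
import re
# Constructed rule mirroring the page's example configuration; the dict layout is
# an assumption of this example, not AppSentinels' own configuration format.
RULE = {"location": "Req.Header", "sublocation": "authorization", "type": "bearer.jwt",
        "identifier_claim": "sub", "regex": False, "apis": ["POST /user/login", "GET /profile"]}

def jwt_claims(token):
    # Read the payload of a compact JWT (header.payload.signature). Attribution only needs
    # the claim value, so the signature is NOT verified: the result labels traffic, it does not prove validity.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def rule_matches_api(rule, method, path):
    # Regex mode matches the URI against patterns such as /api/v1/.*; otherwise the
    # request must be one of the explicitly selected "METHOD /path" entries.
    if rule["regex"]:
        return any(re.fullmatch(p, path) for p in rule["apis"])
    return f"{method} {path}" in rule["apis"]

def attribute_session(rule, method, path, headers, cookies):
    # Returns (is_authenticated, session_identifier) for one request.
    if not rule_matches_api(rule, method, path):
        return (False, None)
    if rule["location"] == "Req.Header":
        source = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    else:
        source = cookies
    value = source.get(rule["sublocation"].lower())
    if not value:
        return (False, None)
    if rule["type"] != "bearer.jwt":
        return (True, value)   # opaque token: presence alone marks the request authenticated
    scheme, _, token = value.partition(" ")
    claims = jwt_claims(token) if scheme.lower() == "bearer" else None
    if not isinstance(claims, dict) or rule["identifier_claim"] not in claims:
        return (False, None)
    return (True, str(claims[rule["identifier_claim"]]))

def build_test_jwt(payload):
    # Constructed token for offline testing only; the signature segment is a placeholder, not a real credential.
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(payload)}.notarealsignature"
```

A request to GET /profile with a bearer JWT whose sub claim is present is reported as authenticated with that claim as the session identifier; a missing header, a malformed token, or an API outside the rule's scope yields unauthenticated.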