User ID Attribution
User ID Attribution enables the AppSentinels platform to associate API requests with individual users. Instead of just relying on IP addresses, it links each request to a specific user identifier—helping enrich threat detection and behavior analytics with user-level granularity.
Why It Matters
- Helps track which user initiated each API call.
- Enables user-specific threat detection (e.g., stolen token usage, privilege abuse).
- Enhances visibility into user activity patterns across sessions and APIs.
How It Works
AppSentinels extracts user identifiers from headers, cookies, or tokens in requests or responses. These identifiers are then linked with API sessions previously established through Session Attribution.
Default User ID Attribution
AppSentinels supports commonly used fields out of the box. You can enable any of the following defaults:
req.header.Cookie.UserID
req.header.X-MSISDN
req.header.X-IMEI
req.header.X-USER
req.header.From
req.header.X-UID
req.header.Set-Cookie.UserID
These fields help identify users without requiring manual configuration.
Custom User ID Attribution
If your application uses a custom header or embeds user data in JWT tokens, you can define custom rules. Click + New Custom Attribution to open the configuration:
Field | Description |
---|---|
Field Location | Choose where the user identifier resides. Options include: Req.Header, Req.Cookie, Resp.Header, Resp.Body, etc. |
Field sublocation | The specific key or field from which the user ID is to be extracted. Examples: authorization, x-user-id, x-user-token. |
Type (optional) | Select the format of the data—commonly bearer.jwt if it's a JWT token. This helps in parsing and extracting specific claims. |
Field to extract session identifier | (Mandatory when type is JWT) Specify the JWT claim that contains the user ID. Examples: sub, email, or nested fields like data.userId. |
Regex (optional) | Enable this if you want to match API URIs using a regular expression. |
APIs | Choose specific APIs this rule applies to. If Regex is enabled, the value here will be treated as a pattern for API URI matching. |
Example Configuration
Field | Example Value |
---|---|
Field Location | Req.Header |
Field sublocation | authorization |
Type | bearer.jwt |
Field to extract identifier | data.email |
Regex | Off |
APIs | All or selected endpoints |
This config helps AppSentinels extract the user’s email ID from a JWT in the Authorization header, making it possible to attribute API activity to that user.
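As an added illustration (not AppSentinels' own code), the Python below models how a rule like the one above is evaluated against a request: it resolves the configured location and sublocation, unwraps a bearer.jwt value, and walks a dotted claim path such as data.email. The rule dictionary keys, the helper names and the sample request headers are constructed for this example; note that reading a claim this way does not verify the token's signature, so the attributed identity is only as trustworthy as the upstream authentication that validated the token.

```python
import base64
import json
from typing import Any, Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _jwt_claims(token: str) -> dict:
    # Decode the payload segment only. This does NOT verify the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    return json.loads(_b64url_decode(parts[1]))

def _claim_path(claims: dict, path: str) -> Optional[Any]:
    # Resolve a dotted path like "data.userId" through nested objects.
    cur: Any = claims
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None

def extract_user_id(headers: dict, rule: dict) -> Optional[str]:
    """Apply one attribution rule (keys constructed to mirror the page's fields)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    sub = rule["sublocation"]
    if rule["location"] == "Req.Header":
        raw = hdrs.get(sub.lower())
    elif rule["location"] == "Req.Cookie":
        raw = _cookie_value(hdrs.get("cookie", ""), sub)
    else:
        return None  # response-side locations are out of scope for this example
    if raw is None:
        return None
    if rule.get("type") == "bearer.jwt":
        scheme, _, token = raw.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None  # not a bearer credential; nothing to attribute
        value = _claim_path(_jwt_claims(token), rule["claim"])
        return str(value) if value is not None else None
    return raw  # plain header/cookie value is the identifier itself

def _sample_jwt(payload: dict) -> str:
    # Constructed sample token; the signature segment is a dummy placeholder.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.sig"

SAMPLE_HEADERS = {  # constructed request
    "Authorization": "Bearer " + _sample_jwt({"data": {"email": "alice@example.com", "userId": 42}}),
    "Cookie": "theme=dark; UserID=u-1001",
}
JWT_RULE = {"location": "Req.Header", "sublocation": "authorization", "type": "bearer.jwt", "claim": "data.email"}
COOKIE_RULE = {"location": "Req.Cookie", "sublocation": "UserID"}
```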