Skip to main content

Jul 25, 2021 - 4 minute read - API Testing API Challenges Evil Tester

Challenge 37 and 38 - How To - Use Bearer Tokens

This post and video shows how to complete the Bearer Token challenges to GET and POST the secret note.

What are the API Challenges?

Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.

Bearer Token Secret Note Challenges

Most of the challenges simply require the correct payload, and an X-Challenger header to track the session. The authentication challenges require an extra header, the value for which can only be obtained with a username and password. This value is obtained when completing challenge 30.

The X-CHALLENGER header authenticates you to access a specific set of secret notes, and the X-AUTH-TOKEN authorizes you to gain access.

  • Authentication is “are you who you say you are” (X-CHALLENGER)
  • Authorization is “do you have the right permissions” (X-AUTH-TOKEN)

Both Challenges 37 and 38 use the Bearer authentication mechanism and are so similar that we have covered them in one post.

Rather than use the X-AUTH-TOKEN header, we use the value returned in Challenge 30 for the X-AUTH-TOKEN but we add it as Bearer token authentication.

In Insomnia, use the “Auth” tab and select “Bearer” authentication. Then the toke value is the value of the X-AUTH-TOKEN from Challenge 30.

Challenge 37 GET /secret/note (Bearer)

Issue a GET request on the /secret/note end point receive 200 when using the X-AUTH-TOKEN value as an Authorization Bearer token - response body should contain the note

This challenge is almost a duplicate of the request used in challenge 33

  • Create a new request for the /secret/note end point
    • if running locally that endpoint would be
      • http://localhost:4567/secret/note
    • if running in the cloud that endpoint would be
      • https://apichallenges.herokuapp.com/secret/note
  • The verb should be a GET
  • Ensure there is no custom header with the name X-AUTH-TOKEN
  • Ensure there is an Auth Bearer header and the value is the same as received in the /secret/token response X-AUTH-TOKEN
  • The request should have an X-CHALLENGER header to track challenge completion
  • You should receive a 200 response and the body of the response will contain the secret note
> GET /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> Authorization: Bearer x-auth-token-value
> Accept: */*

< HTTP/1.1 200 OK
< Connection: close
< Date: Sun, 25 Jul 2021 13:20:04 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

The response body would contain a “note”:

{
  "note": "my note is here"
}

Challenge 38 POST /secret/note (Bearer)

Issue a POST request on the /secret/note end point with a note payload e.g. {“note”:“my note”} and receive 200 when valid X-AUTH-TOKEN value used as an Authorization Bearer token. Status code 200 received. Note is maximum length 100 chars and will be truncated when stored.

This is almost a duplicate of challenge 34.

  • Create a new request for the /secret/note end point
    • if running locally that endpoint would be
      • http://localhost:4567/secret/note
    • if running in the cloud that endpoint would be
      • https://apichallenges.herokuapp.com/secret/note
  • The verb should be a POST
  • Ensure there is no custom header with the name X-AUTH-TOKEN
  • Add Bearer Token Auth where the token value is the same as received in the /secret/token response for the X-AUTH-TOKEN
  • The request should have an X-CHALLENGER header to track challenge completion
  • Add a JSON Payload of the format {"note":"my note"}
  • Include header for Content-type value application/json
  • If the text is too long it will be truncated
  • You should receive a 200 response
  • The body of the response will contain the secret note
> POST /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> Content-Type: application/json
> Authorization: Bearer x-auth-token-value
> Accept: */*
> Content-Length: 37

| {
|   "note": "my note edited bearer"
| }

< HTTP/1.1 200 OK
< Connection: close
< Date: Sun, 25 Jul 2021 13:24:20 GMT
< X-Challenger: x-challenger-guid
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

Sample response body:

{
  "note": "my note edited bearer"
}

Overview Video

Watch on YouTube

Patreon ad free version

Learn More and Start Testing


You will need a Github account to comment. Or you can contact me with your comment.

I reserve the right to delete spam comments e.g. if your comment adds no value and its purpose is simply to create a backlink to another site offering training, or courses, etc.