Skip to main content
blog title image

4 minute read - API Testing API Challenges

Challenge 37 and 38 - How To - Use Bearer Tokens

Jul 25, 2021

This post and video shows how to complete the Bearer Token challenges to GET and POST the secret note.

What are the API Challenges?

Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.

Bearer Token Secret Note Challenges

Most of the challenges simply require the correct payload, and an X-Challenger header to track the session. The authentication challenges require an extra header, the value for which can only be obtained with a username and password. This value is obtained when completing challenge 30.

The X-CHALLENGER header authenticates you to access a specific set of secret notes, and the X-AUTH-TOKEN authorizes you to gain access.

  • Authentication is “are you who you say you are” (X-CHALLENGER)
  • Authorization is “do you have the right permissions” (X-AUTH-TOKEN)

Both Challenges 37 and 38 use the Bearer authentication mechanism and are so similar that we have covered them in one post.

Rather than use the X-AUTH-TOKEN header, we use the value returned in Challenge 30 for the X-AUTH-TOKEN but we add it as Bearer token authentication.

In Insomnia, use the “Auth” tab and select “Bearer” authentication. Then the toke value is the value of the X-AUTH-TOKEN from Challenge 30.

Challenge 37 GET /secret/note (Bearer)

Issue a GET request on the /secret/note end point receive 200 when using the X-AUTH-TOKEN value as an Authorization Bearer token - response body should contain the note

This challenge is almost a duplicate of the request used in challenge 33

  • Create a new request for the /secret/note end point
    • if running locally that endpoint would be
      • http://localhost:4567/secret/note
    • if running in the cloud that endpoint would be
      • https://apichallenges.herokuapp.com/secret/note
  • The verb should be a GET
  • Ensure there is no custom header with the name X-AUTH-TOKEN
  • Ensure there is an Auth Bearer header and the value is the same as received in the /secret/token response X-AUTH-TOKEN
  • The request should have an X-CHALLENGER header to track challenge completion
  • You should receive a 200 response and the body of the response will contain the secret note
> GET /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> Authorization: Bearer x-auth-token-value
> Accept: */*

< HTTP/1.1 200 OK
< Connection: close
< Date: Sun, 25 Jul 2021 13:20:04 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

The response body would contain a “note”:

{
  "note": "my note is here"
}

Challenge 38 POST /secret/note (Bearer)

Issue a POST request on the /secret/note end point with a note payload e.g. {“note”:“my note”} and receive 200 when valid X-AUTH-TOKEN value used as an Authorization Bearer token. Status code 200 received. Note is maximum length 100 chars and will be truncated when stored.

This is almost a duplicate of challenge 34.

  • Create a new request for the /secret/note end point
    • if running locally that endpoint would be
      • http://localhost:4567/secret/note
    • if running in the cloud that endpoint would be
      • https://apichallenges.herokuapp.com/secret/note
  • The verb should be a POST
  • Ensure there is no custom header with the name X-AUTH-TOKEN
  • Add Bearer Token Auth where the token value is the same as received in the /secret/token response for the X-AUTH-TOKEN
  • The request should have an X-CHALLENGER header to track challenge completion
  • Add a JSON Payload of the format {"note":"my note"}
  • Include header for Content-type value application/json
  • If the text is too long it will be truncated
  • You should receive a 200 response
  • The body of the response will contain the secret note
> POST /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> Content-Type: application/json
> Authorization: Bearer x-auth-token-value
> Accept: */*
> Content-Length: 37

| {
|   "note": "my note edited bearer"
| }

< HTTP/1.1 200 OK
< Connection: close
< Date: Sun, 25 Jul 2021 13:24:20 GMT
< X-Challenger: x-challenger-guid
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

Sample response body:

{
  "note": "my note edited bearer"
}

Overview Video

Patreon ad free version

Learn More and Start Testing

If you like this content then you might be interested in my Patreon Community. I create exclusive content multiple times a week. Gain access to Patreon only content and online training courses for as little as $1 per month. Learn more about the EvilTester Patreon Community.

All Posts | Categories | Archive

Join The Evil Tester Patreon Community

Free training courses and ebooks (sold for over $200).

Learn more about EvilTester on Patreon

Support our work and gain access to hints, tips, and prompts for improving your Software Development skills. Regular updates, multiple times a week for as little as $1 per month.

Patreon Members Login for exclusive courses and ebooks.

Contact

Contact Me

Join Email List

Email Privacy Details.

Online Training Courses

Technical Web Testing Course

Technical Web Testing Course

Evil Tester Talks Bundle

Evil Tester Talks Technical Testing Bundle

Selenium WebDriver Support Classes

Selenium WebDriver Support Classes in Java

All Courses

Books

Buy Dear Evil Tester Book Buy Java For Testers Book Buy Automating and Testing a REST API Buy Selenium Simplified Book

Learn more about our books

Follow

Podcasts and Videos

Podcasts

Subscribe to YouTube Channel

Need some motivation?

Try the Sloganizer

"Of course I'm not evil, I just pretend to be."

Recent Blog Posts

Modelling Software Testing for Naming and Understanding

Kubernetes kubectl cheat sheet notes

Updated Github Repos and Released Conference Talk

Recruit And interview people. Do not just fill roles

Testing The Triangle Application

On Modelling

June 2023 EvilTester.com and Patreon Content Summary

Episode 020 - The Test Automation Pyramid Episode - The Evil Tester Show

Also...

Recommended Reading List