How does Traceable handle scans?
When you create a scan, Traceable evaluates one of the following inputs, along with the scan configuration: live trace data, replay trace data, or an uploaded API specification. Based on this evaluation, Traceable identifies the relevant API endpoints and runs the appropriate tests from the plugin library.
During scan execution, Traceable determines how to handle the authentication based on the authentication token's validity:
If a valid authentication token is present in live or replay traffic or in the uploaded specification, Traceable uses it as received without requiring an active authentication configuration.
If the authentication token is missing or expired, Traceable uses the authentication mechanism configured in the platform, allowing the scan to continue without interruption.
This approach ensures that scans remain targeted, relevant, and aligned with the plugin category applicable to each API endpoint.
How does Traceable protect authentication tokens during scans?
Traceable uses strict controls to ensure authentication tokens are handled securely during scans:
Any authentication token discovered in traffic is used exactly as received. Traceable never alters or modifies tokens, except in the one scenario where JWT security is intentionally tested, for example to validate whether an attacker could tamper with a token.
All sensitive user-related data is automatically redacted.
Tokens received by Traceable are obfuscated and stored only in hashed form.
Tokens are never stored in plain text and are never reused outside the scope of the scan.
Because of these redaction and protection controls, Traceable runs a limited set of authentication-related tests by default. If you require deeper authentication testing, Traceable recommends creating pre-hooks to control authentication behavior. For more information, see Authentication.
How does Traceable store your credentials for AST authentication?
Traceable securely manages the credentials you use for AST authentication hooks via encryption and secure transmission protocols. This handling is based on how the hook is created or retrieved:
When the hook is created from the Traceable platform — Your credentials are transmitted using a secure channel, encrypted, and then stored in the Traceable database.
When the hook is retrieved using the CLI — Traceable decrypts the credentials and transmits them securely to the CLI over a gRPC channel.
Traceable uses hybrid encryption that combines symmetric and asymmetric algorithms to ensure security. The following table highlights the purpose and usage of these encryption methods:
| Encryption | Purpose | Usage |
|---|---|---|
| Symmetric (AES) | Fast encryption and decryption | Encrypting sensitive data payloads |
| Asymmetric (RSA) | Secure key exchange | Encrypting the AES key |
The keys encrypted using the above methods are stored in secure vaults that follow industry-standard best practices.
Note
If you use a custom authentication hook written in Python, Traceable does not store your credentials. You can fetch the tokens dynamically, for example, by reading environment variables from the runner, container, or virtual machine.
Why is the number of scanned APIs shown in a Scan different from Replay’s stored APIs in the Environment Config?
This difference can occur due to multiple reasons:
Scan in Progress — If the scan is still running, the number of scanned APIs is updated as tests are executed and uploaded. Traceable recommends reviewing the scan results after completion.
Asset Selection Filters — Custom filters applied during scan creation, such as include/exclude rules for APIs, domains, services, or labels, may have caused some APIs to be skipped.
Recently Added APIs — APIs discovered after the scan start are not included in the current scan.
Inactive APIs — APIs that have not received any traffic in the past 15 days (default, but configurable) are marked as inactive and are removed from the environment configuration. You can check the last-seen timestamps for stored APIs by navigating to Testing → Environment Config and clicking the Stored APIs count for the respective environment.
Unsupported API Types — Traceable only supports REST, GraphQL, and gRPC APIs for scans.