ApiElement requiresApiKey not working
10 views
Skip to first unread message
witse panneels
Nov 1, 2025, 2:26:48 PM (5 days ago) Nov 1
to ZAP Developer Group
I'm building an extension for a school project that requires some UI-elements (in browser). To do that we're using an ApiOther endpoint to serve html pages in the browser.
We would like the user to be able to request these API-endpoints without the need of the API-key.
We would like the user to be able to request these API-endpoints without the need of the API-key.
But when creating the endpoint and setting requiresApiKey to false. We can stil not querry the API without inserting the APIkey into the parameters.
this.addApiOthers(new ApiOther("name", params, false);
Is this a bug? or is this just not the correct way of doing this?
psiinon
Nov 3, 2025, 5:01:18 AM (3 days ago) Nov 3
to ZAP Developer Group
Hiya,
I'm not aware of any bugs in this area, and I often access the ZAP API with the API key disabled :)
The API is not really designed to serve HTML, so you will need to do some extra things.
Have a look at AntiCsrfAPI.java - that generates a form for testing for a lack of CSRF tokens.
You'll notice that it sets the content type to "text/html".
Also have a look at the zap.log file to see if any errors are logged: https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file
Cheers,
Simon
Reply all
Reply to author
Forward
0 new messages