Authorization Configuration while OPENAPI swagger.json import.


Ashar Khalil

Oct 17, 2025, 4:07:55 AM
to ZAP User Group

Hi ZAP folks — I’m stuck and could use some help.

ZAP version: Latest
OS: Windows

What I did:

  1. Created a Context named “MyAPI”.

  2. Set Session Management → Header-based → Header name: Authorization, Header value: Bearer <TOKEN>.

  3. Added a user beareruser and enabled it.

  4. Enabled Force User Mode from the toolbar.

  5. Imported swagger.json into ZAP and selected the context and user during import.

Problem:

  • Requests imported or captured in ZAP (via Sites / Proxy / Resend) do not include the Authorization header — it’s never injected.

  • I confirmed Force User Mode is active, the user is enabled, and session management is configured correctly.

Questions:

  • Am I missing a specific setting to map imported requests to the correct Context/User?

  • Why doesn’t header-based session management inject the Authorization header automatically once the user is active?

  • As soon as I import my swagger.json, ZAP starts sending the requests — but all of them go out without the Authorization header that my API needs.

Thanks in advance for any pointers or workarounds.

Best,
Ashar

Simon Bennetts

Oct 21, 2025, 1:15:33 PM
to ZAP User Group
Hi Ashar,

Don't use Forced User Mode in automation!

For authentication your starting point should be https://www.zaproxy.org/docs/authentication/

Cheers,

Simon