Authentication
Many web applications require login before Swarm QA can access protected pages. The authentication module lets you configure login credentials so agents can scan behind authentication walls.
Configuration
Set up authentication in Swarm QA > Settings > Authentication or in Expert Mode before starting a scan:
| Field | Description | Example |
|---|---|---|
| Login URL | The page containing the login form | https://app.example.com/login |
| Username selector | CSS selector for the username/email input | #email or input[name="username"] |
| Password selector | CSS selector for the password input | #password or input[type="password"] |
| Submit selector | CSS selector for the login button | button[type="submit"] or #login-btn |
| Success indicator | Element visible only after successful login | .dashboard-header or [data-testid="user-menu"] |
| Username | The login username or email | qa-scanner@example.com |
| Password | The login password | Stored encrypted locally |
How It Works
Before the scan begins, Swarm QA executes the login flow:
- Navigates to the Login URL.
- Fills the username and password fields using the configured selectors.
- Clicks the submit button.
- Waits for the success indicator to appear in the DOM.
- Captures the authenticated session (cookies and local storage).
- Hands the captured session to all agents, which use it for their requests.
WARNING
If the success indicator is not found within 15 seconds, the scan aborts with an authentication failure error. Verify your selectors match the actual login form.
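The login flow above, written as an added dry-run helper (not Swarm QA's own code) that you can point at a Playwright-style page object to confirm your selectors and success indicator before starting a scan; `FakePage` is a constructed stand-in so the script runs offline, and the 15-second limit mirrors the abort behaviour described in the warning.

```python
from dataclasses import dataclass
from types import SimpleNamespace

SUCCESS_TIMEOUT_MS = 15_000  # the scan aborts if the indicator is not found within 15 s


@dataclass
class AuthConfig:
    login_url: str
    username_selector: str
    password_selector: str
    submit_selector: str
    success_indicator: str
    username: str
    password: str


class AuthenticationFailure(Exception):
    """Raised when the success indicator never appears (the scan would abort here)."""


def login(page, cfg):
    """Run the 'How It Works' steps against a Playwright-style sync page object
    (goto/fill/click/wait_for_selector/context.cookies/evaluate) and return
    the captured session: cookies plus local storage."""
    page.goto(cfg.login_url)
    page.fill(cfg.username_selector, cfg.username)
    page.fill(cfg.password_selector, cfg.password)
    page.click(cfg.submit_selector)
    try:
        page.wait_for_selector(cfg.success_indicator, timeout=SUCCESS_TIMEOUT_MS)
    except Exception as exc:  # Playwright raises TimeoutError when it never shows up
        raise AuthenticationFailure(
            f"{cfg.success_indicator!r} not visible within "
            f"{SUCCESS_TIMEOUT_MS // 1000}s; verify your selectors") from exc
    return {"cookies": page.context.cookies(),
            "local_storage": page.evaluate("() => ({...localStorage})")}


class FakePage:
    """Constructed stand-in for a browser page. `dom` holds the selectors that
    exist after submit; `filled`/`clicked` record what the flow did."""
    def __init__(self, dom):
        self.dom, self.filled, self.clicked = set(dom), {}, []
        self.context = SimpleNamespace(cookies=lambda: [{"name": "sid", "value": "constructed"}])
    def goto(self, url): self.url = url
    def fill(self, sel, value): self.filled[sel] = value
    def click(self, sel): self.clicked.append(sel)
    def wait_for_selector(self, sel, timeout):
        if sel not in self.dom: raise TimeoutError(f"{sel} not found after {timeout} ms")
    def evaluate(self, _js): return {"token": "constructed"}
```

Swap `FakePage` for a real `page` from `playwright.sync_api` to exercise your actual login form; an `AuthenticationFailure` means the scan would abort with the same selector problem.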
Per-Project Credentials
Authentication settings are stored per project. Different projects can have different login configurations, and switching projects in xyva automatically loads the correct credentials.
TIP
Create a dedicated QA service account for Swarm scanning. This avoids locking out real user accounts and lets you filter scan activity in your application's audit logs.
Multi-Factor Authentication
Swarm QA does not support interactive MFA flows (TOTP, SMS codes, push notifications). To scan MFA-protected applications, use one of the following approaches:
- Disable MFA for the QA service account in your staging environment.
- Use an API token or session cookie instead of username/password login.
- Configure a test environment that bypasses MFA.
Credential Security
- Passwords are encrypted at rest using Electron's safeStorage API.
- Credentials are never sent to LLM providers or included in AI enrichment prompts.
- Credentials are never included in PDF reports or webhook payloads.
- The password field is masked in the UI; a stored password can be replaced but never read back.
Technical: safeStorage encryption
Electron's safeStorage uses the operating system's credential store (Keychain on macOS, DPAPI on Windows, libsecret on Linux) to encrypt sensitive values. The encrypted blob is stored in the project configuration file, but it cannot be decrypted without access to the same OS user account. On Linux this protection depends on a keyring (for example GNOME Keyring or KWallet) being available to libsecret; without one, Electron falls back to its basic_text backend, which does not provide real at-rest protection, so check that a keyring is present on scanner hosts.
