Audit the pages behind your login
Most accessibility tools stop at public URLs. TestKase scans authenticated pages using your choice of cookie, login-form, or custom header authentication — so dashboards, settings, and admin panels finally get audited.
session=eyJhbGciOiJIUzI1NiIs…csrf=Tx9v4QmA9fN2…/dashboard/settings/team/admin/billingThree authentication methods. Zero compromises.
Pick whichever mechanism mirrors the way a real user reaches the page — cookies, forms, or headers.
Cookie-based
Paste your session cookies directly. TestKase replays them with each request — ideal for stateful session auth.
Login-form
Provide the login URL, input selectors, and credentials. TestKase submits the form, captures the session, and proceeds to audit.
Header-based
Inject Authorization headers, API keys, or custom tokens. Perfect for SSO, OAuth bearer flows, and machine auth.
The pages your public scanner can't reach
Audit the product where your real users live — not just the marketing site.
User dashboards
Home screens, onboarding flows, and in-product settings finally get tested.
Admin panels
Org-wide admin, billing, and role management — the highest-liability surfaces.
Account settings
Profile, preferences, security pages — where power users spend their time.
Multi-tenant surfaces
Workspace-scoped pages that only resolve with a valid session token.
Gated reports
Analytics dashboards, exports, and per-account reports behind role-based gates.
Internal tools
Employee-only dashboards and internal tooling that still need to meet WCAG.
Your credentials, handled carefully
TestKase is built for production apps where the credentials matter. We store the minimum required, encrypt at rest, and scope every value to the scan that requested it.
Every credential stored in TestKase is encrypted with per-tenant keys. No plaintext cookies or passwords in the database.
Credentials are only pulled by the scan that needs them, held in memory for the crawl, and discarded after. Never logged.
Change or delete a credential and every downstream scan picks up the new value on the next run. No background re-use.
Minimal config, maximum coverage
Each auth method takes a handful of fields. Paste once, reuse across every scan in the workspace.
Paste cookies from a signed-in browser. Ideal for stateful session auth (Rails, Laravel, Django, Express + express-session).
Provide the form URL, selectors, and credentials. TestKase submits the form, catches the session, and proceeds to scan.
Inject Authorization headers or API keys. Works with OAuth bearer flows, API-key auth, and SSO token-exchange patterns.
Plays well with SSO and identity providers
Your real users log in through Okta, Auth0, or Azure AD — and so can TestKase. Use header-based auth for post-SSO sessions or let the form walker handle the provider's UI.
Authenticated Scanning FAQ
Use cookie-based auth if you already have a signed-in browser session you can copy from. Use login-form if you want TestKase to re-authenticate on demand. Use header-based for SSO/API/bearer-token flows where a form walk is not possible.
Explore the rest of TestKase Accessibility
One product, five focused modules. Every one plays well with the others.
WCAG reports for any URL — severity-graded with selectors.
Learn moreCatch issues that only appear during live user interaction.
Learn moreDevTools panel for on-demand scans on any open tab.
Learn moreRoute scans to the engineers who can actually fix them.
Learn moreScan the pages your customers actually use
Authenticated scans are included on the free plan. Paste a cookie, kick off an audit.