HackGATE gives you two modes for controlling which researchers can connect to your site. You can open the environment to any researcher, or maintain a custom allowlist of approved emails.

Access modes

Open access (default): any researcher can connect to your site. You do not need to manage individual emails.

Custom allowlist: only researchers whose email addresses you have explicitly added can connect. All other authenticated users are blocked at the proxy.

Switch between modes

Use the allowedHackerType endpoint to toggle the mode for a site. Set allowedHackerType to true to enable the custom allowlist, or false to return to open access.
# Enable custom allowlist
curl -X POST https://api-admin.hackgate.io/api/sites/allowedHackerType \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"id": "SITE_ID", "allowedHackerType": true}'
# Switch back to open access
curl -X POST https://api-admin.hackgate.io/api/sites/allowedHackerType \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"id": "SITE_ID", "allowedHackerType": false}'

Add a researcher to the allowlist

curl -X POST https://api-admin.hackgate.io/api/sites/addHacker \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"siteId": "SITE_ID", "email": "researcher@example.com"}'
The response returns the updated list of all researchers currently on the allowlist for the site.

View the current allowlist

curl https://api-admin.hackgate.io/api/sites/getHackers/SITE_ID \
  -H "Authorization: Bearer <token>"
Response:
[
  {
    "id": "HACKER_ENTRY_ID",
    "email": "researcher@example.com",
    "siteId": "SITE_ID"
  }
]

Remove a researcher

Use the id from the allowlist entry (returned by the getHackers endpoint) together with the researcher’s email and site ID.
curl -X POST https://api-admin.hackgate.io/api/sites/removeHacker \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"id": "HACKER_ENTRY_ID", "siteId": "SITE_ID", "email": "researcher@example.com"}'
Custom allowlist mode requires researchers to authenticate with their registered email address. If you attempt to add a researcher who is already on the allowlist, the API returns a 400 error.
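
To keep the allowlist in line with an approved roster, the calls above can be planned from a single getHackers response. The following is an added example, not HackGATE's own code: the function names, the sample entries, and the case-insensitive email comparison are assumptions, as is the premise that setting allowedHackerType to true again on a site already in allowlist mode is harmless.

```python
import json
import shlex

API = "https://api-admin.hackgate.io/api/sites"

# Constructed sample of a getHackers response (not real data).
SAMPLE_CURRENT = json.loads("""[
  {"id": "ENTRY_1", "email": "alice@example.com", "siteId": "SITE_ID"},
  {"id": "ENTRY_2", "email": "bob@example.com", "siteId": "SITE_ID"}
]""")


def plan_allowlist_sync(site_id, current_entries, approved_emails):
    """Return the ordered POST calls that make the allowlist match approved_emails.

    Assumption: emails are compared after trimming and lowercasing.
    """
    norm = lambda e: e.strip().lower()
    approved = {norm(e): e.strip() for e in approved_emails}
    present, calls = set(), []
    # Removals first, so access that is no longer approved is revoked promptly.
    for entry in current_entries:
        if entry["siteId"] != site_id:
            continue  # ignore entries that belong to another site
        key = norm(entry["email"])
        if key in approved:
            present.add(key)
        else:  # removeHacker needs the entry id returned by getHackers
            calls.append((f"{API}/removeHacker",
                          {"id": entry["id"], "siteId": site_id, "email": entry["email"]}))
    # Add only the missing emails: re-adding an existing one returns a 400.
    for key in sorted(approved.keys() - present):
        calls.append((f"{API}/addHacker", {"siteId": site_id, "email": approved[key]}))
    # Enable custom allowlist mode last, once the list itself is correct.
    calls.append((f"{API}/allowedHackerType", {"id": site_id, "allowedHackerType": True}))
    return calls


def as_curl(url, payload):
    """Render one planned call in the same curl form used on this page."""
    return (f"curl -X POST {url} -H 'Authorization: Bearer <token>' "
            f"-H 'Content-Type: application/json' -d {shlex.quote(json.dumps(payload))}")


if __name__ == "__main__":
    roster = ["alice@example.com", "carol@example.com"]  # constructed roster
    for url, payload in plan_allowlist_sync("SITE_ID", SAMPLE_CURRENT, roster):
        print(as_curl(url, payload))
```

Review the printed commands before running them; the plan is only as current as the getHackers response it was built from.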