HackGATE is a managed security proxy gateway by Hackrate. It creates a dedicated *.hackgate.net subdomain in front of your web application, giving you complete control over who tests it, when, and how. Instead of exposing your real URL to researchers, you share the HackGATEd URL — and HackGATE handles access, rate limiting, traffic monitoring, and scope enforcement.

Quick start

Create your first HackGATE and invite researchers in minutes.

Core concepts

Learn about organizations, HackGATEs, projects, and hacker lists.

HackGATEs

Create, configure, enable, and schedule your security testing proxies.

Access control

Manage researcher allowlists, rate limits, and path-level block rules.

Who is HackGATE for?

HackGATE is built for security teams that run bug bounty programs or penetration tests and need more control over how researchers interact with their applications. If you manage a program where external researchers access your environment, HackGATE lets you enforce boundaries, track activity, and shut down access — without changing your application or exposing your production URL directly.

What you get

  • A controlled proxy URL on *.hackgate.net that sits in front of your application
  • Hacker allowlist (custom list) or open access modes per HackGATE
  • Rate limiting per site to cap requests per researcher
  • Path-level block rules that return a specified HTTP status for out-of-scope endpoints
  • Traffic analytics and WAF event monitoring across all researcher sessions
  • API coverage tracking to see which endpoints have been tested
  • PIE automated security checks that detect whether specific attack patterns were attempted
  • Scheduled start and stop windows to restrict testing to defined time periods
  • Project and scope management to organize engagements and define target boundaries

How authentication works

You authenticate to the HackGATE Admin API using a JWT Bearer token issued when you sign in to your account. Pass the token in the Authorization header for every API request:

    Authorization: Bearer <your-token>

All API endpoints require the Authorization header except the health check endpoint.

You can copy your Bearer token from your account settings at admin.hackgate.io. The admin dashboard uses your session JWT automatically when you are signed in.

Last modified on May 9, 2026