Every HackGATE site has two plain-text fields — Credentials and Instructions — that researchers see when they access the proxied environment. Populating these fields before your pentest window starts ensures researchers can begin immediately without waiting for out-of-band communication.

Fields

  • Credentials — test account logins, API keys, or any other access details researchers need to authenticate with your application.
  • Instructions — scope definition, rules of engagement, out-of-scope areas, and contact information for your security team.
Include your vulnerability disclosure contact, expected response times, and any paths that are explicitly out of scope in the instructions field. Clear scope reduces noise and improves finding quality.

Set up credentials and instructions

1. Create the site

Create your HackGATE site and note the id from the response. You need it for both requests below.

2. Set credentials

Send a POST request to /api/sites/credentials with the site id and the credentials text:
curl -X POST https://api-admin.hackgate.io/api/sites/credentials \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"id": "SITE_ID", "credentials": "Username: tester@example.com\nPassword: TestPass123!"}'

3. Set instructions

Send a POST request to /api/sites/instructions with the site id and the instructions text:
curl -X POST https://api-admin.hackgate.io/api/sites/instructions \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"id": "SITE_ID", "instructions": "Scope: all paths under /api. Out of scope: /admin. Report findings to security@example.com"}'

4. Enable the site

Enable the site so researchers can connect. They will see the credentials and instructions you set as soon as the proxy is live.

Updating credentials and instructions

You can call either endpoint at any time to overwrite the current value. The update takes effect immediately — researchers will see the new content on their next page load. There is no version history; each call replaces the previous value.
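
The two POST calls from the setup steps, as an added Python example that is not part of the HackGATE documentation: it builds each request body with json.dumps so multi-line text is escaped correctly, checks the instructions text for the items recommended under Fields, and records a local digest of each push because the API keeps no version history. The HACKGATE_TOKEN variable name, the keyword heuristics and the sample values are assumptions.

```python
import hashlib
import json
import os
import re
import urllib.request

API_BASE = "https://api-admin.hackgate.io/api/sites"  # base URL from the page
FIELDS = ("credentials", "instructions")              # one endpoint per field

# Heuristic patterns (assumed, not a HackGATE rule) for the items the page
# recommends putting in the instructions field.
REQUIRED = {
    "scope": re.compile(r"\bscope\b", re.I),
    "out-of-scope paths": re.compile(r"out[ -]of[ -]scope", re.I),
    "contact": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
    "response time": re.compile(r"\bresponse time|\bwithin \d+", re.I),
}

def missing_sections(instructions):
    """Return the names of recommended items not found in the text."""
    return [name for name, rx in REQUIRED.items() if not rx.search(instructions)]

def build_request(field, site_id, text, token):
    """Build (not send) the POST for one field; json.dumps does the escaping."""
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field}")
    if not text.strip():
        raise ValueError(f"refusing to send empty {field} text")
    body = json.dumps({"id": site_id, field: text}).encode("utf-8")
    return urllib.request.Request(
        f"{API_BASE}/{field}", data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def audit_record(field, site_id, text):
    """Local record of a push; digest only, so the log holds no credentials."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    return {"site": site_id, "field": field, "sha256": digest}

if __name__ == "__main__":
    # Constructed sample values; the token is read from an assumed env variable.
    token = os.environ.get("HACKGATE_TOKEN", "<token>")
    creds = "Username: tester@example.com\nPassword: TestPass123!"
    instr = ("Scope: all paths under /api. Out of scope: /admin.\n"
             "Report to security@example.com; response time: 2 business days.")
    print("missing from instructions:", missing_sections(instr))
    for field, text in (("credentials", creds), ("instructions", instr)):
        req = build_request(field, "SITE_ID", text, token)
        print(req.get_method(), req.full_url, audit_record(field, "SITE_ID", text))
```

Pass each returned request to urllib.request.urlopen to send it; run against the sample instructions string from step 3, missing_sections reports that no response time is stated.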

Request fields

| Field | Type | Description |
| --- | --- | --- |
| id | string | The site ID. |
| credentials | string | Plain text credentials for researcher access. |
| instructions | string | Plain text scope, rules, and contact information. |