JMeter Authorization with dynamic access token

Authorization with dynamic access token is used to pass the dynamic response content to the subsequent requests which can be further used in APIs to validate the authenticity.

This post will help you in fetching dynamic response of an HTTP request (with the help of Regular Expression Extractor) and use it further as a request parameter in subsequent HTTP request(s) (with the help of BeanShell PreProcessor).

For example, these days applications generate an access token in response to a valid login request and further use it in all the subsequent request(s) to check the authorization of users.

JMeter authorization with dynamic access tokens

It is useful when we want to test our APIs with dynamic access-token authorization rule or if an application uses this access token in multiple authorization request(s).

To solve the above problem, we will use JMeter (basic knowledge of JMeter is required).

Start creating JMeter script with below steps:

Add a ‘Thread Group’ under ‘Test Plan’

Add an HTTP Request sampler named as “Login Request” in our example, which accepts some parameters (for example, login credentials) and generates an access token in response, which could be used in subsequent authorization requests to check if a user is authorized to see details on other pages of the application.

See the below screenshot:

HTTP Request example

Add valid credentials in the parameters section.

Add ‘Regular Expression Extractor’ under Login Request.

We will use it to fetch dynamic access token from the response of Login Request. See the below screenshot-

Regular Expression Extractor

You will have to set following parameters for ‘Regular Expression Extractor’:

a) Reference Name: Name of the variable in which the extracted text will be stored. In our example, it is ‘BEARER’.

b) Regular Expression: The pattern against which the extracted text will be matched. You can read more about JMeter regular expressions here.
In this example I have used {“access_token”:”(.+?)” because I wanted to extract everything after {“access_token”:” string until next (inverted) comma.

c) Template: Grouping of strings within ( ) brackets. $1$ means 1st group, $2$ means 2nd group

d) Match Number: Tells which match should be picked. 0 is used for random.

e) Default Value: In case of no match which value should be picked.

Add an ‘HTTP Request’ sampler

Add an ‘HTTP Request’ sampler with your choice of name for subsequent requests. In this example, I have created a sampler named “Dashboard”. It requires access token in the authorization request.

Add ‘HTTP Header Manager’

Add ‘HTTP Header Manager’ under “Dashboard” request. Generally, for applications, it includes all the header requests which should be passed with the HTTP Request. Refer to the below screenshot-

Header Manager

Add ‘BeanShell PreProcessor

You need to add BeanShell PreProcessor under the “Dashboard” request. Add below code in the script section:
Remember when setting up “Regular Expression Extractor” earlier, we used reference name as BEARER? Refer to point #2. It is being used here in the get call.

The script that is mentioned in this step, will pass the BEARER value in the Authorization Header for “Dashboard” Request. See the following screenshot-

BeanShell PreProcessor

Add View Results Tree

Add View Results Tree in the Thread Group, save the script and run it.
Verify result for the Login Request. In the Response data, you should get “access_token”. See attached screenshot-

Login response

Verify result for the Dashboard Request. In the Request data, you can see Authorization header has the value “BEARER + access_token”. See attached screenshot-


We can use ‘Regular Expression Extractor’ to capture any dynamic data from the request and then it can be sent to subsequent requests using ‘BeanShell PreProcessor’. This approach makes it very simple to test APIs in which we need to get authentication token from the server and then passing it on all other requests.

You might also like