Secure Privacy

Scanning Cookies & Trackers on Login-Protected Pages: Authenticated Website Scanning in Secure Privacy

Standard cookie scanners can't see what's behind a login wall — leaving authenticated-session trackers undocumented and your GDPR compliance incomplete. Learn how Secure Privacy's authenticated website scanning detects every cookie across all user journeys, including password-protected pages.

Secure Privacy Team

Note: Authenticated scanning is available under the Enterprise plan only. For details on current plans and billing options, visit the Secure Privacy Pricing page.

Most cookie compliance tools only see what an anonymous visitor sees — the public-facing pages of your site. But if your web application shows a dashboard, a member portal, or any content behind a login wall, a significant portion of your cookies, third-party services, iframes, and tracking pixels are completely invisible to a standard scan. The result: a cookie audit with a blind spot, and a compliance report that may be dangerously incomplete under GDPR, CCPA, or other privacy regulations.

Manual auditing is one painful workaround — but maintaining a spreadsheet of every script that loads after authentication is time-consuming, error-prone, and nearly impossible to keep current as your tech stack evolves. Generic website scanners that don't support login simply can't help you here.

Secure Privacy's authenticated website scanning solves this directly. By logging in to your web application as a real user — via form-based login, OAuth 2.0, OpenID Connect, or API key authentication — the scanner reaches your protected pages and surfaces every cookie and tracker your authenticated users encounter, feeding them directly into your compliance reports and consent management workflow.

By the end of this guide, you'll understand which authentication methods are supported, what information you need to provide for each, and how to get started so that your cookie audit covers 100% of your website — not just the publicly accessible portion.

Who Is This For?

Authenticated scanning is designed for teams who manage web applications where meaningful functionality — and significant data processing — happens only after a user logs in. This includes:

  • SaaS platforms and web apps with user accounts or dashboards

  • E-commerce sites with customer portals or checkout flows that load additional trackers

  • Membership sites, intranets, or subscription content platforms

  • Any organization subject to GDPR, CCPA, or ePrivacy that needs a complete picture of cookie usage across all authenticated user journeys

If your website loads different scripts, pixels, or services after a user logs in, authenticated scanning is essential for accurate compliance reporting.

Without authentication enabled, the Secure Privacy scanner — like any website scanner — can only analyze the publicly accessible portion of your website: the pages available before a user logs in. However, web applications routinely load additional cookies, third-party services, iframes, and tracking pixels only after a user authenticates. Analytics platforms, CRM integrations, support widgets, and advertising pixels often fire exclusively within the authenticated session.

If those elements are not detected and documented, they cannot be categorized, disclosed in your cookie policy, or gated behind user consent — leaving you exposed to regulatory risk. Authenticated scanning closes that gap, giving you a complete and accurate picture of your website's cookie and tracker usage across every user journey.
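
As an added illustration (not Secure Privacy's code or scanner output), the sketch below diffs the `Set-Cookie` headers seen in an anonymous crawl against those seen in a logged-in crawl, and lists the cookies a login-less scan never observes. The hostnames, cookie values and the simple host-suffix rule for "third party" are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample data: (responding host, Set-Cookie header) pairs captured
# from an anonymous crawl and a logged-in crawl of a hypothetical app.example.
ANONYMOUS = [
    ("app.example", "consent=pending; Path=/; Secure; SameSite=Lax"),
    ("app.example", "_ga=GA1.2.111; Path=/; Max-Age=63072000"),
]
AUTHENTICATED = ANONYMOUS + [
    ("app.example", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("widget.support.example",
     "chat_uid=u-42; Path=/; Max-Age=31536000; SameSite=None; Secure"),
    ("px.ads.example", "aid=9f3; Path=/; Max-Age=7776000"),
]

def inventory(observations, first_party):
    """Map (setting host, cookie name) -> attributes for every Set-Cookie seen."""
    found = {}
    for host, header in observations:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Assumption: a host-suffix match stands in for a real
            # registrable-domain (eTLD+1) comparison.
            same_site = host == first_party or host.endswith("." + first_party)
            found[(host, name)] = {
                "third_party": not same_site,
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return found

def authenticated_only(anon, auth, first_party):
    """Cookies that appear only after login: the anonymous scan's blind spot."""
    before = inventory(anon, first_party)
    after = inventory(auth, first_party)
    return {key: attrs for key, attrs in after.items() if key not in before}

if __name__ == "__main__":
    gap = authenticated_only(ANONYMOUS, AUTHENTICATED, "app.example")
    for (host, name), attrs in sorted(gap.items()):
        flags = ", ".join(k for k, v in attrs.items() if v) or "none"
        print(f"{host:24} {name:10} {flags}")
```

The persistent third-party entries in the result are the ones that typically need categorizing and consent gating; a first-party `HttpOnly` session cookie is usually classified as necessary.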

Supported Authentication Methods

The Secure Privacy Website Scanner supports four methods for performing authenticated scans on login-protected pages:

  • Form-based authentication — standard username/password login forms

  • OAuth 2.0 — including client credentials, resource owner password, authorization code, and other grant types

  • OpenID Connect — identity layer on top of OAuth 2.0 for SSO and federated login

  • API keys — including custom header-based and authorization header authentication

Prerequisites

Before configuring authenticated scanning, confirm the following:

  • Your Secure Privacy account is on the Enterprise plan. Authenticated scanning is not available on lower-tier plans.

  • You have a dedicated test or service account in your web application that the scanner can use to log in. Using a real user account is not recommended, as the scanner will create active sessions.

  • The login credentials or OAuth / API key details for that account are available to you.

  • For OAuth 2.0 or OpenID Connect: you have access to your application's client ID, client secret, token endpoint URL, and relevant scopes.

Form-Based Authentication — Configuration

Form-based authentication allows the Secure Privacy scanner to log in to your web application using a valid set of credentials, then scan the authenticated pages for cookies and services. To configure this method, provide the following details in your scanner settings.

Step 1 — Provide the Login URL

Enter the full URL of the page that contains your application's login form. This is the page the scanner will navigate to in order to submit credentials — for example, https://app.yourdomain.com/login. Make sure this URL loads the form directly, without any redirects that require prior interaction.

Step 2 — Enter the Username

Provide a valid username or email address for a dedicated scanning account in your application. The scanner will use this account to authenticate and access protected pages. We recommend creating a dedicated service account rather than using a real user's credentials.

Step 3 — Enter the Password

Enter the password associated with the scanning account username provided in Step 2. Secure Privacy stores and handles these credentials securely as part of the Enterprise scanning configuration.

OAuth 2.0, OpenID Connect, and API Key Authentication

These authentication methods require additional configuration details specific to your application's authorization protocol and flow. The Secure Privacy team will work with you directly to understand your application's setup — including token endpoints, grant types, scopes, client credentials, and header formats — and assist with the custom configuration required to complete the integration.

To get started with OAuth 2.0, OpenID Connect, or API key authenticated scanning, contact the Secure Privacy support team at [email protected] and include a brief description of your application's authentication method.

What Happens After the Authenticated Scan

Once authenticated scanning is configured and a scan is complete, Secure Privacy processes the results in the same way as a standard scan — but with full coverage of your login-protected pages:

  • All detected cookies and services from authenticated pages are added to your cookie inventory and classified by category (Necessary, Analytics, Marketing, etc.).

  • Newly discovered cookies are surfaced for review so you can update your cookie policy and consent banner to reflect them accurately.

  • Your compliance report reflects the complete state of cookie usage across both public and authenticated areas of your site.

We recommend running authenticated scans whenever you deploy significant changes to your web application, or on the same schedule as your standard scans, to keep your cookie inventory current.

Troubleshooting Authenticated Scanning

The scanner doesn't appear to be reaching authenticated pages

Verify that the Login URL you provided loads the login form directly and does not redirect to an intermediary page (such as an SSO provider page or a cookie consent gate) before displaying the form. Also confirm that the credentials belong to an active account with no enforced MFA, as multi-factor authentication prompts will block the scanner from completing the login flow. If MFA is required, contact Secure Privacy support to discuss options.

OAuth 2.0 or OpenID Connect configuration isn't completing

OAuth and OpenID Connect integrations depend on application-specific parameters — token endpoint URLs, client IDs, scopes, and grant types — that vary between implementations. If the configuration is not completing, reach out to [email protected] with your authorization server details. The Secure Privacy team handles these integrations collaboratively and can guide you through the required settings.

Frequently Asked Questions

Do I need to scan cookies behind a login for GDPR compliance?

Yes. Under GDPR and the ePrivacy Directive, your obligation to obtain consent covers all cookies and tracking technologies that process personal data — regardless of whether they are set on public pages or within an authenticated session. If your web application loads analytics, advertising, or other non-essential cookies after a user logs in, those must be disclosed in your cookie policy and covered by your consent mechanism. Authenticated scanning ensures those cookies are detected and documented.

No. Standard website scanners crawl your site as an unauthenticated visitor and cannot access any content that requires a login. If your application loads cookies or third-party services exclusively within authenticated sessions, those will not appear in a standard scan report. Authenticated scanning — as offered by Secure Privacy on the Enterprise plan — is required to detect cookies on password-protected or login-gated pages.

Which authentication methods does Secure Privacy's scanner support?

Secure Privacy supports four authenticated scanning methods: form-based authentication (username and password login forms), OAuth 2.0 (all major grant types), OpenID Connect, and API key / authorization header-based authentication. For OAuth, OpenID Connect, and API key configurations, the Secure Privacy support team assists with setup.

Is authenticated scanning available on all Secure Privacy plans?

No. Authenticated website scanning is available exclusively on the Secure Privacy Enterprise plan. If you are on a lower-tier plan and need this feature, visit the Secure Privacy Pricing page for details on upgrading.

Does the scanner support sites that require multi-factor authentication (MFA)?

Standard form-based authenticated scanning does not support MFA, as the additional authentication step cannot be automated with a username and password alone. If your application enforces MFA for all accounts, contact [email protected] to discuss alternative configuration options such as OAuth 2.0 client credentials or API key-based access.
