Scraping APIs and Authenticated Resources

Apr 25, 2023

Web scraping is a powerful technique for extracting data from websites, but it can become more challenging when dealing with APIs or resources that require authentication. In this article, we will explore various methods for scraping data from APIs and authenticated resources using Python. We'll cover topics such as basic authentication, CSRF token protection, and WAF-protected websites.

Understanding APIs and Authentication

An API (Application Programming Interface) is a set of rules and protocols that allows different software applications to communicate with each other. APIs define the methods and data formats that applications can use to request and exchange data. When scraping data from APIs, it's essential to understand the authentication mechanisms in place to access protected resources.

Authentication is the process of verifying the identity of a user or client before granting access to protected resources. Common authentication methods include:

  • Basic Authentication: Uses a username and password combination to authenticate requests.

  • Token-based Authentication: Requires a unique token (e.g., API key, access token) to be included in the request headers or parameters.

  • CSRF Token Protection: Utilizes a unique token to prevent Cross-Site Request Forgery attacks.

Scraping APIs with Basic Authentication

Basic Authentication is a simple authentication scheme that requires a username and password to be sent with each request. Here's an example of how to scrape data from an API endpoint that uses Basic Authentication:

import requests

from requests.auth import HTTPBasicAuth

username = 'your_username'

password = 'your_password'

url = ''

response = requests.get(url, auth=HTTPBasicAuth(username, password))

if response.status_code == 200:

data = response.json()

# Process the scraped data


print(f'Authentication failed. Status code: {response.status_code}')

In this example, we use the requests library to send a GET request to the protected API endpoint. We provide the username and password using the HTTPBasicAuth class from requests.auth. If the authentication is successful (status code 200), we can access the scraped data in the response.

Scraping Websites with CSRF Token Protection

Some websites implement CSRF token protection to prevent unauthorized requests. To scrape such websites, we need to extract the CSRF token from the HTML source and include it in our requests. Here's an example of how to scrape a website with CSRF token protection:

import requests

from bs4 import BeautifulSoup

session = requests.Session()

url = ''

# Send a GET request to the login page

response = session.get(url)

soup = BeautifulSoup(response.text, 'html.parser')

# Extract the CSRF token from the HTML

csrf_token = soup.find('input', {'name': 'csrf_token'})['value']

# Prepare the login payload

payload = {

'username': 'your_username',

'password': 'your_password',

'csrf_token': csrf_token


# Send a POST request to the login endpoint

response ='', data=payload)

# Check if the login was successful

if response.url == '':

print('Login successful')

# Proceed with scraping the protected pages


print('Login failed')

In this example, we use the requests library to send a GET request to the login page and extract the CSRF token from the HTML using BeautifulSoup. We then prepare the login payload, including the username, password, and CSRF token, and send a POST request to the login endpoint. If the login is successful, we can proceed with scraping the protected pages using the authenticated session.

Scraping WAF-Protected Websites

Websites protected by a Web Application Firewall (WAF) can be more challenging to scrape. WAFs act as a protective layer, filtering out malicious bots and traffic. To scrape WAF-protected websites, we often need to use a headless browser like Selenium to simulate human-like interactions. Here's an example of how to scrape a WAF-protected website using Selenium:

from selenium import webdriver

from selenium.webdriver.common.keys import Keys

import time

# Set up the Selenium WebDriver

driver = webdriver.Chrome() # Make sure you have ChromeDriver installed

# Navigate to the login page


# Find the email and password input fields and fill them in

email_field = driver.find_element_by_name('email')

password_field = driver.find_element_by_name('password')



# Submit the login form

login_button = driver.find_element_by_css_selector('button[type="submit"]')

# Wait for the login process to complete


# Navigate to the protected page


# Extract data from the protected page

# ...

# Close the browser


In this example, we use Selenium to automate the login process by finding the email and password input fields, filling them in, and submitting the login form. After a short wait to allow the login process to complete, we navigate to the protected page and extract the desired data. Finally, we close the browser using driver.quit().


Scraping APIs and authenticated resources requires a good understanding of the authentication mechanisms involved. By using the appropriate tools and techniques, such as the requests library for basic authentication, BeautifulSoup for extracting CSRF tokens, and Selenium for handling WAF-protected websites, you can successfully scrape data from various sources.

Remember to always respect the website's terms of service and be mindful of the legal and ethical considerations when scraping data. Happy scraping!

Let's get scraping 🚀

Ready to start?

Get scraping now with a free account and $25 in free credits when you sign up.