Make a raw request to Probely API (path relative to base).

IMPORTANT: For authentication configuration, use probely_update_target instead:

• HTTP Basic Auth: use basic_auth_username and basic_auth_password parameters

• API Headers/Cookies Auth: use api_auth_headers and api_auth_cookies parameters

This tool is for advanced use cases or API endpoints not covered by dedicated tools.

When using this tool, reference saved credentials using the URI format 'credentials://<credential_id>' (e.g., 'credentials://4DY4qGohso1r'). Get credential URIs from probely_list_credentials or probely_create_credential. Do NOT use template syntax like {{cred-name}}.

List credentials. Sensitive values are not returned.

Returns credentials with their 'uri' field (e.g., 'credentials://4DY4qGohso1r'). Use this exact URI format when configuring authentication (basic_auth, headers, etc.). Do NOT use template syntax like {{cred-name}}.

Get a credential by ID. Value is null if sensitive.

Returns the credential with its 'uri' field (e.g., 'credentials://4DY4qGohso1r'). Use this URI to reference the credential in authentication configs.

Create a credential for secure storage. Use is_sensitive=True for passwords. Returns the credential with id and uri. Use the uri (e.g. "credentials://xxxx") as the value in custom_field_mappings to link it to a sequence.

Update a credential (partial update).

Create a new target. Use labels to assign label names (e.g. ["Agentic", "Production"]). Existing labels are reused; missing ones are created automatically. Use scanning_agent_id to assign a scanning agent for internal/private targets.

Set allow_duplicate=True to create a target even if another target with the same URL already exists. This is useful when you want multiple targets for the same URL with different configurations (e.g., different auth methods, different test scenarios).

If target creation fails because the target is unreachable or the domain cannot be resolved, ask the user whether to retry with skip_reachability_check=True.

IMPORTANT: The response contains a top-level id (the target ID) and a nested site.id (the site ID). Always use the top-level id as the targetId parameter for all subsequent tool calls (sequences, scans, logout detection, etc.).

Update a target. Use labels to assign label names (e.g. ["Agentic", "Production"]). Existing labels are reused; missing ones are created automatically. Use scanning_agent_id to assign or change the scanning agent. Pass "" to remove it.

IMPORTANT: The headers/cookies parameters are for general custom headers/cookies sent with every scan request (NOT for authentication). They use a simple structure: {"name": "...", "value": "..."}.

For HTTP Basic Auth authentication: Use basic_auth_username and basic_auth_password parameters. Both must be provided together. Example: probely_update_target( targetId, basic_auth_username="credentials://xxx", # or inline: "api-user" basic_auth_password="credentials://yyy" # or inline: "secret123" )

For API authentication with static headers/cookies: Use api_auth_headers and/or api_auth_cookies parameters with full structure including authentication flags. The tool automatically sets api_login_enabled=true and api_login_method='headers_or_cookies'. Example: probely_update_target( targetId, api_auth_headers=[{ "name": "X-API-Key", "value": "credentials://xxx", "value_is_sensitive": false, "allow_testing": false, "authentication": true, "authentication_secondary": false }], api_auth_cookies=[{ "name": "session", "value": "credentials://yyy", "value_is_sensitive": false, "allow_testing": false, "authentication": true, "authentication_secondary": false }] )

Reference saved credentials using URI format 'credentials://<credential_id>' (not {{cred-name}}).

List all login sequences for a target.

Get details of a specific login sequence.

Create a login sequence. Content must be a JSON string of the sequence steps array. Use custom_field_mappings to configure credentials.

IMPORTANT: After creating a login sequence, you MUST call probely_configure_sequence_login(targetId, enabled=True) to enable sequence-based authentication on the target. Creating a sequence does NOT automatically enable it for authentication.

Use credentials management by default: link a credential (created via probely_create_credential) for the password. If the user explicitly declines, inline values are allowed.

• Password credential: [{"name": "[CUSTOM_PASSWORD]", "value": "credentials://<credential_id>", "value_is_sensitive": true, "enabled": true}]

• When multiple targets share the same credential and it already exists and is_sensitive=True, prompt the user to deobfuscate it in order to allow reuse.

For username: [{"name": "[CUSTOM_USERNAME]", "value": "user@example.com", "value_is_sensitive": true, "enabled": true}]

Update a login sequence. Use custom_field_mappings to configure credentials instead of hardcoding them in the sequence content. Use credential URIs for sensitive values by default.

custom_field_mappings should be a JSON array string, e.g.: [{"name": "[CUSTOM_USERNAME]", "value": "user@example.com", "value_is_sensitive": false, "enabled": true}]

Configure form-based login authentication. Only use this as a fallback when Playwright is NOT available. When Playwright IS available, always record a login sequence instead (probely_create_sequence).

To reference saved credentials, use URI format 'credentials://<credential_id>' (e.g., 'credentials://4DY4qGohso1r'). Get credential URIs from probely_list_credentials or probely_create_credential.

Enable or disable sequence-based login. Call this after creating a login sequence.

Configure TOTP-based 2FA for a target. Automatically generates a TOTP code from the secret and configures it as the OTP placeholder for the login sequence.

Call this BEFORE creating/updating the login sequence. The response includes an otp_code field — use this exact code hardcoded in the sequence's fill_value step for the OTP input. Probely will auto-convert that step to fill_otp at scan time.

Disable 2FA/OTP for a target.

Generate a TOTP code from a secret/seed. Use this when recording login sequences that require 2FA. Returns the current TOTP code and its remaining validity in seconds.

List all logout detectors for a target.

Create a logout detector for a target.

Configure logout detection for a target. This helps the scanner detect when it needs to re-authenticate.

The Probely API requires BOTH check_session_url AND at least one logout detector to be defined before logout detection can be enabled. This function handles the proper ordering automatically.

When no detector is specified, the tool automatically extracts a CSS selector from the target's login sequence (typically the username field) and uses it as the logout detector. This is the most reliable approach: if the login form elements appear on the page, the user is logged out.

Bulk update finding states (e.g. fixed, false_positive, accepted_risk). This tool will automatically ask the user for confirmation.

Create a report for a scan. Returns report metadata including the report ID.

Download a report by its ID.

Get report metadata/status by ID.

List scanning agents. Use status to filter: 'connected', 'connected_with_issues', 'disconnected'.

Get details of a specific scanning agent.

Create an API target from a Postman collection. Provide either postman_collection_url or postman_collectionjson.

Set allow_duplicate=True to create a target even if another target with the same URL already exists. This is useful when you want multiple targets for the same URL with different configurations (e.g., different auth methods, different test scenarios).

If target creation fails because the target is unreachable or the domain cannot be resolved, ask the user whether to retry with skip_reachability_check=True.

IMPORTANT: The response contains a top-level id (the target ID) and a nested site.id (the site ID). Always use the top-level id as the targetId parameter for all subsequent tool calls (update_target, start_scan, etc.). Do NOT use the nested site.id field for target operations.

Create an API target from an OpenAPI/Swagger schema. Provide either openapi_schema_url or openapi_schemajson. When the user provides openapi_schema_url, do not fetch the openapi_schemajson from that url.

Set allow_duplicate=True to create a target even if another target with the same URL already exists. This is useful when you want multiple targets for the same URL with different configurations (e.g., different auth methods, different test scenarios).

If target creation fails because the target is unreachable or the domain cannot be resolved, ask the user whether to retry with skip_reachability_check=True.

IMPORTANT: The response contains a top-level id (the target ID) and a nested site.id (the site ID). Always use the top-level id as the targetId parameter for all subsequent tool calls (update_target, start_scan, etc.). Do NOT use the nested site.id field for target operations.