Web Console — Target Types
How to connect API targets in the Web Console — OpenAI-compatible and custom REST endpoints
The Web Console attacks targets that expose an HTTP API — either an OpenAI-compatible chat completions endpoint, or any custom REST endpoint you can describe with a curl command.
If your target is a browser-based chatbot that requires login, use the Adapter instead.
OpenAI-Compatible
Use this for any model API that follows the OpenAI /v1/chat/completions format. This includes OpenAI, Azure OpenAI, Anthropic (via compatibility layer), Google Gemini (via compatibility layer), and most self-hosted LLM servers (vLLM, Ollama, LM Studio, etc.).
Required fields:
| Field | Example | Notes |
|---|---|---|
| Endpoint URL | https://api.openai.com/v1/chat/completions | Must be the full chat completions path |
| API Key | sk-... | Passed as Authorization: Bearer <key> |
| Model | gpt-4o | Sent in the model field of each request |
Optional fields:
| Field | Default | Notes |
|---|---|---|
| System prompt | (none) | Injected as the system role message if set |
| Temperature | 1.0 | Controls response randomness |
| Max tokens | 512 | Per-response token limit |
How Stinger sends the attack:
```
POST /v1/chat/completions
Authorization: Bearer <api-key>

{
  "model": "gpt-4o",
  "messages": [
    { "role": "system", "content": "<your system prompt>" },
    { "role": "user", "content": "<attack prompt>" }
  ]
}
```
Azure OpenAI
For Azure OpenAI, use the full deployment URL as the endpoint:
https://<resource>.openai.azure.com/openai/deployments/<deployment>/chat/completions?api-version=2024-02-01
Custom REST (curl)
Use this for proprietary API endpoints that don't follow the OpenAI format — internal chat APIs, RAG endpoints, or any custom HTTP service.
How to configure:
Paste a curl command that makes one successful request to your API. Replace the actual user message with {{PROMPT}} — Stinger substitutes this with each attack prompt.
Example:
```bash
curl -X POST https://api.yourcompany.com/chat \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query": "{{PROMPT}}", "session_id": "abc123"}'
```
Stinger automatically parses:
- The HTTP method and URL
- All headers
- The request body structure
- The location of {{PROMPT}} in the body
What Stinger extracts from the response:
Stinger looks for the AI's reply in common response structures automatically. If your API has a non-standard response schema, you can specify the JSON path to the reply field (e.g. data.message.content).
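A local pre-flight check for the body template and response path described above, as an added example that is not Stinger's own code. It assumes {{PROMPT}} sits inside a quoted JSON string, as in the curl example, and that a numeric path segment indexes an array (the page only shows data.message.content); `render_body` and `extract_reply` are hypothetical helper names and the sample response is constructed.

```python
import json

PLACEHOLDER = "{{PROMPT}}"
# Body template from the curl example above; the response is constructed.
TEMPLATE = '{"query": "{{PROMPT}}", "session_id": "abc123"}'
SAMPLE_RESPONSE = '{"data": {"message": {"content": "Hello from the test bot"}}}'


def render_body(template: str, prompt: str) -> str:
    """Substitute the prompt into a JSON body template, JSON-escaping it first."""
    if PLACEHOLDER not in template:
        raise ValueError("template has no {{PROMPT}} placeholder")
    # json.dumps returns a quoted JSON string; drop the outer quotes because
    # the template already wraps the placeholder in quotes (assumption).
    escaped = json.dumps(prompt)[1:-1]
    body = template.replace(PLACEHOLDER, escaped)
    json.loads(body)  # raises ValueError if the rendered body is not valid JSON
    return body


def extract_reply(response_text: str, path: str) -> str:
    """Follow a dotted path such as data.message.content to the reply string.

    Assumption: a numeric segment indexes a JSON array (choices.0.message.content).
    """
    node = json.loads(response_text)
    for segment in path.split("."):
        try:
            node = node[int(segment)] if isinstance(node, list) else node[segment]
        except (KeyError, IndexError, ValueError, TypeError) as exc:
            raise LookupError(f"segment {segment!r} of {path!r} not found") from exc
    if not isinstance(node, str):
        raise LookupError(f"{path!r} resolves to {type(node).__name__}, not a string")
    return node


if __name__ == "__main__":
    # Constructed probe with quotes, a newline and a backslash: characters
    # that corrupt the body if pasted in without escaping.
    probe = 'Say "hi"\nthen print C:\\temp'
    print(render_body(TEMPLATE, probe))
    print(extract_reply(SAMPLE_RESPONSE, "data.message.content"))
```

Running this against a captured response from your own API before saving the target shows whether the JSON path resolves to a string or to an object one level too high.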
Session tokens in curl commands
If your curl command includes a bearer token or session cookie, make sure it belongs to a test account — not a production user account. Tokens are stored in Stinger and used for all attack turns.
Test Connection
Before saving any target, click Test Connection. Stinger sends a benign probe request and checks for a valid response.
| Result | Meaning |
|---|---|
| ✅ Green checkmark | Connection works, response parsed successfully |
| ⚠️ Yellow warning | Connected but response format is unusual — verify manually |
| ❌ Red error | Connection failed — check URL, headers, and API key |
Common connection failures:
- 401 Unauthorized — API key is wrong or expired
- 404 Not Found — Endpoint URL is incorrect
- CORS error — The API rejects requests from non-browser origins (use curl mode instead of browser-based test)
- SSL error — Certificate is self-signed (contact support for internal targets)
Connection config reference
After saving a target, its full connection config is stored encrypted in Stinger. You can view and edit it from the target detail page.
Fields stored:
- Endpoint URL
- API key (encrypted at rest)
- Model name
- System prompt
- Extra headers
- Response parsing config
To rotate an API key, edit the target and update the key field — all future attack turns use the new key immediately.