How to Screenshot Pages with Cookies, Headers, and SSO | ScreenshotCenter
Learn how to capture authenticated web pages behind login walls, SSO providers, and cookie-gated content using the ScreenshotCenter API with custom headers, cookies, and automation steps.
The problem: pages behind authentication
Many high-value pages sit behind login walls — dashboards, admin panels, client portals, and SaaS tools that require session cookies or SSO tokens. Standard screenshot tools see nothing but a login form.
ScreenshotCenter solves this by letting you pass custom cookies, HTTP headers, and automation steps with every capture request. The browser executes your instructions before taking the screenshot, so you get exactly what an authenticated user sees.
Method 1: Pass cookies directly
If you already have a valid session cookie, include it in the cookie parameter:
curl -X POST https://api.screenshotcenter.com/v1/screenshot \
  -H "X-API-KEY: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://app.example.com/dashboard",
    "cookie": "session_id=abc123; _auth_token=xyz789",
    "size": "page",
    "format": "png"
  }'
This is the fastest method when your application uses simple cookie-based sessions. Grab the cookie from your browser's DevTools and pass it along. Learn more about custom headers and request options.
Method 2: Custom HTTP headers
APIs and SPAs often use Authorization: Bearer <token> headers instead of cookies. Use the headers parameter to inject any header the target page expects:
curl -X POST https://api.screenshotcenter.com/v1/screenshot \
  -H "X-API-KEY: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://api.example.com/report",
    "headers": {
      "Authorization": "Bearer eyJhbGciOiJIUzI...",
      "X-Custom-Tenant": "acme-corp"
    },
    "format": "pdf"
  }'
Combine headers with cookies when the application requires both — ScreenshotCenter sends them all in the initial request.
Method 3: Automation steps for SSO and login flows
For SSO-protected pages (Okta, Azure AD, Google Workspace), you cannot always extract a simple cookie. Instead, use automation steps to walk the browser through the login flow:
- Navigate to the login page
- Type the username and password into the form fields
- Click the submit button
- Wait for the redirect to complete
- Capture the authenticated page
Automation steps execute in a real Chromium browser, so JavaScript-heavy login forms, CAPTCHA pre-fills, and multi-step SSO redirects all work as expected.
SSO caveats
- MFA/2FA: If the provider enforces multi-factor authentication on every login, automated flows will be blocked. Use an API token or a service account that bypasses MFA for machine access.
- IP allowlists: Some SSO providers restrict login to known IPs. ScreenshotCenter browsers run from 80+ countries — pick one that matches your allowlist or use on-premise browsers.
- Session expiry: Rotate cookies before they expire. For long-running monitors, automate the login step at the start of each batch.
Step-by-step: capturing a dashboard behind Okta SSO
- Create a service account in your SSO provider with limited, read-only access.
- Disable MFA for that account (or use a TOTP secret you can compute).
- Build an automation script that types the credentials, clicks "Sign in", and waits for the app to load.
- Set delay to 3000–5000 ms to account for SSO redirect latency.
- Submit the screenshot request with the automation steps. The browser handles the full redirect chain.
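The step above that mentions "a TOTP secret you can compute" can be done with the standard library alone. This is an added example, not ScreenshotCenter code and not from the original page: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step) and, as an assumption about the workflow, moves to the next window when too little of the current one remains to cover the 3000 to 5000 ms redirect delay. The function names and the `min_remaining` parameter are hypothetical, and the sample secret is constructed from the RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def decode_secret(b32: str) -> bytes:
    """Decode the Base32 secret shown at enrollment (spacing, case, padding vary)."""
    cleaned = b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def totp_for_submission(b32_secret, now=None, step=30, min_remaining=10, digits=6):
    """Return (code, seconds_to_wait).

    If fewer than min_remaining seconds are left in the current window,
    return the next window's code and how long to wait before submitting,
    so the code is still current when the remote browser types it.
    """
    now = time.time() if now is None else now
    counter = int(now // step)
    remaining = step - (now % step)
    wait = 0
    if remaining < min_remaining:
        counter += 1      # use the upcoming window instead
        wait = remaining  # caller sleeps this long before sending the request
    return hotp(decode_secret(b32_secret), counter, digits), wait


if __name__ == "__main__":
    # Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890".
    # A real secret belongs in a secrets manager, not in source or shell history.
    SAMPLE = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code, wait = totp_for_submission(SAMPLE)
    # Print only the timing; the code itself is a credential and stays out of logs.
    print(f"{len(code)}-digit code ready, wait {wait:.0f}s before submitting")
```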
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Screenshot shows login page | Cookie expired or wrong domain | Refresh the cookie; set cookie_domain if needed |
| Blank page after login | SPA hasn't rendered yet | Increase delay or add a wait_for selector |
| 403 / Access Denied | IP not in allowlist | Switch country or use on-premise browser |
| Redirect loop | SSO requires MFA prompt | Use a service account without MFA |
FAQ
Can I screenshot pages behind Google SSO?
Yes — either pass the session cookie after a manual login, or use automation steps to walk through the Google sign-in form. Disable MFA on the service account for reliability.
Do cookies persist across multiple screenshot requests?
No. Each request uses a fresh browser context. Pass the cookie on every call to ensure consistent authentication.
Is my cookie or token stored by ScreenshotCenter?
No. Cookies, headers, and automation steps are used only for the lifetime of the screenshot job and are never persisted.
Ready to capture authenticated pages? Try the authenticated screenshot workflow and see results in seconds.