diff --git a/.github/workflows/zaproxy.yml b/.github/workflows/zaproxy.yml
index a8796082..4e891a8d 100644
--- a/.github/workflows/zaproxy.yml
+++ b/.github/workflows/zaproxy.yml
@@ -16,30 +16,31 @@ jobs:
 python3 wis2box-ctl.py status -a
 sleep 30
 python3 wis2box-ctl.py status -a
- - name: populate stations from CSV 📡
- run: |
- python3 wis2box-ctl.py execute wis2box metadata station publish-collection
 - name: add Malawi synop data to the system 🇲🇼
 env:
- TOPIC_HIERARCHY: mw-mw_met_centre.data.core.weather.surface-based-observations.synop
+ TEST_DATA: /data/wis2box/observations/malawi
+ STATION_METADATA: /data/wis2box/metadata/station/malawi.csv
 CHANNEL: origin/a/wis2/mw-mw_met_centre/data/core/weather/surface-based-observations/synop
 TERRITORY: MWI
 DISCOVERY_METADATA: /data/wis2box/metadata/discovery/mw-surface-weather-observations.yml
 DISCOVERY_METADATA_ID: urn:wmo:md:mw-mw_met_centre:surface-weather-observations
 run: |
 python3 wis2box-ctl.py execute wis2box dataset publish $DISCOVERY_METADATA
- python3 wis2box-ctl.py execute wis2box metadata station add-topic --territory-name $TERRITORY $CHANNEL
+ sleep 5
+ python3 wis2box-ctl.py execute wis2box metadata station publish-collection --path $STATION_METADATA --topic-hierarchy $CHANNEL
+ sleep 5
 python3 wis2box-ctl.py execute wis2box data ingest -mdi $DISCOVERY_METADATA_ID -p $TEST_DATA
 sleep 10
 - name: ZAP baseline Scan on UI 🕵️‍♂️
- uses: zaproxy/action-baseline@v0.12.0
+ uses: zaproxy/action-baseline@v0.14.0
 with:
 target: 'http://localhost'
 rules_file_name: '.zap/rules.tsv'
 allow_issue_writing: 'false'
 fail_action: 'true'
+ artifact_name: 'zap-ui'
 - name: ZAP baseline Scan on wis2box-webapp 🕵️‍♂️
- uses: zaproxy/action-baseline@v0.12.0
+ uses: zaproxy/action-baseline@v0.14.0
 env:
 ZAP_AUTH_HEADER_VALUE: "Basic d2lzMmJveC11c2VyOndpczJib3h0ZXN0MTIz"
 ZAP_AUTH_HEADER: "Authorization"
@@ -48,3 +49,4 @@ jobs:
 rules_file_name: '.zap/rules.tsv'
 allow_issue_writing: 'false'
 fail_action: 'true'
+ artifact_name: 'zap-webapp'
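Review bot: Both `uses: zaproxy/action-baseline@v0.14.0` lines reference the scanner action by a tag, which the upstream repository can re-point, so the code that runs in CI is not fixed by this file; referencing the release's full commit SHA with the version kept as a comment, `uses: zaproxy/action-baseline@<full-commit-sha> # v0.14.0` (placeholder, take the SHA from the release), makes each bump reviewable. In the Malawi step the two new `sleep 5` lines assume publishing finishes within a fixed delay; if it does not, the ingest presumably runs against incomplete station metadata and ZAP scans a less populated application, so waiting on an observable result would be more reliable than a timer. The unchanged `ZAP_AUTH_HEADER_VALUE` line keeps a base64 Basic credential in the workflow file, and base64 is an encoding rather than protection; unless that account exists only in the throwaway CI instance it should come from a repository secret.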
diff --git a/wis2box-management/wis2box/auth.py b/wis2box-management/wis2box/auth.py
index e6f51ffd..37fdf99b 100644
--- a/wis2box-management/wis2box/auth.py
+++ b/wis2box-management/wis2box/auth.py
@@ -34,6 +34,12 @@ LOGGER = logging.getLogger(__name__)
+VALID_PATHS = [
+ 'collections/stations',
+ 'processes/wis2box',
+ 'wis2downloader'
+]
+
 def create_token(path: str, token: str) -> bool:
 """
@@ -160,7 +166,11 @@ def add_token(ctx, metadata_id, path, yes, token):
 raise click.ClickException(f'Metadata identifier {metadata_id} not found in data mappings') # noqa
 path = metadata_id
 elif path is not None:
- path = path
+ if path not in VALID_PATHS:
+ msg = f'Not a valid path, valid paths are {VALID_PATHS}'
+ raise click.ClickException(msg)
+ else:
+ path = path
 else:
 raise click.ClickException('Missing path or metadata_id')
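Review bot: The `else: path = path` branch added under the new guard in add_token is a self-assignment with no effect and can be dropped, leaving only `if path not in VALID_PATHS:` and its raise. The membership test is an exact string match, so `/collections/stations` or `collections/stations/` would be rejected; if those spellings are expected from operators, normalise first with `path = path.strip('/')`. VALID_PATHS is a module-level list that acts as an allowlist for token scopes, so a tuple would keep it from being mutated at runtime, and `', '.join(VALID_PATHS)` would read better in the error than the list repr. add_token starts and ends outside the hunk, and the check sits in this CLI command rather than in `create_token`, so whether other callers get the same validation cannot be seen from here.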