All Collections
API scanning
User guide
How to scan your API by uploading the API schema
How to scan your API by uploading the API schema
Everything you need to know about uploading an API schema
Updated over a week ago

Step 1

  1. Head to the Targets page > click '+ Add Targets', then click the top box 'External IP / Domain':

Step 2

In the first box, please enter the target you wish to scan and hit 'Add Target':

Step 3

When you see it pop up on your targets list, click it:

Step 4

You'll then be taken to the target's detail page, where you have the option to add an API schema, by clicking the APIs tab, followed by the green + Add API Schema button:

Step 5

From here you'll need to click the top box OpenAPI/Swagger:

Step 6

πŸ‘‰ Use the first field to give your schema file a name (so you can identify it in the portal)

πŸ‘‰ The second section is for uploading your schema file (for now, we're only supporting .json and .yml)

πŸ‘‰ The third field is where you add the Base URL – this defines the location of the API (or where the API "lives". It's important to note that the Base URL must match the target you're adding the schema to.
(For example, if the target is you couldn't set as the Base URL as that's a different target).

Step 7

Once that's all done your target's detail page will look like this:

At this point, you have two options:

  1. You can kick off an unauthenticated scan of the API schema and the target's infrastructure using the green Scan now button.

  2. You can add authentication, so we can scan the APIs authenticated endpoints (for more comprehensive coverage).

Adding authentication to an API schema

If you choose to add an authentication, you'll need to

  1. On the target's detail page, click + Add authentication:

2. Either select an existing authentication (if you've already added one for the web-app), or add a new one, by clicking the second button.

3. Once here, click the applicable authentication method and follow the prompts.

(🚨 Form-based authentication cannot be used for authenticated API scanning.)

Detailed guides for each of the authentication methods mentioned above can be found in this section of the Help Centre.

API scanning is available to users with an Application license. More information on our licensing can be found here.

Did this answer your question?