How to scan your API by uploading the API schema

Everything you need to know about uploading an API schema

Written by Naomi Purvis
Updated over a week ago

Before uploading anything, we’d recommend reviewing all the endpoints in the schema in the context of the authorised account you’re giving the scanner access to. The scanner is going to call every endpoint in the schema, so if the account can modify data through the API (e.g. PUT/POST/DELETE), the scanner is going to modify that data.

If testing in production, we'd recommend you take the necessary precautions to remove any sensitive endpoints (and avoid authorising via admin accounts).

If testing in staging, be aware that if it's not a direct copy of production, the coverage may be compromised.
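
One way to carry out the endpoint review recommended above on a .json schema before uploading it, as an added example that is not Intruder's own tooling: it lists every operation that can modify data and builds a copy of the schema with those operations removed. The function names and the sample schema are constructed for illustration, and PATCH is included alongside the PUT/POST/DELETE methods mentioned above as an assumption.

```python
import copy
import json

# PUT/POST/DELETE are the methods the article names; PATCH is added here
# because it also modifies data.
MUTATING = {"put", "post", "delete", "patch"}
HTTP_METHODS = MUTATING | {"get", "head", "options", "trace"}


def mutating_operations(schema):
    """Return sorted (METHOD, path) pairs in the schema that can modify data."""
    return sorted(
        (method.upper(), path)
        for path, item in schema.get("paths", {}).items()
        for method in item
        if method.lower() in MUTATING
    )


def read_only_copy(schema):
    """Copy the schema without mutating operations; drop paths left empty."""
    out = copy.deepcopy(schema)
    for path in list(out.get("paths", {})):
        item = out["paths"][path]
        for method in [m for m in item if m.lower() in MUTATING]:
            del item[method]
        # Path-level keys such as "parameters" do not count as operations.
        if not any(key.lower() in HTTP_METHODS for key in item):
            del out["paths"][path]
    return out


# Constructed sample schema, not a real API.
SAMPLE = {
    "openapi": "3.0.0",
    "info": {"title": "Sample", "version": "1.0"},
    "paths": {
        "/users": {"get": {"responses": {}}, "post": {"responses": {}}},
        "/users/{id}": {"get": {"responses": {}}, "delete": {"responses": {}}},
        "/admin/reset": {"parameters": [], "post": {"responses": {}}},
    },
}

if __name__ == "__main__":
    for method, path in mutating_operations(SAMPLE):
        print(f"{method:7}{path}")
    # For a real file: schema = json.load(open("schema.json")) (file name assumed)
    print(json.dumps(read_only_copy(SAMPLE), indent=2))
```

Review the printed list against what the authorised account is allowed to do, then decide per endpoint whether to keep it in the uploaded schema.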

API scanning is available to users with an Application license.
More information on our licensing can be found here.


  1. Head to the Targets page > click '+ Add Targets', then click the top box 'External IP / Domain':

  2. In the first box, please enter the target you wish to scan and hit 'Add Target':

  3. Pop the target into the search bar and click it:

  4. You'll then be taken to the target's detail page, where you have the option to add an API schema, by clicking the APIs tab, followed by the green + Add API Schema button:

  5. From here you'll need to click the top box OpenAPI/Swagger:

  6. 👉 Use the first field to give your schema file a name (so you can identify it in the portal)

    👉 The second section is for uploading your schema file (for now, we're only supporting .json and .yml)

    👉 The third field is where you add the Base URL – this defines the location of the API (or where the API "lives"). It's important to note that the Base URL must match the target you're adding the schema to.
    (For example, if the target is api-test-rig.intruder.es you couldn't set example.api-test-rig.intruder.es as the Base URL as that's a different target).

    Then click Next:

  7. At this point you can choose to add authentication (existing or new) or choose to skip. (You can always revisit this at a later stage, if you wish).

    1. If you skip, you'll end up on your target's detail page:

    2. If you choose to add authentication to a new target, you'll want to click Add new authentication:


      And then select one from the following list (there are guides hyperlinked below for your reference):
      - HTTP
      - Header
      - Session-cookie
