FAQs: API scanning

Understand the scanners capabilities and constraints

Naomi Purvis avatar
Written by Naomi Purvis
Updated over a week ago

Below you should find answers to our most frequently asked questions. If you don't find what you're looking for, you're always welcome to pop the support team a message using the chatbot to the bottom right of your screen.

Uploading the schema file

What type of APIs do you support?

For now, we only support REST APIs, specifically Swagger and OpenAPI. (Though we are tracking interest in GraphQL and WSDL, if you want to register your interest). If you accidentally upload an unsupported file type (but it's still a .json, .yaml or .yml and is under 1MB in size) you'll see this error message:

Unsupported file type

What file type do you support?

OpenAPI and Swagger schemas are defined using JSON or YAML files - we do not support other types of file, unfortunately.

What if I use Postman collection?

You'll need to convert it into an OpenAPI schema using a tool of your choice.

Is there a maximum file size?

Yes, we support files up to 2MB. If your file is larger than this, you'll be presented with the following error message:

Has to be under 1MB

What should I do if my API changes?

Unfortunately we have no way of knowing when a change is made to an API, and so when this does happen, you'll need to upload the newest version of the API schema manually, following the steps in this article.

How many APIs can I scan per schema file?

We only support a single API per schema - which you define via the Base URL. If you need to scan multiple APIs, then you can upload the same schema to multiple targets in Intruder (always ensuring that the Base URL corresponds with the target added).

Understanding the Base URL

The Base URL helps the scanner understand where to start the scan and what endpoints/queries to include.

To clarify:

  • The Base URL includes the domain + base path

  • The schema file will include a list of endpoints

For example:



Base URL









If the Base URL isn't consistent with the target, you'll see this error message:

Scanning the API schema endpoints

What scanning engine does Intruder use for API scanning?

We use ZAP as the underlying scanning engine for API scanning.

Which endpoints will be scanned?

We will scan ALL endpoints defined within the schema - this includes PUT, DELETE, POST, PATCH endpoints which can impact the data stored behind the API. We advise you to ONLY scan data-changing endpoints in test environments and not in Production.

Can I exclude endpoints from being scanned?

If you want to exclude endpoints from testing, you'll need to remove them from the API schema before upload. (It's not possible to exclude endpoints from within the Intruder portal.

Can I review the endpoints that will be scanned?

No, we don't list the endpoints prior to scanning, though they will appear under the Scanned URLs tab on the scan's detail page once the scan has completed and the results have been published:

How does the scanner handle parameter values?

When the scanner finds a parameter in an OpenAPI schema it will try fill in appropriate sample values for that parameter when making requests in scans.

If limitations on the value are defined (eg. minimum and maximum lengths), ZAP may fail to fill an appropriate value, and instead opt to use a blank value. You can fix this by adding example values to your OpenAPI schemas.

What if I don't have example values for parameters in the API schema?

The scanner may scan the wrong path if example values are missing.

For example, the following path has a username parameter in it:


To get the info of the user johndoe, you would request:


If the schema defines limitations on this parameter and ZAP can't fill in a value, it will use a blank value of the username parameter and request


Most web servers treat this the same as


which is a completely different (likely non-existent) path.

Can I run only the API Scan (and not the vulnerability scan beforehand)?

We don't yet have a way of just running the API Scan on its own. However, if you head to the Advanced Settings for your scan, you can select the option to limit the scan to Ports 80 and 443 which will significantly reduce the vulnerability scan duration.

Adding authentication for API scanning

What authentication type does API scanning support?

When adding authentication for API scanning, you can choose from one of the following:

Please note, you cannot use form-based authentication for API scanning.

Are there specific authentication flows you do not support?

At present, we only support authentication flows where API keys are sent within the headers, so sending the authentication parameters as part of the URL request is a method that we do not support e.g. https://api.example.com/?UserID={value}&PasswordKey={value} would not be supported.

My app uses form-based auth, what should I add for my API?

Since we don't support form-based authentication when scanning APIs, you'll need to add a second authentication type from the list above (which you can then assign to the API schema as outlined in this article).

Are there any limitations with authenticated API scanning?

Yes, all the same limitations outlined in this article will apply when running authenticated scans of API schemas.

API scanning + Single Page Applications

For complex Single Page Applications (where spidering might not work), we recommend uploading the API schema and scanning that way.

API scanning is available to any user with an Application License.

Did this answer your question?