APIsec for Partner APIs

What middleBrick covers

  • Authentication and authorization coverage for partner APIs
  • OpenAPI 3.0/3.1 and Swagger 2.0 spec-aware analysis
  • Detection of OWASP API Top 10 (2023) categories
  • Authenticated scanning with domain verification
  • Continuous monitoring and diff detection
  • CI/CD integration via GitHub Action

Security posture for partner-facing APIs

Partner APIs expand your attack surface and often require distinct security considerations. This scanner evaluates endpoints using read-only methods to map risk across common implementation patterns.

  • Authentication coverage for bearer tokens, API keys, basic auth, and cookie-based schemes.
  • Transport security checks including HTTPS redirects, HSTS presence, and cookie flags.
  • Exposure of internal identifiers and sensitive data patterns such as emails and credit card numbers.
  • Server fingerprinting and legacy path patterns that may simplify reconnaissance.
  • Webhook and callback surface analysis to reduce unsafe consumption risks.

Findings include remediation guidance aligned to OWASP API Top 10 (2023) to support secure integration practices.
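
The passive checks listed above (HSTS presence, cookie flags, server fingerprinting, and sensitive-data patterns such as emails and Luhn-valid card numbers) can be reproduced offline against a captured response. The following is an added example written for this page, not middleBrick's own code; the response headers and JSON body are constructed samples, and the finding strings are illustrative.

```python
import re
from typing import Dict, List

# Constructed sample response, as a read-only scanner might capture it from a GET.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Server": "nginx/1.18.0",
    "Set-Cookie": "session=abc123; Path=/",
}
SAMPLE_BODY = (
    '{"user": {"id": 1042, "email": "alice@example.com", '
    '"card": "4111 1111 1111 1111"}}'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes; the Luhn check filters noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Transport and fingerprinting checks on response headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing HSTS header")
    if "server" in h:
        findings.append(f"server fingerprint exposed: {h['server']}")
    cookie = h.get("set-cookie")  # a real capture may carry several Set-Cookie headers
    if cookie:
        # Attributes follow the name=value pair; compare attribute names only.
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie missing {flag} attribute")
    return findings


def check_body(body: str) -> List[str]:
    """Sensitive-data patterns in the body: emails and Luhn-valid card numbers."""
    findings = []
    for email in EMAIL_RE.findall(body):
        findings.append(f"email exposed: {email}")
    for match in CARD_RE.findall(body):
        digits = re.sub(r"\D", "", match)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(f"Luhn-valid card number exposed: {digits[:6]}...{digits[-4:]}")
    return findings


def scan_response(headers: Dict[str, str], body: str) -> List[str]:
    return check_headers(headers) + check_body(body)


if __name__ == "__main__":
    for finding in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

The Luhn filter matters in practice: order IDs, timestamps and tracking numbers also look like 13 to 19 digit runs, and reporting every one of them as a card number is how a scanner loses its audience. Masking the number in the finding keeps the report itself from becoming a data exposure.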

OpenAPI and spec-aware analysis

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the specification against runtime responses to highlight inconsistencies.

  • Detection of undefined security schemes and deprecated operations.
  • Validation of expected parameters, including path and query configurations.
  • Identification of missing pagination that can lead to resource exhaustion.
  • Checks for sensitive field exposure in schema definitions.

Spec-driven analysis helps surface integration risks before deployment while remaining non-intrusive.

Detection coverage for partner API risks

The scanner covers the categories below, which map to the OWASP API Top 10 (2023) categories plus additional LLM/AI checks, focusing on issues prevalent in distributed integrations.

  1. Authentication bypass vectors and JWT misconfigurations such as alg=none or expired tokens.
  2. BOLA and IDOR through sequential ID enumeration and adjacent ID probing.
  3. BFLA and privilege escalation via admin endpoint discovery and role leakage.
  4. Property over-exposure, including internal fields and mass-assignment surfaces.
  5. Security misconfiguration such as permissive CORS (wildcard or reflected origins combined with Access-Control-Allow-Credentials: true) and dangerous HTTP methods left enabled.
  6. Rate limiting and resource handling indicators, including oversized responses.
  7. Data exposure patterns including Luhn-validated cards, SSN-like values, and API key formats.
  8. SSRF indicators involving URL-accepting parameters and internal IP probing.
  9. Inventory management issues such as missing versioning and legacy paths.
  10. Unsafe consumption risks from excessive third-party URLs and webhook surfaces.
  11. LLM/AI security probes across tiered scan depths to test system prompt integrity.

Each finding includes contextual details to help teams prioritize fixes.
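
The JWT checks in category 1 come down to reading the token's header and claims: a token whose header says alg=none, or that carries no signature segment, must be rejected by the server, and a token with no exp claim never expires. The example below is added for this page and is not middleBrick's code. It inspects a token offline, and also derives the alg=none variant that a scanner would send back in a read-only request to confirm the server rejects it. The tokens are constructed samples with placeholder signatures; no real signing is performed.

```python
import base64
import json
import time
from typing import Any, Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_jwt(header: Dict[str, Any], payload: Dict[str, Any], signature: str = "") -> str:
    """Assemble a compact JWS from its parts (for constructed samples; no real signing)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{signature}"


def inspect_jwt(token: str, now: Optional[int] = None) -> List[str]:
    """Flag alg=none or unsigned tokens and missing, malformed or past exp claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected three dot-separated segments)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return ["header or payload is not base64url-encoded JSON"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or parts[2] == "":
        findings.append("alg=none or unsigned token")
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif not isinstance(exp, (int, float)) or now >= exp:
        findings.append(f"exp claim expired or malformed: {exp!r}")
    return findings


def to_alg_none(token: str) -> str:
    """Derive the probe a scanner sends: same claims, alg=none, empty signature.

    A correctly configured server must reject this with 401/403; accepting it
    means the verifier trusts the header's alg field instead of its own key config.
    """
    h_seg, p_seg, _ = token.split(".")
    header = json.loads(_b64url_decode(h_seg))
    header["alg"] = "none"
    return build_jwt(header, json.loads(_b64url_decode(p_seg)), signature="")


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample: a plausible HS256 token with a placeholder signature segment.
    issued = build_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "42", "exp": now + 3600}, "c2ln")
    print("issued token:", inspect_jwt(issued, now) or "no findings")
    print("alg=none probe:", inspect_jwt(to_alg_none(issued), now))
```

The inspection never verifies a signature, so it only tells you what the token claims about itself. Whether the server actually accepts the alg=none probe, or honours an expired exp, is a property of the verifier and can only be confirmed by sending the probe and reading the status code.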

Authenticated scanning and domain verification

Authenticated scans are available at the Starter tier and above for endpoints requiring credentials. The process includes a domain verification gate to ensure only domain owners can submit credentials.

  • Supported methods include Bearer tokens, API keys, Basic auth, and cookies.
  • Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
  • Compliance mappings help you prepare for audits against SOC 2 Type II and PCI-DSS 4.0.
  • Read-only operations ensure no destructive payloads are sent during testing.

This approach enables deeper validation while maintaining a controlled testing boundary.

Ongoing monitoring and integration options

Pro tier subscribers gain continuous monitoring capabilities to track security posture over time. The platform supports multiple integration channels for flexible deployment.

  • Scheduled rescans at intervals of six hours, daily, weekly, or monthly.
  • Diff detection to surface new findings, resolved items, and score drift.
  • Email alerts with rate limiting of one notification per hour per API.
  • HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures.
  • CI/CD integration via GitHub Action to enforce score thresholds in pipelines.
  • MCP Server compatibility for use with AI coding assistants.

Organizations can also manage scans through a web dashboard and export branded compliance documentation.
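
Signed webhooks only help if the receiver actually verifies them. The page does not document the exact wire format, so the example below, added here and not middleBrick's own code, assumes one: the sender computes HMAC-SHA256 over "<unix timestamp>.<raw body>" with the shared secret and sends the hex digest and the timestamp in two headers whose names are assumptions. The secret, timestamp and event body are constructed samples. The receiver checks the timestamp window first (to bound replay), then compares the signature in constant time.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Assumed wire format (not documented on this page): header names and the
# "<timestamp>.<body>" signing input are assumptions for this example.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300

# Constructed sample delivery.
SECRET = b"constructed-shared-secret"
SAMPLE_TS = 1700000000
SAMPLE_BODY = b'{"event":"scan.completed","api":"partner-orders","score":82}'


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the timestamp and the raw body bytes."""
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Mapping[str, str], body: bytes,
                   now: Optional[int] = None, max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """Receiver side: reject missing or malformed headers, stale timestamps,
    and any signature mismatch. Verify over the raw body, before JSON parsing."""
    now = int(time.time()) if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    ts_raw = h.get(TS_HEADER.lower())
    sig = h.get(SIG_HEADER.lower(), "")
    if ts_raw is None or not sig:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    if abs(now - ts) > max_skew:
        return False  # replayed or badly skewed delivery
    expected = sign_webhook(secret, ts, body)
    try:
        # Constant-time comparison; never use == on signatures.
        return hmac.compare_digest(expected, sig.strip().lower())
    except TypeError:  # non-ASCII junk in the header
        return False


SAMPLE_HEADERS = {
    TS_HEADER: str(SAMPLE_TS),
    SIG_HEADER: sign_webhook(SECRET, SAMPLE_TS, SAMPLE_BODY),
}


if __name__ == "__main__":
    print("genuine delivery:", verify_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 5))
    print("tampered body:", verify_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" ", now=SAMPLE_TS + 5))
    print("replayed an hour later:", verify_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 3600))
```

Two operational points follow from the page's own description. The signature covers the bytes as sent, so verify the raw request body rather than a re-serialised parse of it, or legitimate deliveries will fail. And since the sender disables an endpoint after five consecutive failures, do the verification up front and return 2xx promptly, then process the event asynchronously; slow or flaky downstream work should not turn into a disabled webhook.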

Frequently Asked Questions

Does this tool detect business logic vulnerabilities in partner APIs?
The scanner does not detect business logic vulnerabilities, as these require domain context and human analysis. It maps findings to OWASP API Top 10 (2023) and provides remediation guidance.
What compliance mappings are included in the results?
Findings map to OWASP API Top 10 (2023) categories and carry compliance mappings for SOC 2 Type II and PCI-DSS 4.0, which can be exported as compliance documentation from the dashboard.
Can authenticated scans be configured with custom headers?
Only specific headers are forwarded: Authorization, X-API-Key, Cookie, and X-Custom-*. This restriction is enforced to limit exposure during authenticated testing.
How are false positives handled in scan results?
The scanner reports observed behaviors and configuration indicators. Teams should correlate findings with application context to validate potential false positives.
Does the tool perform active exploitation or intrusive testing?
No. The scanner uses read-only methods and does not perform active SQL injection, command injection, or blind SSRF testing.