Getting Started
This guide walks you through running your first API security scan with Detectify. The entire process takes about 10 minutes.
Prerequisites
Before you begin, you need:
- A Detectify account with API Security Testing enabled
- An OpenAPI specification for your API in .json format (OpenAPI v2, v3, or v3.1)
- Authentication credentials for your API (if applicable)
- Permission to scan the target API
Step 1: Prepare Your OpenAPI Spec
Your OpenAPI specification serves as the blueprint for the scan. Detectify uses it to discover all endpoints, parameters, and request schemas.
Ensure your spec meets these requirements:
- Format: .json only. YAML files must be converted to JSON before uploading.
- Version: OpenAPI v2 (Swagger), v3.0, or v3.1
- Completeness: Include all endpoints you want tested. Endpoints not in the spec will not be scanned.
- Accuracy: Ensure parameter types, request bodies, and response schemas reflect the actual API behavior.
If you do not have an OpenAPI spec, many API frameworks can generate one automatically (for example, FastAPI, Spring Boot with Springdoc, or Express with swagger-jsdoc).
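A pre-upload check for the requirements above, and for the Step 3 point that endpoints without authentication will only be tested unauthenticated, as an added example that is not Detectify's code. It assumes the spec is already JSON and uses only the standard library; the sample spec is constructed for illustration.

```python
import json

# Constructed sample spec (not from Detectify): a small OpenAPI 3.0 document.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "paths": {
        "/users": {
            "get": {"security": [{"ApiKeyAuth": []}],
                    "parameters": [{"name": "limit", "in": "query",
                                    "schema": {"type": "integer"}}]},
            "post": {"security": [{"ApiKeyAuth": []}]},
        },
        "/health": {"get": {}},
        "/orders/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path"}]},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def check_spec(spec_json: str) -> dict:
    """Summarise a JSON spec before upload: version, endpoint count, and the
    gaps a scan would inherit (unauthenticated operations, untyped parameters)."""
    spec = json.loads(spec_json)
    if "swagger" in spec:
        version = "OpenAPI v2 (Swagger " + str(spec["swagger"]) + ")"
    elif str(spec.get("openapi", "")).startswith(("3.0", "3.1")):
        version = "OpenAPI " + spec["openapi"]
    else:
        raise ValueError("unsupported or missing OpenAPI version field")
    default_secured = bool(spec.get("security"))  # top-level security requirement
    endpoints, unauthenticated, untyped = [], [], []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip non-operation keys such as "parameters" or "summary"
            endpoints.append((method.upper(), path))
            # An operation without its own security list inherits the top-level one;
            # an explicit empty list means the operation is deliberately open.
            secured = bool(op["security"]) if "security" in op else default_secured
            if not secured:
                unauthenticated.append(f"{method.upper()} {path}")
            for p in op.get("parameters", []):
                if "schema" not in p and "type" not in p:  # v3 uses schema, v2 uses type
                    untyped.append(f"{method.upper()} {path} param {p.get('name')}")
    return {"version": version, "endpoints": len(endpoints),
            "unauthenticated": unauthenticated, "untyped_parameters": untyped}
```

Operations listed under "unauthenticated" are the ones the scanner will exercise without credentials regardless of what you configure in Step 3; "untyped_parameters" are the accuracy gaps that leave the scanner guessing at payload shapes.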
Step 2: Upload Your Spec
- Navigate to API Security Testing in the Detectify dashboard.
- Click Create Scan Profile.
- Upload your .json spec file.
- Detectify parses and validates the spec. If there are parsing errors, you will see a summary of issues to address.
Step 3: Configure Authentication
If your API requires authentication, configure it so the scanner can access protected endpoints.
Detectify supports the following authentication methods:
| Method | Configuration |
|---|---|
| API Key | Provide the header name and key value (for example, X-API-Key: your-key) |
| Basic Auth | Provide the username and password |
| OAuth 2.0 | Provide the token endpoint, client ID, client secret, and scopes |
Without valid authentication, the scanner can only test unauthenticated endpoints and will miss vulnerabilities in protected areas of your API.
Step 4: Run Your First Scan
- Review the scan configuration summary, which shows the number of endpoints detected and the authentication method configured.
- Click Start Scan.
- The scan begins sending payloads to your API endpoints. Depending on the number of endpoints and the rate-limiting settings, scans typically take between 5 and 30 minutes.
You can monitor scan progress in the dashboard. Findings appear in real time as vulnerabilities are confirmed.
Step 5: Review Results
Once the scan completes, navigate to the Results tab to review findings. For each vulnerability, Detectify provides:
- The affected endpoint and parameter
- Severity level (Critical, High, Medium, or Low)
- A description of the vulnerability
- The exact request and response that confirmed the issue
- Remediation guidance
See Results for a detailed guide on interpreting your findings.
Next Steps
- Configure scheduling to run scans automatically
- Review coverage to understand what vulnerability types are tested
- Set up integrations to route findings to Jira, Slack, or your CI/CD pipeline