
Getting Started

This guide walks you through running your first scan with API Scanning. The entire process takes about 10 minutes.

Prerequisites

Before you begin, you need:

  • A Detectify account with API Scanning enabled
  • An OpenAPI specification for your API in .json, .yaml, or .yml format (OpenAPI v2, v3, or v3.1)
  • Authentication credentials for your API (if applicable)
  • Permission to scan the target API

Step 1: Prepare Your OpenAPI Spec

Ensure your spec is ready to upload. See OpenAPI Specs for supported formats, requirements, and best practices.

If you do not have an OpenAPI spec, many API frameworks can generate one automatically (for example, FastAPI, Spring Boot with Springdoc, or Express with swagger-jsdoc).

Step 2: Upload Your Spec

  1. Navigate to API Scanning in the Detectify dashboard.
  2. Click Create Scan Profile.
  3. Upload your spec file.
  4. Detectify parses and validates the spec. If there are parsing errors, you will see a summary of issues to address.

Step 3: Configure Authentication

If your API requires authentication, configure it so the scanner can access protected endpoints. Detectify supports OAuth 2.0, Basic Auth, and API key authentication. See Configuration for setup details.

Without valid authentication, the scanner can only test unauthenticated endpoints and will miss vulnerabilities in protected areas of your API.
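A quick local check of the spec before uploading catches the things Steps 1 to 3 depend on: that the file parses, which OpenAPI version it is, how many operations the scanner will see, which security schemes are declared (so you know what to configure), and which operations carry no security requirement and will therefore only be tested unauthenticated. The script below is an added example, not Detectify's code; it assumes a spec in .json, or .yaml/.yml with PyYAML installed, and the sample spec inside it is constructed.

```python
import json
try:
    import yaml  # PyYAML, optional: only needed for .yaml/.yml specs
except ImportError:
    yaml = None

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def load_spec(text, filename):
    """Parse spec text as JSON or YAML, chosen by the file extension."""
    if filename.endswith(".json"):
        return json.loads(text)
    if filename.endswith((".yaml", ".yml")):
        if yaml is None:
            raise RuntimeError("install PyYAML to read YAML specs")
        return yaml.safe_load(text)
    raise ValueError("spec must be .json, .yaml or .yml")

def inspect_spec(spec):
    """Summarise version, operation count and auth schemes; raise if unusable."""
    if "swagger" in spec:  # OpenAPI v2
        version, schemes = "2.0", spec.get("securityDefinitions", {})
    elif "openapi" in spec:  # OpenAPI v3 / v3.1
        version = str(spec["openapi"])
        schemes = spec.get("components", {}).get("securitySchemes", {})
    else:
        raise ValueError("not an OpenAPI document: no 'swagger' or 'openapi' key")
    ops = [(m.upper(), p) for p, item in spec.get("paths", {}).items()
           for m in item if m in HTTP_METHODS]
    if not ops:
        raise ValueError("spec declares no operations; nothing to scan")
    # Operations with no security requirement (and none set globally) are the
    # ones the scanner can only test unauthenticated.
    global_sec = bool(spec.get("security"))
    unauth = [f"{m} {p}" for m, p in ops
              if not (global_sec or spec["paths"][p][m.lower()].get("security"))]
    return {"version": version, "operations": len(ops),
            "auth_schemes": {n: s.get("type") for n, s in schemes.items()},
            "unauthenticated": unauth}

# Constructed sample spec (not a real API) with one unauthenticated operation.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {"/health": {"get": {}},
              "/users": {"get": {"security": [{"bearer": []}]},
                         "post": {"security": [{"bearer": []}]}}}})

if __name__ == "__main__":
    print(json.dumps(inspect_spec(load_spec(SAMPLE_SPEC, "api.json")), indent=2))
```

Run it against your own file by replacing SAMPLE_SPEC with the file contents; an exception means the upload in Step 2 would fail or the scan would have nothing to do.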

Step 4: Run Your First Scan

  1. Review the scan configuration summary, which shows the number of endpoints detected and the authentication method configured.
  2. Click Start Scan.
  3. The scan begins sending payloads to your API endpoints. See Configuration for factors that affect scan duration.

You can monitor scan progress in the dashboard. Findings appear in real time as vulnerabilities are confirmed.

Step 5: Review Results

Once the scan completes, navigate to the Results tab to review findings. For each vulnerability, Detectify provides:

  • The affected endpoint and parameter
  • Severity level (Critical, High, Medium, or Low)
  • A description of the vulnerability
  • The exact request and response that confirmed the issue
  • Remediation guidance

See Results for a detailed guide on interpreting your findings.

Next Steps
