What is API Discovery? Definition, Tools, Security
API discovery is the process of finding, cataloging, and continuously monitoring all APIs across your environment, including the shadow and zombie APIs nobody put in the catalog.
What is API discovery?
API discovery is the practice of finding, cataloging, and continuously inventorying every API running in your environment: known APIs, shadow APIs (built without security or IT awareness), zombie APIs (deprecated but still live), and the third-party APIs your own code consumes. The goal is a complete, current inventory, because you can only secure, govern, monitor, and optimize what you can enumerate.
API discovery has become critical because the number of APIs has exploded. Postman's 2024 survey found that organizations average 600+ APIs, with the top quartile exceeding 1,500, and most organizations have fewer than half of them documented.
Why API discovery matters
- Security. You can't protect what you don't know about. Shadow APIs skip authentication review, input validation review and monitoring, which is why they are a common breach vector.
- Compliance. GDPR, HIPAA and similar regimes require you to know which data is exposed through which interface; an unknown API is an unknown data flow.
- Cost. Unused/zombie APIs still cost compute, storage, third-party fees.
- Documentation. Discovery surfaces undocumented APIs for catalog inclusion.
- Performance. Find degraded APIs before users do.
- M&A integration. An acquired company brings an unknown number of APIs; discovery tells you what they are before you connect the networks.
Types of APIs to discover
| Type | Description | Risk |
|---|---|---|
| Documented APIs | Officially in catalog/portal | Lowest |
| Shadow APIs | Built outside official process | High (no security review) |
| Zombie APIs | Deprecated but still live | High (unmaintained, unpatched) |
| Third-party APIs | External APIs your code calls | Medium (outbound data exposure, supply-chain dependency) |
| Internal-only APIs | Service-to-service | Often undocumented |
| Mobile/legacy APIs | Older versions still in use | High |
API discovery methods
Traffic analysis
Inspect network flows (deep packet inspection, NDR sensors, mirror/SPAN ports) to identify the HTTP/HTTPS endpoints actually being called. TLS must be terminated or decrypted at the inspection point; otherwise you see hostnames (via SNI) but not methods or paths.
API gateway/proxy logs
If all traffic flows through a gateway, its access logs reveal every endpoint hit (method, path, status, caller). Traffic that bypasses the gateway, such as a service exposed directly on a public IP, is invisible here, which is why gateway logs alone are not sufficient.
Code repository scanning
Static analysis of source code finds endpoint definitions (Express routes, Spring @RequestMapping/@GetMapping annotations, FastAPI decorators), including endpoints that are deployed but never called and would therefore never show up in traffic.
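A minimal version of this repository scan, as an added example (not LoadFocus code and not any vendor's product): it pulls route declarations out of Express, Spring MVC and FastAPI sources, records file and line for ownership follow-up, and renders every path parameter as {id} so routes from different frameworks compare equal. The file contents are constructed, and the regexes are deliberately simple, catching the common declaration forms rather than every way a framework can register a route.

```python
"""Static route discovery across Express, Spring MVC and FastAPI sources.

Added example for this article; not LoadFocus code and not a product.
SAMPLE_FILES below is constructed input standing in for a repository checkout.
"""
import re
from typing import Dict, List, NamedTuple


class Route(NamedTuple):
    method: str
    path: str   # normalized: every path parameter rendered as {id}
    file: str
    line: int


# Express / Koa-router style: app.get('/x', ...), router.post("/y", ...)
JS_ROUTE = re.compile(r'''\b\w+\.(?P<method>get|post|put|patch|delete|all)\(\s*['"](?P<path>/[^'"]*)['"]''')
# FastAPI / Flask-style decorators: @app.get("/x"), @router.delete('/y')
PY_ROUTE = re.compile(r'''@\w+\.(?P<method>get|post|put|patch|delete)\(\s*['"](?P<path>/[^'"]*)['"]''')
# Spring: @GetMapping("/x"), @PostMapping(value = "/y")
JAVA_MAPPING = re.compile(r'@(?P<method>Get|Post|Put|Patch|Delete)Mapping\(\s*(?:(?:value|path)\s*=\s*)?"(?P<path>[^"]*)"')
# Spring: @RequestMapping("/prefix") at class level, or with method = RequestMethod.X
JAVA_REQUEST_MAPPING = re.compile(
    r'@RequestMapping\(\s*(?:(?:value|path)\s*=\s*)?"(?P<path>[^"]*)"'
    r'(?:\s*,\s*method\s*=\s*RequestMethod\.(?P<method>[A-Z]+))?'
)
# Path parameters: Express ":id", Spring/FastAPI "{id}" or "{id:path}"
PARAM_RE = re.compile(r':\w+|\{\w+(?::[^}]*)?\}')

# Constructed sample repository: three services, three frameworks.
SAMPLE_FILES: Dict[str, str] = {
    "services/orders/routes.js": """\
const router = require('express').Router();
router.get('/orders/:orderId', listHandler);
router.post('/orders', requireAuth, createHandler);
app.delete("/admin/orders/:orderId", adminOnly, deleteHandler);
""",
    "services/users/UserController.java": """\
@RestController
@RequestMapping("/v2")
public class UserController {
    @GetMapping("/users/{id}")
    public User get(@PathVariable long id) { return users.find(id); }
    @RequestMapping(value = "/users/{id}/export", method = RequestMethod.POST)
    public Export export(@PathVariable long id) { return exporter.run(id); }
}
""",
    "services/reports/main.py": """\
from fastapi import FastAPI
app = FastAPI()

@app.get("/internal/debug/env")
def debug_env(): ...

@app.post("/reports/{report_id}/share")
def share(report_id: str): ...
""",
}


def normalize_template(path: str) -> str:
    """Render every path parameter as {id} so /orders/:orderId and /orders/{id} are one endpoint."""
    return PARAM_RE.sub("{id}", path)


def scan_source(filename: str, text: str) -> List[Route]:
    """Extract route declarations from one file, choosing the pattern set by extension."""
    routes: List[Route] = []
    prefix = ""  # class-level @RequestMapping prefix (Spring only)
    for lineno, line in enumerate(text.splitlines(), 1):
        if filename.endswith((".js", ".ts")):
            for m in JS_ROUTE.finditer(line):
                routes.append(Route(m["method"].upper(), normalize_template(m["path"]), filename, lineno))
        elif filename.endswith(".py"):
            for m in PY_ROUTE.finditer(line):
                routes.append(Route(m["method"].upper(), normalize_template(m["path"]), filename, lineno))
        elif filename.endswith(".java"):
            for m in JAVA_MAPPING.finditer(line):
                routes.append(Route(m["method"].upper(), normalize_template(prefix + m["path"]), filename, lineno))
            for m in JAVA_REQUEST_MAPPING.finditer(line):
                if m["method"]:
                    routes.append(Route(m["method"], normalize_template(prefix + m["path"]), filename, lineno))
                else:
                    # Heuristic: a @RequestMapping without method= is the controller's path prefix.
                    prefix = m["path"].rstrip("/")
    return routes


def scan_repo(files: Dict[str, str]) -> List[Route]:
    """files maps relative path -> source text; in practice, walk the checkout and read each file."""
    found: List[Route] = []
    for name, text in files.items():
        found.extend(scan_source(name, text))
    return sorted(found)


if __name__ == "__main__":
    for r in scan_repo(SAMPLE_FILES):
        print(f"{r.method:6} {r.path:32} {r.file}:{r.line}")
```

The output is a list of method/path pairs with provenance, which is exactly what a catalog import or an ownership assignment needs. Routes registered dynamically (a loop over a config table, a plugin that mounts its own router, a mesh sidecar) will not match these patterns, which is the gap traffic analysis fills.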
Cloud / Kubernetes inventory
Cloud provider and Kubernetes control-plane APIs enumerate the resources that expose endpoints (Lambda functions, API Gateway or Application Gateway routes, Kubernetes Services and Ingress objects). This finds what is deployed regardless of whether anyone calls it.
OpenAPI / spec aggregation
Pull each service's OpenAPI/Swagger document and aggregate them into a central catalog. This only covers services that publish a spec, and only as accurately as the spec is maintained, so it must be cross-checked against traffic.
Browser/client telemetry
Real user monitoring (RUM) in the frontend records every API call the browser or mobile client makes; aggregating those calls yields the endpoint list the client actually depends on.
API discovery tools
| Tool | Approach | Best for |
|---|---|---|
| Salt Security | Traffic analysis + ML | Enterprise security |
| Noname Security | Traffic + posture management | Enterprise security |
| Wallarm | Inline inspection + discovery | API security platforms |
| 42Crunch | OpenAPI-first audit | API security testing |
| Postman | Catalog + manual import | Dev workflow |
| SwaggerHub / Stoplight | Spec-driven catalog | API governance |
| Kong API Gateway | Gateway-level inventory | Apps already on Kong |
| Datadog API Catalog | Telemetry-driven | Datadog customers |
API discovery best practices
- Continuous, not point-in-time. Inventory drifts within days; discovery should be ongoing.
- Combine methods. Traffic + repo scan + gateway logs catch different APIs.
- Tag by risk. Internet-facing ranks above internal; endpoints that handle PII or perform writes rank above read-only ones.
- Auto-import to catalog. New APIs appear in inventory without manual work.
- Detect changes. Alert on new endpoints, schema changes, auth changes.
- Cross-reference with security. Newly discovered API → automatic security scan.
- Define ownership. Every API needs an owning team.
- Sunset zombies. Discovery finds them; process kills them.
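The gateway-log and spec-aggregation methods above, combined into the cross-check that the "Combine methods", "Detect changes" and "Sunset zombies" practices call for, as an added example (not LoadFocus code or any vendor's product). It parses combined-format access logs into a normalized endpoint inventory, then diffs that inventory against an OpenAPI paths object to bucket endpoints as documented, shadow (traffic but no spec), zombie (deprecated in the spec but still receiving traffic) or dormant (in the spec, no traffic). The log lines, the spec and the ID patterns are constructed for the example:

```python
"""Endpoint inventory from gateway access logs, diffed against an OpenAPI spec.

Added example for this article; not LoadFocus code and not a product.
SAMPLE_LOG and SPEC are constructed inputs; LOG_RE assumes nginx/Kong-style
combined-format access logs and should be adjusted to your gateway's format.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Endpoint = Tuple[str, str]  # (METHOD, normalized path)

# Constructed sample: successful calls to v2, one call to deprecated v1,
# one hit on an undocumented debug endpoint, and one 404 from a scanner.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2024:10:01:02 +0000] "GET /v2/users/1842 HTTP/1.1" 200 512
10.0.0.6 - - [02/May/2024:10:01:03 +0000] "GET /v2/users/99/orders?page=2 HTTP/1.1" 200 2048
10.0.0.7 - - [02/May/2024:10:01:04 +0000] "POST /v2/orders HTTP/1.1" 201 77
10.0.0.8 - - [02/May/2024:10:01:05 +0000] "GET /v1/users/77 HTTP/1.1" 200 510
10.0.0.9 - - [02/May/2024:10:01:06 +0000] "GET /internal/debug/env HTTP/1.1" 200 4096
10.0.0.9 - - [02/May/2024:10:01:07 +0000] "GET /v2/users/550e8400-e29b-41d4-a716-446655440000 HTTP/1.1" 200 511
10.0.0.3 - - [02/May/2024:10:01:08 +0000] "GET /wp-admin HTTP/1.1" 404 0
"""

# Constructed OpenAPI fragment: what the catalog claims exists.
SPEC = {
    "paths": {
        "/v2/users/{id}": {"get": {}},
        "/v2/users/{id}/orders": {"get": {}},
        "/v2/orders": {"post": {}},
        "/v2/reports": {"get": {}},                         # documented, never called
        "/v1/users/{id}": {"get": {"deprecated": True}},    # deprecated, still called
    }
}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NUM_RE = re.compile(r"^\d+$")


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric/UUID segments to {id},
    so /users/1 and /users/2 count as one endpoint."""
    path = path.split("?", 1)[0]
    parts = ["{id}" if NUM_RE.match(p) or UUID_RE.match(p) else p for p in path.split("/")]
    return "/".join(parts) or "/"


def observed_endpoints(log_text: str) -> Counter:
    """Count (METHOD, path) for 2xx/3xx responses. 4xx/5xx are excluded so scanner
    probes (e.g. /wp-admin) do not pollute the inventory; track them separately."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["status"][0] in "23":
            counts[(m["method"], normalize_path(m["path"]))] += 1
    return counts


def spec_endpoints(spec: dict) -> Dict[Endpoint, dict]:
    """Flatten an OpenAPI paths object into {(METHOD, path): operation}."""
    return {(method.upper(), path): op
            for path, ops in spec["paths"].items()
            for method, op in ops.items()}


def classify(observed: Counter, spec: dict) -> Dict[str, List[Endpoint]]:
    """Bucket endpoints: documented, shadow, zombie, dormant. Run this on every
    inventory snapshot and alert when the shadow or zombie buckets gain members."""
    known = spec_endpoints(spec)
    return {
        "documented": sorted(ep for ep in observed if ep in known and not known[ep].get("deprecated")),
        "shadow": sorted(ep for ep in observed if ep not in known),
        "zombie": sorted(ep for ep in observed if ep in known and known[ep].get("deprecated")),
        "dormant": sorted(ep for ep in known if ep not in observed),
    }


if __name__ == "__main__":
    report = classify(observed_endpoints(SAMPLE_LOG), SPEC)
    for bucket, eps in report.items():
        print(f"{bucket}:")
        for method, path in eps:
            print(f"  {method} {path}")
```

Shadow entries go to a security scan and an ownership lookup; zombie entries get a sunset date and a client migration list; dormant entries are candidates for removal from both the spec and the deployment. A single snapshot is a point-in-time result, so schedule the run and diff consecutive reports.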
Common API discovery pitfalls
- One-time discovery. Inventory immediately stale. Make it continuous.
- Single-method discovery. Traffic-only misses endpoints that are deployed but not currently being called (which is exactly where zombies hide); repo scanning misses routes registered at runtime, sidecars and anything outside the repositories you scan.
- No follow-through. Discovered shadow APIs sit on a list with no remediation.
- Ignoring third-party. Discovery often focuses on yours; misses outbound calls to external APIs.
- Missing internal/east-west traffic. Service-mesh internal calls get overlooked.
- No data classification. 1000 APIs in inventory but no idea which handle PII.
FAQ: API discovery
Why isn't documenting APIs enough?
Documentation drifts; people skip steps; shadow APIs never get documented. Discovery is the safety net.
What's a shadow API?
An API built and deployed without going through your official process — unknown to security/IT. Discovery finds them.
What's a zombie API?
An API officially deprecated but still receiving traffic. Often an old version that clients haven't migrated from.
How is API discovery different from API catalog?
Discovery = finding what exists. Catalog = a curated list. Discovery feeds the catalog.
Can a CDN discover APIs?
If all API traffic goes through the CDN, yes. Cloudflare API Shield, for example, builds an endpoint inventory from observed traffic. AWS API Gateway is a gateway rather than a CDN, but its route configuration and access logs serve the same purpose for the traffic it fronts.
Is API discovery a security tool?
Often. Many discovery tools (Salt, Noname, Wallarm) bundle discovery with API security testing + runtime protection.
How often should I run discovery?
Continuously if possible. Otherwise daily/weekly. Manual quarterly = guaranteed gaps.
Test discovered APIs at scale with LoadFocus
Once you've discovered your APIs, validate they perform under load. LoadFocus runs JMeter and k6 scripts from 25+ regions against any API. Sign up free at loadfocus.com/signup.