What is API Discovery? Definition, Tools, Security
API discovery is the process of finding, cataloging, and continuously monitoring all APIs across your environment, including shadow and zombie APIs.
What is API discovery?
API discovery is the practice of finding, cataloging, and continuously inventorying every API running across your environment: known APIs, shadow APIs (built without security/IT awareness), zombie APIs (deprecated but still live), and the third-party APIs your code consumes. The goal is a complete, current inventory so you can secure, govern, monitor, and optimize what you actually have.
API discovery has become critical because the number of APIs has exploded. Postman's 2024 survey found organizations average 600+ APIs, with the top quartile exceeding 1,500. Most organizations have fewer than half of these documented.
Why API discovery matters
- Security. You can't protect what you don't know about. Shadow APIs are a top breach vector.
- Compliance. GDPR/HIPAA require knowing what data is exposed where.
- Cost. Unused/zombie APIs still cost compute, storage, third-party fees.
- Documentation. Discovery surfaces undocumented APIs for catalog inclusion.
- Performance. Find degraded APIs before users do.
- M&A integration. An acquired company brings an unknown number of APIs; discovery tells you what they are.
Types of APIs to discover
| Type | Description | Risk |
|---|---|---|
| Documented APIs | Officially in catalog/portal | Lowest |
| Shadow APIs | Built outside official process | High (no security review) |
| Zombie APIs | Deprecated but still live | High (unmaintained, unpatched) |
| Third-party APIs | External APIs your code calls | Medium (data leak risk) |
| Internal-only APIs | Service-to-service | Often undocumented |
| Mobile/legacy APIs | Older versions still in use | High |
API discovery methods
Traffic analysis
Inspect network flows (DPI, NDR, mirror ports) to identify HTTP/HTTPS endpoints actually being called.
API gateway/proxy logs
If all traffic flows through a gateway, logs reveal every endpoint hit.
Code repository scanning
Static analysis of code finds endpoint definitions (Express routes, Spring annotations, FastAPI decorators).
Cloud / Kubernetes inventory
Cloud APIs list resources (Lambda functions, App Gateway routes, K8s Services with annotations).
OpenAPI / spec aggregation
Pull OpenAPI/Swagger from each service; aggregate into central catalog.
Browser/client telemetry
Frontend real-user monitoring (RUM) logs every API call the client makes; aggregate those calls into an endpoint list.
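The gateway-log method above, together with the shadow/zombie distinction from the types table, can be reduced to a short inventory job. The following is an added example written for this page, not code from LoadFocus or any vendor listed below; the log format, the spec entries and the host names are all constructed, and the `{id}` normalization is a simplifying assumption (real gateways emit richer records and real specs come from OpenAPI files).

```python
"""
Added example: build an API inventory from gateway access-log lines and classify
each endpoint against the catalog's spec. Everything here (log lines, spec,
upstream names) is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed gateway log: "<method> <path> <status> <upstream>" per line.
GATEWAY_LOG = """\
GET /api/v2/users/1842 200 users-svc
POST /api/v2/orders 201 orders-svc
GET /api/v1/users/77 200 users-svc
GET /api/v2/users/9b1e2c7a-4f3d-4c8e-9a11-2f6d8c0e1b55/profile 200 users-svc
DELETE /internal/export/users 200 users-svc
GET /api/v2/orders/5510?expand=items 200 orders-svc
POST /api/v2/payments 502 payments-svc
GET /api/v2/users/1842 200 users-svc
"""

# Constructed catalog spec keyed by (method, path template). "deprecated"
# mirrors the OpenAPI operation-level flag.
SPEC = {
    ("GET", "/api/v2/users/{id}"): {"deprecated": False, "owner": "identity"},
    ("GET", "/api/v2/users/{id}/profile"): {"deprecated": False, "owner": "identity"},
    ("GET", "/api/v1/users/{id}"): {"deprecated": True, "owner": "identity"},
    ("POST", "/api/v2/orders"): {"deprecated": False, "owner": "commerce"},
    ("GET", "/api/v2/orders/{id}"): {"deprecated": False, "owner": "commerce"},
    ("POST", "/api/v2/payments"): {"deprecated": False, "owner": "payments"},
    ("GET", "/api/v2/reports"): {"deprecated": False, "owner": "analytics"},
}

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<upstream>\S+)$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric/UUID segments to {id}, so
    /users/1 and /users/2 count as one endpoint instead of one per record."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def build_inventory(log_text: str) -> dict:
    """Return {(method, template): {"hits": n, "upstreams": set, "errors": n}}."""
    inv = defaultdict(lambda: {"hits": 0, "upstreams": set(), "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        entry = inv[(m["method"], normalize_path(m["path"]))]
        entry["hits"] += 1
        entry["upstreams"].add(m["upstream"])
        if int(m["status"]) >= 500:
            entry["errors"] += 1
    return dict(inv)


def classify(inventory: dict, spec: dict) -> dict:
    """Bucket endpoints: documented, shadow (seen in traffic, absent from spec),
    zombie (deprecated in spec, still receiving traffic), unused (in spec,
    no traffic in this window)."""
    result = {"documented": [], "shadow": [], "zombie": [], "unused": []}
    for key in inventory:
        if key not in spec:
            result["shadow"].append(key)
        elif spec[key]["deprecated"]:
            result["zombie"].append(key)
        else:
            result["documented"].append(key)
    result["unused"] = [key for key in spec if key not in inventory]
    for bucket in result.values():
        bucket.sort()
    return result


if __name__ == "__main__":
    inventory = build_inventory(GATEWAY_LOG)
    for bucket, keys in classify(inventory, SPEC).items():
        for method, path in keys:
            hits = inventory.get((method, path), {}).get("hits", 0)
            print(f"{bucket:10} {method:6} {path}  hits={hits}")
```

The "unused" bucket is the traffic-only blind spot called out under pitfalls: an endpoint that is deployed but never called shows up here, not in the log, which is why a repo scan or spec aggregation has to be run alongside traffic analysis.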
API discovery tools
| Tool | Approach | Best for |
|---|---|---|
| Salt Security | Traffic analysis + ML | Enterprise security |
| Noname Security | Traffic + posture management | Enterprise security |
| Wallarm | Inline inspection + discovery | API security platforms |
| 42Crunch | OpenAPI-first audit | API security testing |
| Postman | Catalog + manual import | Dev workflow |
| SwaggerHub / Stoplight | Spec-driven catalog | API governance |
| Kong API Gateway | Gateway-level inventory | Apps already on Kong |
| Datadog API Catalog | Telemetry-driven | Datadog customers |
API discovery best practices
- Continuous, not point-in-time. Inventory drifts within days; discovery should be ongoing.
- Combine methods. Traffic + repo scan + gateway logs catch different APIs.
- Tag by risk. Internet-facing > internal; PII-handling > read-only.
- Auto-import to catalog. New APIs appear in inventory without manual work.
- Detect changes. Alert on new endpoints, schema changes, auth changes.
- Cross-reference with security. A newly discovered API triggers an automatic security scan.
- Define ownership. Every API needs an owning team.
- Sunset zombies. Discovery finds them; process kills them.
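The "tag by risk", "detect changes" and "define ownership" practices above combine naturally into one check that diffs two inventory snapshots. The block below is an added example for this page, not LoadFocus or vendor code; the snapshot shape (an `Endpoint` record with auth mode, schema hash, exposure, data class and owner) and the severity scoring are assumptions made for illustration, and both snapshots are constructed.

```python
"""
Added example: compare yesterday's and today's API inventory snapshots, emit
alerts for new, removed, auth-changed, schema-changed and unowned endpoints,
and rank them by exposure and data sensitivity. All records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (method, path template)


@dataclass(frozen=True)
class Endpoint:
    auth: str             # "bearer", "api-key", or "none"
    schema_hash: str      # digest of the request/response schema (constructed)
    exposure: str         # "internet" or "internal"
    data: str             # "pii", "financial", or "public"
    owner: Optional[str]  # owning team, None if nobody has claimed it


# Constructed snapshots. Today: users/{id} lost its auth, orders changed
# schema, v1 users was retired, and an unowned internal export appeared.
YESTERDAY: Dict[Key, Endpoint] = {
    ("GET", "/api/v2/users/{id}"): Endpoint("bearer", "a1", "internet", "pii", "identity"),
    ("POST", "/api/v2/orders"): Endpoint("bearer", "b1", "internet", "financial", "commerce"),
    ("GET", "/api/v2/health"): Endpoint("none", "c1", "internet", "public", "platform"),
    ("GET", "/api/v1/users/{id}"): Endpoint("bearer", "d1", "internet", "pii", "identity"),
}
TODAY: Dict[Key, Endpoint] = {
    ("GET", "/api/v2/users/{id}"): Endpoint("none", "a1", "internet", "pii", "identity"),
    ("POST", "/api/v2/orders"): Endpoint("bearer", "b2", "internet", "financial", "commerce"),
    ("GET", "/api/v2/health"): Endpoint("none", "c1", "internet", "public", "platform"),
    ("GET", "/internal/export/users"): Endpoint("api-key", "e1", "internal", "pii", None),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SENSITIVE = {"pii", "financial"}


def risk_tier(ep: Endpoint) -> str:
    """Internet-facing outranks internal; sensitive data outranks public.
    Score 3 -> critical, 2 -> high, 1 -> medium, 0 -> low (assumed scheme)."""
    score = (2 if ep.exposure == "internet" else 0) + (1 if ep.data in SENSITIVE else 0)
    return ["low", "medium", "high", "critical"][score]


def diff_snapshots(old: Dict[Key, Endpoint], new: Dict[Key, Endpoint]) -> List[dict]:
    """Return alerts sorted by severity, then endpoint, then kind."""
    alerts: List[dict] = []

    def add(kind: str, key: Key, severity: str, detail: str) -> None:
        alerts.append({"kind": kind, "endpoint": key, "severity": severity, "detail": detail})

    for key in set(old) | set(new):
        o, n = old.get(key), new.get(key)
        if o is None:
            add("NEW_ENDPOINT", key, risk_tier(n), f"first seen; auth={n.auth}")
        elif n is None:
            add("REMOVED_ENDPOINT", key, "low", "no longer in inventory")
        else:
            if o.auth != n.auth:
                # Auth dropping to nothing is always critical, whatever the tier.
                sev = "critical" if n.auth == "none" else risk_tier(n)
                add("AUTH_CHANGED", key, sev, f"{o.auth} -> {n.auth}")
            if o.schema_hash != n.schema_hash:
                add("SCHEMA_CHANGED", key, risk_tier(n), f"{o.schema_hash} -> {n.schema_hash}")

    for key, ep in new.items():
        if ep.owner is None:
            add("NO_OWNER", key, "medium", "no owning team assigned")

    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["endpoint"], a["kind"]))
    return alerts


if __name__ == "__main__":
    for a in diff_snapshots(YESTERDAY, TODAY):
        print(f"[{a['severity']:8}] {a['kind']:16} {a['endpoint'][0]} {a['endpoint'][1]}: {a['detail']}")
```

Running this daily against the previous run's snapshot is the minimum that makes discovery continuous rather than point-in-time; the sorted output is what an on-call engineer would actually want to page on, with the auth regression on a PII endpoint at the top.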
Common API discovery pitfalls
- One-time discovery. Inventory immediately stale. Make it continuous.
- Single-method discovery. Traffic-only misses endpoints that are deployed but not yet called; repo scanning misses endpoints registered at runtime.
- No follow-through. Discovered shadow APIs sit on a list with no remediation.
- Ignoring third-party. Discovery often focuses on yours; misses outbound calls to external APIs.
- Missing internal/east-west traffic. Service-mesh internal calls get overlooked.
- No data classification. 1,000 APIs in inventory but no idea which of them handle PII.
FAQ: API discovery
Why isn't documenting APIs enough?
Documentation drifts; people skip steps; shadow APIs never get documented. Discovery is the safety net.
What's a shadow API?
An API built and deployed without going through your official process, unknown to security/IT. Discovery finds them.
What's a zombie API?
An API officially deprecated but still receiving traffic. Often an old version that clients haven't migrated from.
How is API discovery different from API catalog?
Discovery = finding what exists. Catalog = a curated list. Discovery feeds the catalog.
Can a CDN discover APIs?
If all API traffic goes through the CDN, yes. Cloudflare API Shield and AWS API Gateway both surface inventory from observed traffic.
Is API discovery a security tool?
Often. Many discovery tools (Salt, Noname, Wallarm) bundle discovery with API security testing + runtime protection.
How often should I run discovery?
Continuously if possible. Otherwise daily or weekly. A manual quarterly review guarantees gaps.
Test discovered APIs at scale with LoadFocus
Once you've discovered your APIs, validate they perform under load. LoadFocus runs JMeter and k6 scripts from 25+ regions against any API. Sign up free at loadfocus.com/signup.