API discovery is the process of identifying and cataloging all the APIs an organization uses—both internal and third party—and documenting API functions, endpoints, data structures and other relevant information.

API discovery creates an inventory of the application programming interfaces (APIs) in use, what they do, who has access permissions and much more. It can also help discover any hidden or forgotten APIs—important for mitigating security risks.

APIs are a vital part of modern software development and provide a two-way exchange: they enable developers and applications to request data, add services and capitalize on capabilities from other applications, while also giving application owners a way to share, publicize and market their products. With this essential functionality comes added complexity and vulnerabilities.

API management is crucial to securing these vulnerabilities and making sure that an API ecosystem operates as intended. It’s important to know exactly how many, what type and how popular APIs are, for the sake of API security, authentication, efficiency, protection of sensitive data and maintaining an overall vision of how a given application is being used. But how does an application owner discover all this information? That’s where API discovery comes in.

APIs or application programming interfaces are sets of rules and protocols that enable applications and services to communicate with each other. They are essentially the middlemen that enable applications to pull data in real-time from all sorts of different sources. APIs provide the weather data in weather apps, accelerated checkouts on shopping apps and maps on a restaurant’s website among many other use cases. In the enterprise, APIs are used to integrate workflows and platforms, connect microservices, facilitate asset sharing, make applications available to third-party users and much more.

Given the sheer number of applications modern enterprises use, averaging over a thousand according to a Salesforce survey, it’s important for organizations to have a strong API discovery practice. API discovery refers to the process of finding both documented and hidden APIs, creating directories and compiling an inventory of discovered APIs. There are many reasons why API discovery is so important, both because of the benefits it can deliver and the possible impacts on application security that neglecting this process can have. API discovery is a vital part of assembling thorough and complete API documentation.

Redundancy—the creation of multiple instances of the same or similar features that clutter up documentation—can severely impact development processes by reducing efficiency and productivity. In short, creating a new API that isn’t actually new can waste time and resources. Proper API discovery and API documentation can reduce the chance of API redundancy. If it’s easy to find documentation for a wheel, there’s no need to reinvent it.

By using API discovery tools to discover APIs and produce solid API documentation, developers can better understand which existing applications and services (both internal and external) they can access and integrate. By using preexisting services and functions, developers can accelerate production, expand application capabilities and reduce time to market.

API discovery enables the creation of an API inventory that helps developers both locate and use existing services. This has the added benefit of encouraging developers to integrate an application’s data and services by providing a menu of options.

API discovery and the consistent maintenance of an API catalog, enables teams to quickly and easily find APIs that exist. This can improve efficiency, reduce unnecessary work and even improve workflow by alerting developers to capabilities they may not have realized.

Maintaining an up-to-date API catalog is a great way to monitor who has access to sensitive data such as user information and API keys. By using API discovery to find all APIs that access sensitive data, an application owner can more easily monitor who has access to what and make sure that APIs and applications adhere to all applicable laws and guidelines. This is especially vital given the prevalence of shadow APIs.

API discovery involves the uncovering of many different details about APIs—the type of APIs, what they do, what data they have access to and much more—that help developers identify and better understand the APIs an organization uses. API discovery produces information about APIs, including:

Protocol, architecture and supported data formats: The discovery process helps document what protocol or architecture APIs use (such as REST, GraphQL, SOAP or RPC) and what data formats they accept (such as JSON, XML and YAML.)

API endpoints: These are the location of a particular store of data or  service, usually represented as a URL.

Authentication: APIs are often secured so that only recognized clients, projects and users can access them. API discovery helps uncover authentication specifications.

Methods and parameters: API discovery uncovers supported actions such as GET, PUT, DELETE and POST and the parameters the API accepts.

API discovery can play a major role in strengthening API security. Proper API documentation and API management gives application owners a comprehensive view of API usage, which can make it easier to discover security vulnerabilities. In turn, an application owner or developer can then fix any potential issues.

One of the most important ways API discovery contributes to API security is by locating hidden APIs.

The term “hidden” is not exactly accurate, inasmuch as a hidden API is not necessarily malevolent. Instead, “hidden API” refers to APIs that are undocumented and not included in the API documentation. There are plenty of hidden APIs that are perfectly innocuous, such as infinite scrolling features or many autocomplete features in web application text fields.

That said, even innocuous hidden APIs can provide potential headaches for security teams. Hidden APIs, being excluded from security solutions, won’t be subject to an application owner’s usual slate of regulatory and security measures such as firewalls. There are many different types of hidden APIs, ranging from merely forgotten to actively harmful, which is why the API discovery process is so important.

While not necessarily malicious, shadow APIs are defined as APIs that are neither managed nor secured by the entity using them. Without API visibility, these exist outside the scope of security of an enterprise and they’re vulnerable to attack.

A 2022 report found that about 31% of malicious transactions targeted shadow APIs, making them a notable security risk. API attacks aimed at shadow APIs have the potential to put sensitive data such as user information or proprietary knowledge at risk, making cybersecurity a huge reason to use good API discovery techniques. Security teams are also not able to provide security patches to APIs they don’t know about, meaning that shadow APIs can have vulnerabilities unknown to all but clever hackers. These can expand the attack surface, or avenues available to bad actors.

Shadow APIs arise from all sorts of errors, mistakes and sloppiness in security policy. Some developers might simply forget, or not care enough, to use proper API documentation. Sometimes older APIs are removed from documentation although they still exist. Company mergers are also notorious for producing lots of shadow APIs. Sometimes developers create shadow APIs for testing purposes, or for very small bespoke use cases and don’t bother to alert security teams to their presence.

One slightly different type of hidden API is the zombie API, which is an API that has been forgotten but not erased. Zombie APIs might have been properly secured and maintained at some point, but have since been left to languish, perhaps unknown even to the application owner who created it. Zombie APIs are typically not updated or patched, but still provide a somewhat hidden door to some part of the application’s system.

The terminology for rogue APIs can vary from organization to organization; some use “shadow API” and “rogue API” interchangeably, while others use “rogue API” to refer to APIs that are deliberately malicious.

Successful API discovery practices are consistent, well-documented and standardized. Following these principles can help developers—internal and external, today and in the future—make efficient and secure use of APIs.

Standardization: The use of standard specifications and protocols such as OpenAPI Specification (OAS), REST and GraphQL can improve API discovery and API compatibility and help consumers gain a quick understanding of the APIs.

Documentation: APIs with strong, standardized documentation are more easily discoverable, which can pay dividends in integration, collaboration and management. The better the documentation, the more APIs can be used and improved.

Consistency: Regularly performing API discovery is important, as APIs are continually added, updated and retired; this is not a one-time task. Automated systems can make this easier, but regular manual discovery is also effective.

There are many different API discovery tools, ranging from manual API discovery tools to tools that rely on full automation. There are strengths and weaknesses to each.

Many developers have engaged in some form of manual API discovery. This can involve poring through source codes or monitoring real-time API traffic in search of anomalies. These manual methods can, if a security team knows exactly what it’s looking for, be quicker and more direct than automated methods. But in general, manual API discovery is slower, less efficient, inclined to miss more subtle hidden APIs and might require more advanced know-how.

There are many specialized, automated API discovery tools. An API gateway, for example, is a centralized “middleman” that receives and directs API calls. Gateways help catalog and monitor APIs and typically do a lot of the API discovery lift as part of their job.

There are other specialized API protection services that provide automatic API discovery. When looking for a such a service, it’s common to seek a provider that offers a robust security posture, compliance with well-known standards (such as the OpenAPI specification, preventing falling victim to the OWASP top 10 API security risks) and easy integration with an organization’s platform.

Automation can make improving an API’s lifecycle much more efficient and make sure that only secure APIs have access to software applications and associated resources.