Availability

Package: Invicti AppSec Core (on-demand)

API discovery sources overview

Your APIs are scattered across multiple systems - managed platforms, internal microservices, and live network traffic. Setting up API sources in Invicti AppSec Core lets you discover and import specifications from all of these automatically, so your API catalog stays current without manual effort.

This document provides links to setup instructions for each available API source and explains how to sync, edit, and delete sources, and what the different source statuses mean.

Why this matters

Without configured API sources, your API catalog only reflects what you add manually. Each source you set up extends your discovery coverage - so fewer APIs go unscanned and unknown.

Set up API source integrations

The Discovery > API sources page is where you can enable Zero Configuration and Sensorless API discovery, set up the Invicti Network Traffic Analyzer (NTA) in your environment, and add API management integrations. The NTA and each API management integration require some initial configuration before they can start synchronizing your OpenAPI3 and Swagger2 specs.

The following sources are available for discovering or importing API specs to your API catalog. Refer to the specific documentation linked below for setup instructions.

Zero configuration discovery

Sensorless API discovery

Invicti network traffic analyzer (NTA)

Amazon API Gateway

Apigee API Hub

Azure API Management

Kong Konnect

Kong API Gateway

NTA with NGINX

NTA with F5 BIG-IP iRule

MuleSoft Anypoint Exchange

Manual upload

Tip: API discovery and the API catalog are complementary views. API discovery shows APIs added and awaiting target assignment, while the API catalog shows APIs already linked to targets and ready for scanning.

Sync, edit, and delete API sources

After setting up an API source and running the initial synchronization, your retrieved API specs load into your API catalog and sync automatically every 24 hours. To turn off automatic synchronization, go to Discovery > API sources and click the Auto sync toggle next to the relevant API source.

To run a manual sync, edit, or delete an API source:

  1. Select Discovery > API sources from the left-side menu.

  2. Locate the API source you want to manage, then click the relevant icon on the right:

    • Sync: A manual sync of the source begins immediately.
    • Edit: Change the name or source type.
    • Delete: This removes the integration, but any already discovered APIs remain in your API catalog.

What do the different statuses mean?

For each external source you've set up, the Status column on the API sources page shows the current synchronization state or flags a problem with the integration. The following statuses are possible:

  • Sync completed: The most recent synchronization with the source completed successfully. The Last sync column displays the date and time of the successful sync.
  • Sync failed: Mouse over the alert icon in the Last sync column for information about why the last sync failed.
  • Sync in progress: A temporary state indicating that synchronization has started but hasn't completed yet.
  • Token expired: Applies only to the Invicti NTA when the registration token has expired. Registration tokens are valid for 48 hours. To resolve this, generate a new registration token and update your NTA installation with it.
  • Offline: Applies only to the Invicti NTA when there's been no response for some time. Check your NTA setup and its network connectivity to Invicti servers.
  • Awaiting setup: Applies only to the Invicti NTA when it's waiting for the first heartbeat or specification sync.
  • Awaiting for sync: Indicates that the NTA has successfully registered and sent a live heartbeat. When the first APIs are discovered, the specs are sent to the API catalog and the status changes to Sync completed. This status appears only after the initial setup of the NTA.

Troubleshooting

Sync failed

Mouse over the alert icon in the Last sync column for the error detail. Common causes are expired credentials, revoked API tokens, or a permissions change on the source platform. Update the integration credentials and trigger a manual sync to confirm the issue is resolved.

Specs not appearing after a successful sync

If a sync completes but no specs appear in your API catalog, verify that the source is returning OpenAPI3 or Swagger2 specifications. Formats outside these aren't imported automatically.
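
A local pre-check for this case, as an added example that is not Invicti code: it reads the top-level `openapi` or `swagger` field of an exported spec and reports whether the document is OpenAPI 3.x or Swagger 2.0. The function names and sample documents are constructed for illustration, treating every 3.x version as OpenAPI3 is an assumption, and the YAML path is a heuristic that reads only unindented keys.

```python
import json
import re

# Top-level YAML key such as `openapi: 3.0.3` or `swagger: "2.0"` (no indentation).
_YAML_KEY = re.compile(r'^(openapi|swagger)\s*:\s*["\']?([0-9][0-9.]*)', re.MULTILINE)


def spec_version_fields(text):
    """Return the top-level `openapi` and `swagger` values of a JSON or YAML document."""
    try:
        doc = json.loads(text)
    except ValueError:
        # Not JSON: treat as YAML and read only unindented version keys (heuristic).
        return {key: ver for key, ver in _YAML_KEY.findall(text)}
    if not isinstance(doc, dict):
        return {}
    return {k: str(doc[k]) for k in ("openapi", "swagger") if k in doc}


def classify_spec(text):
    """Classify a document as 'openapi3', 'swagger2', or 'unsupported: <reason>'."""
    if text.lstrip().startswith("#%RAML"):
        return "unsupported: RAML document"
    fields = spec_version_fields(text)
    # Assumption: any 3.x version counts as OpenAPI3 for import purposes.
    if fields.get("openapi", "").startswith("3."):
        return "openapi3"
    if fields.get("swagger") == "2.0":
        return "swagger2"
    if fields:
        return "unsupported: version " + ", ".join(f"{k}={v}" for k, v in fields.items())
    return "unsupported: no top-level openapi or swagger field"


# Constructed sample documents, not taken from any real API source.
SAMPLES = {
    "orders.json": '{"openapi": "3.0.3", "info": {"title": "Orders", "version": "1"}, "paths": {}}',
    "legacy.yaml": 'swagger: "2.0"\ninfo:\n  title: Legacy\n  version: "1"\npaths: {}\n',
    "billing.raml": "#%RAML 1.0\ntitle: Billing\n",
    "old.json": '{"swagger": "1.2", "apis": []}',
    "collection.json": '{"info": {"name": "Postman export"}, "item": []}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify_spec(body)}")
```

Run it against the files the source platform actually exports; anything reported as unsupported matches the formats this section says aren't imported automatically.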

