
Link or unlink discovered APIs to targets

This document is for Invicti Platform

Feature availability

This feature is available with Invicti API Security Standalone or Bundle.

Associating your discovered and imported APIs with targets enables you to scan those APIs for vulnerabilities. Whenever the target is scanned, the linked API is also scanned automatically. This guide shows you how to link and unlink APIs with targets from your API Discovery in Invicti Platform.

Access requirements

Access to API Security in Invicti Platform requires an Administrator, Owner, Security Analyst, or Security Manager role, or a custom role with the API Security permission.

Once you have some APIs in your API Discovery, you can link each API to an existing target or create a new target to link to if the API base URL is not yet set up as a target in Invicti Platform.

URL requirements

When linking an API to a target, the API base URL must be a subset of the target URL.

  • For example, if www.example.com is the target URL you are linking to, then the base URL for the API needs to be www.example.com/api/v1.
  • When the API base URL is different from the target URL, a new target needs to be added.
  • For example, if the API base URL is api.example.com and your target URL is www.example.com, then you would need to add a new target for api.example.com.
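To triage a larger inventory before linking, the URL rule above can be checked offline. This is an added example, not Invicti code: it assumes "subset" means the same host with the target path as a segment prefix, ignores scheme and port, and all function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample inventory (not real data).
SAMPLE_TARGETS = ["www.example.com"]
SAMPLE_APIS = [
    "www.example.com/api/v1",
    "WWW.Example.com/api/v2/",
    "api.example.com",
    "www.example.com.other.test/api",  # lookalike host, must not match
]

def _parts(url):
    """Return (lowercased host, list of path segments) for a URL."""
    if "://" not in url:          # the page's examples omit the scheme
        url = "//" + url
    split = urlsplit(url)
    return (split.hostname or "").lower(), [s for s in split.path.split("/") if s]

def falls_under(api_base_url, target_url):
    """Assumed rule: same host, and the target path is a segment prefix."""
    api_host, api_segs = _parts(api_base_url)
    tgt_host, tgt_segs = _parts(target_url)
    if not api_host or api_host != tgt_host:
        return False
    return api_segs[:len(tgt_segs)] == tgt_segs

def plan_links(api_base_urls, target_urls):
    """Map each API base URL to ("link", target) or ("create", host)."""
    plan = {}
    for api in api_base_urls:
        matches = [t for t in target_urls if falls_under(api, t)]
        if matches:
            # Prefer the most specific target (longest path).
            plan[api] = ("link", max(matches, key=lambda t: len(_parts(t)[1])))
        else:
            plan[api] = ("create", _parts(api)[0])
    return plan

def new_fqdns(plan):
    """Distinct hosts needing a new target; each one uses an FQDN license."""
    return sorted({value for action, value in plan.values() if action == "create"})

if __name__ == "__main__":
    plan = plan_links(SAMPLE_APIS, SAMPLE_TARGETS)
    for api, (action, value) in plan.items():
        print(f"{api:35} {action:6} {value}")
    print("New targets (FQDN licenses) needed:", len(new_fqdns(plan)))
```

Comparing parsed hosts rather than raw string prefixes keeps a lookalike host such as www.example.com.other.test from being treated as part of the www.example.com target.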

To link an API from your API Discovery to a target, follow these steps:

  1. Select Discovery > API Discovery from the left-side menu.
  2. Locate the API you want to link and select Link or Create.
API Discovery page showing Link or Create options for discovered APIs
  • Link—Select an existing target from the list if you already have a target that matches your API base URL.
  • Create—This option takes you to the Create target page. If you need help with creating a target, refer to the linked document. Create the target and come back to this page to complete the linking of the target to an API.

License usage

Adding a target uses one of your available FQDNs (licenses).

  3. Click Link to open the Link target dialog.
Link target dialog showing dropdown menus for target and API base URL selection
  4. Using the dropdown menus, select the target and API base URL, then click Link target.
Link target dialog showing API Base URL

The name of the linked target is now displayed in the Target column of the API Discovery. The next time the linked target is scanned, the associated API specification is also scanned automatically.

Vulnerability identification

After scanning a target that is linked to an API, the Vulnerabilities tab on the Scans > All scans > Scan details page indicates which vulnerabilities are from the scanned API by placing an "API" tag next to the vulnerability name.

To unlink an API from a target, follow these steps:

  1. Select Inventory > API catalog from the left-side menu.
  2. Locate the API you want to unlink, click the three-dot menu (⋮) on the right, and select Unlink target.
API catalog showing three-dot menu with Unlink target option
  3. Click Unlink target to confirm the action.
Unlink target option confirmation dialog box

The API is no longer linked to a target and cannot be scanned unless you link it to a target again. Any previously identified vulnerabilities related to the API are no longer shown in the API catalog.
