API endpoints are the routes a website or application calls to exchange data with backend services. If a website loads products, logs in users, creates orders, updates profiles, or sends chat messages, it is likely calling API endpoints behind the scenes.
Finding those endpoints is useful when you own the website, operate the application, maintain the API, perform an approved security review, or need to build an accurate API inventory. It should always be done within authorized scope. The goal is visibility and protection, not probing systems you do not control.
What Are API Endpoints on a Website?
An API endpoint is a specific URL and method combination that performs an API action. For example, GET /api/products may return product data, while POST /api/orders may create an order.
Common endpoint patterns include:
- /api/users for user-related actions.
- /api/products for product data.
- /api/orders/{id} for order details.
- /v1/auth/login for authentication flows.
- /graphql for GraphQL queries and mutations.
- /internal/* for internal service routes that should be carefully protected.
Start With Safe and Authorized Scope
Before looking for API endpoints, define the scope. Safe discovery means working only on websites, applications, APIs, and environments you own or have explicit permission to assess.
For internal teams, the scope might include production domains, staging domains, API gateways, mobile backends, partner APIs, cloud services, internal services, and service mesh traffic. For consultants or security reviewers, scope should be written down before any assessment begins.
| Safe discovery | Risky or inappropriate behavior | Why it matters |
|---|---|---|
| Reviewing your own website traffic | Testing third-party websites without approval | Authorization protects both teams and systems |
| Using approved logs and monitoring data | Trying to bypass access controls or rate limits | Discovery should not become unauthorized probing |
| Documenting endpoints and owners | Collecting sensitive data unnecessarily | API discovery can expose personal or confidential data |
| Testing in staging where possible | Generating high-volume traffic against production | Production stability and customer trust matter |
Practical Ways to Find API Endpoints of a Website
There is no single perfect method. The best results usually come from combining documentation, application observation, logs, and runtime traffic analysis.
Check API documentation
Start with official developer docs, internal wikis, OpenAPI files, Swagger UI pages, Postman collections, and service catalogs.
Use browser DevTools
For websites you own or are authorized to review, the Network tab can show API requests made as you use the application.
Review frontend references
Application code may reference API base URLs, route constants, GraphQL operations, SDK calls, and service names.
Analyze logs and gateways
API gateways, load balancers, reverse proxies, WAFs, service meshes, and application logs often reveal active API routes.
Use runtime discovery
Runtime API discovery tools can identify endpoints, methods, parameters, response fields, sensitive data, and behavior from traffic.
Compare against inventory
Match discovered endpoints against known API inventory to find shadow APIs, zombie APIs, duplicates, and unmanaged routes.
Finding API Endpoints With Browser DevTools
Browser DevTools is one of the easiest ways to see which API calls a website makes during normal use. This is helpful for developers, QA teams, product teams, and authorized security reviewers.
A safe review flow looks like this:
- Open the website in a browser.
- Open Developer Tools and select the Network tab.
- Use the application normally, such as logging in, searching, loading a dashboard, or submitting a form.
- Filter network requests by Fetch/XHR or similar request types.
- Record the endpoint path, method, status code, request parameters, and response type.
- Classify the endpoint by owner, environment, data sensitivity, and business function.
Example endpoint inventory row:
Method: GET
Path: /api/v1/orders/{orderId}
Observed from: Browser DevTools
Feature: Customer order details
Auth required: Yes
Sensitive data: Customer name, address, order amount
Owner: Commerce team
Security review: Object-level authorization requiredDevTools is useful, but it only shows the traffic produced by the actions you perform in the browser. It may miss mobile-only APIs, partner APIs, internal APIs, backend service calls, admin APIs, and rarely used endpoints.
Finding Endpoints From Logs, Gateways, and Proxies
Logs and gateways are often better than manual browser observation because they show traffic across many users, clients, integrations, and time periods.
| Source | What it can reveal | Security value |
|---|---|---|
| API gateway | Routes, products, consumers, methods, status codes, rate limits, auth failures | Shows managed API traffic and policy behavior |
| Reverse proxy | Paths, upstream services, client IPs, headers, response codes, latency | Shows traffic before it reaches applications |
| Load balancer | Hostnames, paths, target groups, status codes, response times | Helps map entry points and usage volume |
| Application logs | Route handlers, user context, authorization decisions, errors, business events | Connects endpoint activity to application logic |
| Service mesh | Service-to-service calls, internal APIs, namespaces, workloads, latency, errors | Finds east-west API traffic |
| SIEM | Correlated events across gateways, apps, identity, infrastructure, and security tools | Supports investigation and compliance review |
When using logs, normalize endpoints carefully. For example, /api/orders/123 and /api/orders/456 should usually be grouped as /api/orders/{id} so the inventory reflects the endpoint pattern rather than every individual object ID.
Runtime API Discovery: The Most Complete View
Runtime API discovery analyzes real API traffic to identify endpoints, methods, parameters, schemas, response data, clients, and behavior. It is especially useful because APIs change faster than documentation.
Runtime discovery can help find:
- Shadow APIs that are active but not documented.
- Zombie APIs that are old, deprecated, or forgotten but still reachable.
- Internal APIs that bypass gateway inventory.
- Endpoints returning sensitive data.
- Unexpected methods such as unsafe update or delete actions.
- AI tools and agents calling APIs in new ways.
- Partner integrations using old versions or unusual paths.
| Approach | Strength | Limitation |
|---|---|---|
| Documentation and OpenAPI specs | Shows intended API design | Can be stale or incomplete |
| Browser DevTools | Easy way to observe website API calls | Only shows actions performed during testing |
| Logs and gateways | Shows broader production usage | May lack request or response body detail |
| Runtime API security | Shows active endpoints, behavior, and data exposure | Depends on traffic coverage and visibility quality |
Where Ammune fits
Ammune helps teams discover API endpoints from runtime traffic, inspect requests and responses, detect sensitive data exposure, identify abnormal behavior, surface shadow APIs, and forward useful security events into SIEM workflows. This turns endpoint discovery into a practical security program rather than a one-time spreadsheet.
What to document after finding an API endpoint
Finding an endpoint is only the first step. The endpoint should be normalized, classified, assigned to an owner, and connected to security review. A list of raw URLs is not enough for API governance.
| Field to document | Example | Why it matters |
|---|---|---|
| Method and path pattern | GET /api/orders/{orderId} | Normalizes object-specific URLs into a real endpoint inventory. |
| Owner and environment | Commerce team, production | Makes remediation and approval workflows accountable. |
| Authentication and authorization | JWT required, object-level access needed | Shows where access controls must be verified. |
| Data sensitivity | Customer name, address, order amount | Supports privacy, compliance, and response inspection. |
| Runtime signals | Traffic volume, clients, errors, unusual access | Helps detect drift, abuse, and security gaps. |
From endpoint discovery to API security remediation
Endpoint discovery should feed a practical security workflow. When a new endpoint is found, teams should decide whether it is approved, documented, owned, properly authenticated, correctly authorized, monitored, and safe in the data it returns.
Shadow API review
Compare discovered endpoints with official inventory to find routes that need ownership, documentation, policy, or removal.
Authorization review
Prioritize endpoints with object IDs, tenant IDs, account IDs, exports, admin actions, and state-changing methods.
Response review
Inspect responses for PII, PCI, secrets, tokens, internal IDs, verbose errors, and excessive fields.
Security operations workflow
Send high-value findings into SIEM, ticketing, governance review, or policy enforcement workflows.
API Endpoint Discovery Checklist
Use this checklist when finding API endpoints for a website you own, operate, or are authorized to review.
- Confirm authorization. Work only on approved domains, applications, environments, and APIs.
- Start with documentation. Review OpenAPI specs, Swagger UI, developer docs, Postman collections, and internal catalogs.
- Observe browser traffic. Use DevTools to record Fetch/XHR requests during normal application workflows.
- Review frontend references. Look for route constants, API base URLs, GraphQL operations, and SDK calls in authorized codebases.
- Analyze gateway and proxy logs. Identify paths, methods, status codes, clients, rate limits, and authentication failures.
- Normalize route patterns. Convert object-specific URLs into patterns such as /api/orders/{id}.
- Capture security context. Record authentication model, authorization requirement, data sensitivity, owner, and environment.
- Inspect responses. Identify sensitive fields, excessive data, internal IDs, tokens, and error leakage.
- Find gaps. Compare discovered endpoints against inventory to identify shadow APIs, zombie APIs, and undocumented routes.
- Connect to remediation. Assign owners, update documentation, add policies, tune monitoring, and fix authorization or data exposure issues.
Common mistakes to avoid
- Testing websites or APIs without authorization.
- Assuming browser DevTools shows every endpoint.
- Documenting URLs without methods, owners, auth controls, or data sensitivity.
- Ignoring API responses and focusing only on requests.
- Keeping endpoint discovery separate from security operations.
- Failing to identify internal, partner, mobile, and AI-facing APIs.
- Using discovery as a one-time project instead of continuous visibility.
Conclusion: Finding API Endpoints Is the Start of API Security
Finding the API endpoints of a website is not only a developer troubleshooting task. It is the foundation of API inventory, governance, testing, monitoring, and security. Once teams know which endpoints exist, they can classify them, assign owners, protect them, inspect responses, and monitor runtime behavior.
The safest and most complete approach combines documentation, browser DevTools, frontend references, logs, gateways, and runtime API discovery. Each source shows part of the picture. Together, they reveal the real API surface.
Ammune helps organizations turn that visibility into protection by discovering APIs from runtime traffic, identifying sensitive data exposure, detecting abnormal behavior, and producing SIEM-ready evidence for security teams.
FAQs About Finding API Endpoints of a Website
What are API endpoints on a website?
API endpoints are URLs where a website or application sends requests to read, create, update, or delete data. They often appear as routes such as /api/users, /api/products, /v1/orders, or /graphql.
How can I find API endpoints of a website?
For websites you own or are authorized to assess, you can find API endpoints by reviewing documentation, OpenAPI specs, browser DevTools network activity, frontend code references, gateway logs, server logs, reverse proxy logs, service mesh telemetry, and runtime API discovery tools.
Is it legal to find API endpoints of any website?
You should only inspect or test API endpoints on websites you own, manage, or have explicit permission to assess. Unauthorized probing, scraping, bypassing controls, or testing third-party systems can violate laws, terms of service, or security policies.
Can browser DevTools show API endpoints?
Yes. Browser DevTools can show network requests made by the website while you use it. This can reveal API routes, methods, request headers, response status codes, and payload structures for authorized troubleshooting and security review.
What is the best way to find all APIs in an organization?
The best approach is to combine static sources such as documentation and OpenAPI specs with runtime discovery from gateways, logs, proxies, traffic mirrors, service meshes, and API security platforms. Runtime discovery helps find APIs that documentation misses.
How does Ammune help find API endpoints?
Ammune helps teams discover API endpoints from runtime traffic, inspect requests and responses, detect sensitive data exposure, identify shadow APIs, monitor abnormal behavior, and export SIEM-ready events for API security operations.
Can OpenAPI or Swagger help find API endpoints?
Yes. OpenAPI files and Swagger UI pages can show documented endpoints, methods, request schemas, response schemas, authentication requirements, and available versions. They should be compared with runtime traffic because documentation may be incomplete or outdated.
What should be documented after finding an API endpoint?
Document the method, path pattern, owner, environment, authentication model, authorization requirement, data sensitivity, request fields, response fields, status codes, clients, and remediation status if risk is found.
Why is runtime API discovery better than browser DevTools alone?
Browser DevTools only shows the API calls triggered during the actions you perform. Runtime discovery can observe broader production behavior across users, integrations, mobile apps, partners, internal services, and less frequently used endpoints.
What are shadow APIs in website endpoint discovery?
Shadow APIs are active endpoints that are missing from official documentation, inventory, governance, or security review. Comparing discovered endpoints with the approved inventory helps identify them.
Should API responses be inspected during endpoint discovery?
Yes. Responses reveal data exposure, sensitive fields, excessive objects, internal IDs, tokens, error leakage, and schema changes that may not be visible from endpoint paths alone.
How should endpoint discovery findings be used?
Endpoint discovery findings should feed API inventory, ownership review, documentation updates, gateway policy, WAF tuning, authorization fixes, sensitive data remediation, SIEM alerts, and recurring security reviews.
Find and protect APIs from real runtime traffic
Ammune helps teams discover API endpoints, inspect requests and responses, detect sensitive data exposure, identify abnormal behavior, and produce SIEM-ready evidence from live API traffic.
