How to Find API Endpoints of a Website
How to Find API Endpoints of a Website Safely: DevTools, Logs, OpenAPI, and Runtime Discovery
API discovery and inventory

How to Find API Endpoints of a Website Safely: DevTools, Logs, OpenAPI, and Runtime Discovery

Finding API endpoints is useful for development, troubleshooting, security reviews, documentation, and API inventory. The right approach is authorized, controlled, and evidence-based: use documentation, browser network activity, OpenAPI specs, logs, gateways, and runtime discovery to understand what APIs a website actually uses.

API endpoints are the routes a website or application calls to exchange data with backend services. If a website loads products, logs in users, creates orders, updates profiles, or sends chat messages, it is likely calling API endpoints behind the scenes.

Finding those endpoints is useful when you own the website, operate the application, maintain the API, perform an approved security review, or need to build an accurate API inventory. It should always be done within authorized scope. The goal is visibility and protection, not probing systems you do not control.

What Are API Endpoints on a Website?

An API endpoint is a specific URL and method combination that performs an API action. For example, GET /api/products may return product data, while POST /api/orders may create an order.

Common endpoint patterns include:

  • /api/users for user-related actions.
  • /api/products for product data.
  • /api/orders/{id} for order details.
  • /v1/auth/login for authentication flows.
  • /graphql for GraphQL queries and mutations.
  • /internal/* for internal service routes that should be carefully protected.
An endpoint is not just a URL. For security, the method, parameters, headers, authentication model, request body, response data, owner, and runtime behavior all matter.

Start With Safe and Authorized Scope

Before looking for API endpoints, define the scope. Safe discovery means working only on websites, applications, APIs, and environments you own or have explicit permission to assess.

For internal teams, the scope might include production domains, staging domains, API gateways, mobile backends, partner APIs, cloud services, internal services, and service mesh traffic. For consultants or security reviewers, scope should be written down before any assessment begins.

Safe discovery Risky or inappropriate behavior Why it matters
Reviewing your own website traffic Testing third-party websites without approval Authorization protects both teams and systems
Using approved logs and monitoring data Trying to bypass access controls or rate limits Discovery should not become unauthorized probing
Documenting endpoints and owners Collecting sensitive data unnecessarily API discovery can expose personal or confidential data
Testing in staging where possible Generating high-volume traffic against production Production stability and customer trust matter
Find API Endpoints of a Website

Practical Ways to Find API Endpoints of a Website

There is no single perfect method. The best results usually come from combining documentation, application observation, logs, and runtime traffic analysis.

Check API documentation

Start with official developer docs, internal wikis, OpenAPI files, Swagger UI pages, Postman collections, and service catalogs.

Use browser DevTools

For websites you own or are authorized to review, the Network tab can show API requests made as you use the application.

Review frontend references

Application code may reference API base URLs, route constants, GraphQL operations, SDK calls, and service names.

Analyze logs and gateways

API gateways, load balancers, reverse proxies, WAFs, service meshes, and application logs often reveal active API routes.

Use runtime discovery

Runtime API discovery tools can identify endpoints, methods, parameters, response fields, sensitive data, and behavior from traffic.

Compare against inventory

Match discovered endpoints against known API inventory to find shadow APIs, zombie APIs, duplicates, and unmanaged routes.

Finding API Endpoints With Browser DevTools

Browser DevTools is one of the easiest ways to see which API calls a website makes during normal use. This is helpful for developers, QA teams, product teams, and authorized security reviewers.

A safe review flow looks like this:

  1. Open the website in a browser.
  2. Open Developer Tools and select the Network tab.
  3. Use the application normally, such as logging in, searching, loading a dashboard, or submitting a form.
  4. Filter network requests by Fetch/XHR or similar request types.
  5. Record the endpoint path, method, status code, request parameters, and response type.
  6. Classify the endpoint by owner, environment, data sensitivity, and business function.
Example endpoint inventory row:

Method: GET
Path: /api/v1/orders/{orderId}
Observed from: Browser DevTools
Feature: Customer order details
Auth required: Yes
Sensitive data: Customer name, address, order amount
Owner: Commerce team
Security review: Object-level authorization required

DevTools is useful, but it only shows the traffic produced by the actions you perform in the browser. It may miss mobile-only APIs, partner APIs, internal APIs, backend service calls, admin APIs, and rarely used endpoints.

How to Find API Endpoints of a Website

Finding Endpoints From Logs, Gateways, and Proxies

Logs and gateways are often better than manual browser observation because they show traffic across many users, clients, integrations, and time periods.

Source What it can reveal Security value
API gateway Routes, products, consumers, methods, status codes, rate limits, auth failures Shows managed API traffic and policy behavior
Reverse proxy Paths, upstream services, client IPs, headers, response codes, latency Shows traffic before it reaches applications
Load balancer Hostnames, paths, target groups, status codes, response times Helps map entry points and usage volume
Application logs Route handlers, user context, authorization decisions, errors, business events Connects endpoint activity to application logic
Service mesh Service-to-service calls, internal APIs, namespaces, workloads, latency, errors Finds east-west API traffic
SIEM Correlated events across gateways, apps, identity, infrastructure, and security tools Supports investigation and compliance review

When using logs, normalize endpoints carefully. For example, /api/orders/123 and /api/orders/456 should usually be grouped as /api/orders/{id} so the inventory reflects the endpoint pattern rather than every individual object ID.

Runtime API Discovery: The Most Complete View

Runtime API discovery analyzes real API traffic to identify endpoints, methods, parameters, schemas, response data, clients, and behavior. It is especially useful because APIs change faster than documentation.

Runtime discovery can help find:

  • Shadow APIs that are active but not documented.
  • Zombie APIs that are old, deprecated, or forgotten but still reachable.
  • Internal APIs that bypass gateway inventory.
  • Endpoints returning sensitive data.
  • Unexpected methods such as unsafe update or delete actions.
  • AI tools and agents calling APIs in new ways.
  • Partner integrations using old versions or unusual paths.
Approach Strength Limitation
Documentation and OpenAPI specs Shows intended API design Can be stale or incomplete
Browser DevTools Easy way to observe website API calls Only shows actions performed during testing
Logs and gateways Shows broader production usage May lack request or response body detail
Runtime API security Shows active endpoints, behavior, and data exposure Depends on traffic coverage and visibility quality

Where Ammune fits

Ammune helps teams discover API endpoints from runtime traffic, inspect requests and responses, detect sensitive data exposure, identify abnormal behavior, surface shadow APIs, and forward useful security events into SIEM workflows. This turns endpoint discovery into a practical security program rather than a one-time spreadsheet.

how to find API endpoints of a website

What to document after finding an API endpoint

Finding an endpoint is only the first step. The endpoint should be normalized, classified, assigned to an owner, and connected to security review. A list of raw URLs is not enough for API governance.

Field to document Example Why it matters
Method and path pattern GET /api/orders/{orderId} Normalizes object-specific URLs into a real endpoint inventory.
Owner and environment Commerce team, production Makes remediation and approval workflows accountable.
Authentication and authorization JWT required, object-level access needed Shows where access controls must be verified.
Data sensitivity Customer name, address, order amount Supports privacy, compliance, and response inspection.
Runtime signals Traffic volume, clients, errors, unusual access Helps detect drift, abuse, and security gaps.

From endpoint discovery to API security remediation

Endpoint discovery should feed a practical security workflow. When a new endpoint is found, teams should decide whether it is approved, documented, owned, properly authenticated, correctly authorized, monitored, and safe in the data it returns.

Shadow API review

Compare discovered endpoints with official inventory to find routes that need ownership, documentation, policy, or removal.

Authorization review

Prioritize endpoints with object IDs, tenant IDs, account IDs, exports, admin actions, and state-changing methods.

Response review

Inspect responses for PII, PCI, secrets, tokens, internal IDs, verbose errors, and excessive fields.

Security operations workflow

Send high-value findings into SIEM, ticketing, governance review, or policy enforcement workflows.

API Endpoint Discovery Checklist

Use this checklist when finding API endpoints for a website you own, operate, or are authorized to review.

  1. Confirm authorization. Work only on approved domains, applications, environments, and APIs.
  2. Start with documentation. Review OpenAPI specs, Swagger UI, developer docs, Postman collections, and internal catalogs.
  3. Observe browser traffic. Use DevTools to record Fetch/XHR requests during normal application workflows.
  4. Review frontend references. Look for route constants, API base URLs, GraphQL operations, and SDK calls in authorized codebases.
  5. Analyze gateway and proxy logs. Identify paths, methods, status codes, clients, rate limits, and authentication failures.
  6. Normalize route patterns. Convert object-specific URLs into patterns such as /api/orders/{id}.
  7. Capture security context. Record authentication model, authorization requirement, data sensitivity, owner, and environment.
  8. Inspect responses. Identify sensitive fields, excessive data, internal IDs, tokens, and error leakage.
  9. Find gaps. Compare discovered endpoints against inventory to identify shadow APIs, zombie APIs, and undocumented routes.
  10. Connect to remediation. Assign owners, update documentation, add policies, tune monitoring, and fix authorization or data exposure issues.

Common mistakes to avoid

  • Testing websites or APIs without authorization.
  • Assuming browser DevTools shows every endpoint.
  • Documenting URLs without methods, owners, auth controls, or data sensitivity.
  • Ignoring API responses and focusing only on requests.
  • Keeping endpoint discovery separate from security operations.
  • Failing to identify internal, partner, mobile, and AI-facing APIs.
  • Using discovery as a one-time project instead of continuous visibility.

Conclusion: Finding API Endpoints Is the Start of API Security

Finding the API endpoints of a website is not only a developer troubleshooting task. It is the foundation of API inventory, governance, testing, monitoring, and security. Once teams know which endpoints exist, they can classify them, assign owners, protect them, inspect responses, and monitor runtime behavior.

The safest and most complete approach combines documentation, browser DevTools, frontend references, logs, gateways, and runtime API discovery. Each source shows part of the picture. Together, they reveal the real API surface.

Ammune helps organizations turn that visibility into protection by discovering APIs from runtime traffic, identifying sensitive data exposure, detecting abnormal behavior, and producing SIEM-ready evidence for security teams.

FAQs About Finding API Endpoints of a Website

What are API endpoints on a website?

API endpoints are URLs where a website or application sends requests to read, create, update, or delete data. They often appear as routes such as /api/users, /api/products, /v1/orders, or /graphql.

How can I find API endpoints of a website?

For websites you own or are authorized to assess, you can find API endpoints by reviewing documentation, OpenAPI specs, browser DevTools network activity, frontend code references, gateway logs, server logs, reverse proxy logs, service mesh telemetry, and runtime API discovery tools.

Is it legal to find API endpoints of any website?

You should only inspect or test API endpoints on websites you own, manage, or have explicit permission to assess. Unauthorized probing, scraping, bypassing controls, or testing third-party systems can violate laws, terms of service, or security policies.

Can browser DevTools show API endpoints?

Yes. Browser DevTools can show network requests made by the website while you use it. This can reveal API routes, methods, request headers, response status codes, and payload structures for authorized troubleshooting and security review.

What is the best way to find all APIs in an organization?

The best approach is to combine static sources such as documentation and OpenAPI specs with runtime discovery from gateways, logs, proxies, traffic mirrors, service meshes, and API security platforms. Runtime discovery helps find APIs that documentation misses.

How does Ammune help find API endpoints?

Ammune helps teams discover API endpoints from runtime traffic, inspect requests and responses, detect sensitive data exposure, identify shadow APIs, monitor abnormal behavior, and export SIEM-ready events for API security operations.

Can OpenAPI or Swagger help find API endpoints?

Yes. OpenAPI files and Swagger UI pages can show documented endpoints, methods, request schemas, response schemas, authentication requirements, and available versions. They should be compared with runtime traffic because documentation may be incomplete or outdated.

What should be documented after finding an API endpoint?

Document the method, path pattern, owner, environment, authentication model, authorization requirement, data sensitivity, request fields, response fields, status codes, clients, and remediation status if risk is found.

Why is runtime API discovery better than browser DevTools alone?

Browser DevTools only shows the API calls triggered during the actions you perform. Runtime discovery can observe broader production behavior across users, integrations, mobile apps, partners, internal services, and less frequently used endpoints.

What are shadow APIs in website endpoint discovery?

Shadow APIs are active endpoints that are missing from official documentation, inventory, governance, or security review. Comparing discovered endpoints with the approved inventory helps identify them.

Should API responses be inspected during endpoint discovery?

Yes. Responses reveal data exposure, sensitive fields, excessive objects, internal IDs, tokens, error leakage, and schema changes that may not be visible from endpoint paths alone.

How should endpoint discovery findings be used?

Endpoint discovery findings should feed API inventory, ownership review, documentation updates, gateway policy, WAF tuning, authorization fixes, sensitive data remediation, SIEM alerts, and recurring security reviews.

Find and protect APIs from real runtime traffic

Ammune helps teams discover API endpoints, inspect requests and responses, detect sensitive data exposure, identify abnormal behavior, and produce SIEM-ready evidence from live API traffic.

© Ammune Security. API security content for modern application, AI, and enterprise environments.