awesome-api-security
github.com/arainho/awesome-api-security
A collection of awesome API Security tools and resources. The focus is on open-source tools and resources that benefit the whole community.
What's inside
Mind maps
- Abhay Bhargav
Mind map: REST API defenses
- Cypro AB
Mind map: GraphQL Attacking
- David Sopas
Organize your API security assessment by using MindAPI
- Harsh Bothra
Mind map: XML attacks
- Mosaad Sallam
Mind map: OWASP API Top 10
- Mufaddal Masalawala
Mind map: IDOR Techniques
Tools
- Akto
API discovery, automated business logic testing and runtime detection
- APICheck
The DevSecOps toolset for REST APIs.
- APIClarity
Reconstruct OpenAPI specifications from real-time workload traffic seamlessly.
- APIFuzzer
Fuzz test your application using your OpenAPI or Swagger API definition without coding.
- APIKit
APIKit: discovery, scan and audit APIs toolkit, all in one.
- Arjun
HTTP parameter discovery suite.
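The APIClarity entry above describes rebuilding an OpenAPI document from traffic. The following is an added example of the core idea, written for this page and not taken from APIClarity or any other listed project: observed paths are collapsed into templates by recognising identifier-like segments, grouped by method, and emitted as an OpenAPI 3 skeleton. The traffic sample is constructed; the segment classifiers (integer, UUID) and the parameter naming scheme are this example's own assumptions.

```python
"""Reconstruct an OpenAPI skeleton from observed API traffic.

Added illustration of traffic-based spec reconstruction (the idea behind the
APIClarity entry); this is not APIClarity's code. The traffic sample below is
constructed for the example.
"""
import json
import re
from collections import defaultdict

# Constructed access-log sample: (method, path, status). The last entry is a
# scanner probe for a route the API does not serve.
OBSERVED = [
    ("GET", "/api/v1/users/1042", 200),
    ("GET", "/api/v1/users/77", 200),
    ("DELETE", "/api/v1/users/77", 204),
    ("GET", "/api/v1/users/1042/orders", 200),
    ("POST", "/api/v1/orders", 201),
    ("GET", "/api/v1/orders/8f14e45f-ea4a-4d6b-9a3e-0b2f5c7d1e22", 200),
    ("GET", "/api/v1/orders/3c9909af-bb4b-4f55-9c8e-7a1d2e3f4a5b", 404),
    ("GET", "/api/v1/health", 200),
    ("GET", "/wp-admin", 404),
]

NUMERIC = re.compile(r"\A\d+\Z")
UUID = re.compile(
    r"\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\Z", re.I
)
SCHEMAS = {
    "integer": {"type": "integer"},
    "uuid": {"type": "string", "format": "uuid"},
}


def classify_segment(segment):
    """Return the parameter kind a path segment looks like, or None for a literal."""
    if NUMERIC.match(segment):
        return "integer"
    if UUID.match(segment):
        return "uuid"
    return None


def singular(word):
    """Crude singularisation used only to name path parameters (users -> user)."""
    return word[:-1] if len(word) > 1 and word.endswith("s") else word


def templatize(path):
    """Collapse identifier-like segments into {name} placeholders.

    Returns (template, {param_name: kind}); a parameter is named after the
    preceding resource segment, e.g. /users/1042 -> /users/{userId}.
    """
    parts = path.strip("/").split("/")
    out, params = [], {}
    for i, seg in enumerate(parts):
        kind = classify_segment(seg)
        if kind is None:
            out.append(seg)
            continue
        name = singular(parts[i - 1] if i else "resource") + "Id"
        while name in params:  # two ids under the same resource name
            name += "_"
        params[name] = kind
        out.append("{" + name + "}")
    return "/" + "/".join(out), params


def reconstruct_openapi(observed, drop_not_found_only=True):
    """Group traffic by template and method and emit an OpenAPI 3 skeleton.

    With drop_not_found_only, an operation whose only observed status is 404
    is treated as probe noise rather than a real route.
    """
    statuses = defaultdict(lambda: defaultdict(set))  # template -> method -> {status}
    params_for = defaultdict(dict)
    for method, path, status in observed:
        template, params = templatize(path)
        params_for[template].update(params)
        statuses[template][method.lower()].add(str(status))

    paths = {}
    for template in sorted(statuses):
        item = {}
        for method, codes in sorted(statuses[template].items()):
            if drop_not_found_only and codes == {"404"}:
                continue
            item[method] = {"responses": {c: {"description": ""} for c in sorted(codes)}}
        if not item:
            continue  # nothing but probes ever hit this template
        if params_for[template]:
            item["parameters"] = [
                {"name": n, "in": "path", "required": True, "schema": SCHEMAS[k]}
                for n, k in params_for[template].items()
            ]
        paths[template] = item
    return {
        "openapi": "3.0.3",
        "info": {"title": "Reconstructed API", "version": "0.0.1"},
        "paths": paths,
    }


if __name__ == "__main__":
    print(json.dumps(reconstruct_openapi(OBSERVED), indent=2))
```

The 404-only filter matters in practice: a recorded capture usually contains scanner probes and typos, and without it every such miss becomes a phantom route in the reconstructed spec. A real reconstruction also needs request and response body schemas, which this skeleton leaves out.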
Other resources
- API and microservice security
What is API and microservice security?
- API Hacking Articles
API Hacking Fundamentals, Tools, Techniques, Fails and Mindset articles.
- API Penetration Testing
API Penetration Testing with OWASP 2017 Test Cases.
- API Penetration Testing Report
Anonymised API Penetration Testing Report - vendor sample template
- API Pentesting with Swagger Files
Simplifying API Pentesting With Swagger Files.
- API Security best practices guide
API Security Best Practices MegaGuide
Design, Architecture, Development
- API Audit
API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility.
- API security design best practices
API security design best practices for enterprise and public cloud.
- Awesome REST
A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
- Collect API Requirements
Collecting Requirements for your API with APIOps Cycles.
- How to design a REST API
How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
- REST API Design Guide
This design guide or style guide contains best practices suitable for most REST APIs.
API Description Specifications
API Keys: Find and validate
- API Guesser
Simple website to guess API Key / OAuth Token by Muhammad Daffa
- API Key Leaks: Tools and exploits
An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers hardcode them or leave them on public shares.
- Key-Checker
Go scripts for checking API key / access token validity.
- Keyhacks
Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
- Mantra
A tool used to hunt down API key leaks in JS files and pages
- Private key usage verification
Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
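The entries above cover finding leaked keys in JavaScript and checking which service they belong to. The following is an added example written for this page, not code from Mantra, Keyhacks, Key-Checker or any other listed project. It combines two detectors a leak hunter typically uses, prefix patterns for token formats with a recognisable shape and a Shannon-entropy check on opaque string literals, and redacts what it reports so the scan output does not itself become a leak. The JavaScript fragment and every credential in it are constructed; validating a candidate against the issuing service is an online step this example deliberately leaves out.

```python
"""Hunt for leaked API keys and tokens in JavaScript sources.

Added illustration for the key-leak entries above; not code from Mantra,
Keyhacks or Key-Checker. Two detectors: known-prefix patterns and a
Shannon-entropy check on string literals. Findings are redacted on output.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed bundle fragment. Every credential below is made up or a
# documented placeholder; none is live.
SAMPLE_JS = r'''const cfg = {
  endpoint: "https://api.example.com/v1",
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  apiSecret: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b",
  placeholder: "xxxxxxxxxxxxxxxxxxxxxxxx",
};
const gh = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
const stripe = "sk_live_EXAMPLEkeyNOTREAL0000001";
fetch(cfg.endpoint, {
  headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlX25vdF9yZWFs" },
});
'''

# Prefix-based patterns for token formats with a recognisable shape.
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
}
# Single-line JS string literals in single, double or backtick quotes.
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)+?)\1""")
# Shape of an opaque secret: long, no separators, nothing else in the literal.
GENERIC_TOKEN = re.compile(r"\A[A-Za-z0-9_\-]{20,}\Z")


@dataclass
class Finding:
    kind: str
    value: str
    line: int

    def redacted(self, keep=4):
        """Show only the ends so the report does not re-leak the secret."""
        if len(self.value) <= 2 * keep:
            return "*" * len(self.value)
        return self.value[:keep] + "*" * (len(self.value) - 2 * keep) + self.value[-keep:]


def shannon_entropy(s):
    """Bits per character; random hex/base64 sits well above words or filler."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(source, entropy_threshold=3.5):
    """Return findings sorted by line; the generic detector skips spans a named pattern claimed."""
    findings, claimed = [], []
    for kind, pat in NAMED_PATTERNS.items():
        for m in pat.finditer(source):
            findings.append(Finding(kind, m.group(0), source.count("\n", 0, m.start()) + 1))
            claimed.append(m.span())
    for m in STRING_LITERAL.finditer(source):
        start, end = m.span(2)
        if any(s < end and start < e for s, e in claimed):
            continue
        literal = m.group(2)
        if GENERIC_TOKEN.match(literal) and shannon_entropy(literal) >= entropy_threshold:
            findings.append(Finding("high_entropy_string", literal, source.count("\n", 0, start) + 1))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan(SAMPLE_JS):
        print(f"line {f.line:>3}  {f.kind:<22} {f.redacted()}")
```

The entropy threshold of 3.5 bits per character is a tuning knob, not a constant: hex secrets land around 3.8, base64 higher, and placeholder strings such as repeated `x` at zero, so the check separates real secrets from filler while still missing short or structured credentials, which is why the prefix patterns run first.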
Playlists
- API hacking
API hacking videos from @theXSSrat
- Everything API Hacking
A video playlist of API hacking knowledge from Katie Paxton-Fear (@InsiderPhD) and others.
Fuzzing, SecLists, Wordlists
- API HTTP requests methods
HTTP request methods wordlist by @danielmiessler
- API names wordlist
A wordlist of API names for web application assessments
- API Routes Wordlists
API Routes - Automated Wordlists provided by Assetnote
- Common API endpoints
Wordlist for common API endpoints.
- Filenames by fuzz.txt
Potentially dangerous files
- Fuzzing APIs
Fuzzing APIs chapter from "The Fuzzing Book".
Showing a sample of 155 resources; the full list is on GitHub.