🔎 Start your first scan
In its simplest form, an API endpoint is all we need to start scanning a GraphQL API.
Application creation stepper
- Go to your applications list and click on "Secure a new app".
- Enter your GraphQL endpoint and click on "Next".
- Add an authorization header if desired, or click on "Skip".
- Select a name for the application, and choose whether you want the scan to send queries and mutations (read-write mode) or only queries (read-only, safe for production). Click on "Start scanning".
- You are all set!
Common pitfalls
My endpoint is not a GraphQL endpoint
It may happen that we cannot detect whether an API endpoint is powered by a GraphQL engine. If it is genuinely not a GraphQL endpoint, you may want to get in touch with us to become an early tester of our security tests for non-GraphQL APIs.
My endpoint is a GraphQL endpoint but requires authentication
Another common reason for our test to fail is that the endpoint requires authentication, whether it be a firewall protecting the server or an application layer enforcing authentication for the query we use to fingerprint the API (`query { __typename }`). In this case, you can provide authorization headers, which will be attached to the HTTP requests we send.
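To make the two pitfalls above concrete, here is an added example (not the product's own code) that reproduces the fingerprint step: it builds the `query { __typename }` probe with an optional Authorization header, and sorts the reply into "GraphQL engine detected", "authentication required", "GraphQL engine present but query refused", or "not a GraphQL endpoint". The function and status names are assumptions made for this illustration.

```python
import json
import urllib.error
import urllib.request
from typing import Optional

# The fingerprint query from the page; a GraphQL engine answers it with {"data": {"__typename": "Query"}}.
FINGERPRINT_QUERY = "query { __typename }"


def build_probe_request(endpoint: str, authorization: Optional[str] = None) -> dict:
    """Describe the HTTP request used to fingerprint an endpoint (constructed helper, not the product's code)."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if authorization:
        # The header entered in the stepper is attached verbatim to every request the scanner sends.
        headers["Authorization"] = authorization
    return {"method": "POST", "url": endpoint, "headers": headers,
            "body": json.dumps({"query": FINGERPRINT_QUERY})}


def classify_probe_response(status: int, body: str) -> str:
    """Map an HTTP status and response body to one of the situations described on the page."""
    if status in (401, 403):
        return "auth_required"      # firewall or auth layer rejected the request outright
    try:
        payload = json.loads(body)
    except ValueError:
        return "not_graphql"        # HTML error pages, plain text, empty bodies
    if not isinstance(payload, dict):
        return "not_graphql"
    data = payload.get("data")
    if isinstance(data, dict) and isinstance(data.get("__typename"), str):
        return "graphql"            # engine detected and the probe was accepted
    errors = payload.get("errors")
    if isinstance(errors, list) and errors and isinstance(errors[0], dict) and "message" in errors[0]:
        return "graphql_rejected"   # GraphQL-shaped error: engine present, query refused (often auth)
    return "not_graphql"


def probe(endpoint: str, authorization: Optional[str] = None, timeout: float = 10.0) -> str:
    """Send the fingerprint query to a live endpoint and classify the answer."""
    spec = build_probe_request(endpoint, authorization)
    req = urllib.request.Request(spec["url"], data=spec["body"].encode(),
                                 headers=spec["headers"], method=spec["method"])
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx replies still carry a body worth inspecting
        return classify_probe_response(err.code, err.read().decode("utf-8", "replace"))
```

Running `probe("https://your-api.example/graphql", "Bearer <token>")` against your own endpoint shows which of the two pitfalls applies before you start the scan.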