API Discovery Chrome Extension for Security Testing
Before you can test an API for vulnerabilities, you need to know what endpoints exist. OpenAPI specs help, but they are often incomplete -- undocumented internal routes, legacy endpoints, and third-party integrations rarely make it in.
The ApyGuard Chrome extension captures every API call as you browse your application. Install it, use the product normally, and export discovered endpoints directly to ApyGuard for an automated API security scan.
- Capture every live endpoint. Record API calls as users navigate -- including undocumented routes your spec never mentioned.
- Understand real request flows. See how authentication, parameters, and dependent endpoints chain together in actual usage.
- Feed directly into security scanning. Import discovered endpoints to ApyGuard and run an automated security scan immediately.
Discover Every Endpoint Before You Test
The ApyGuard API discovery extension helps teams uncover hidden endpoints, trace real request flows, and import them to the security scanner without writing a single line of spec.
Make hidden API flows visible in seconds
The ApyGuard extension observes live API traffic directly inside the browser, capturing every request your application makes as you navigate through it -- including endpoints that never made it into your OpenAPI spec.
- Capture API requests and responses while using the product normally
- Reveal undocumented endpoints, parameters, and authentication flows
- Build a complete endpoint inventory as the starting point for security testing
From Discovery to Security Scan
Five steps from installing the extension to a full vulnerability report on your API.
1. Install from the Chrome Web Store. One-click install, no configuration required. Works in Chrome and Chromium-based browsers including Edge.
2. Browse your application normally. Navigate through the product as a real user would. The extension records every API call in the background -- no changes to your app required.
3. Review the generated OpenAPI documentation. The extension builds an OpenAPI spec from captured traffic, with request and response schemas populated from real example values.
4. Import to ApyGuard. Export discovered endpoints directly to your ApyGuard account. No manual spec writing or file conversion needed.
5. Run the security scan. ApyGuard tests every discovered endpoint for vulnerabilities -- broken authentication, injection, BOLA, and the full OWASP API Top 10.
What the Extension Captures
The extension records each API request and response as you navigate, then generates OpenAPI documentation with real example values -- ready to import into ApyGuard.
- Endpoint URLs and HTTP methods: GET, POST, PUT, DELETE, PATCH across all discovered routes
- Request headers: Content types and custom headers observed during navigation
- Query parameters and path variables: Including parameterized routes your spec may have omitted
- Request body schemas: JSON body structure with real example values from captured requests
- Response body schemas: Response structure with example values from actual responses
- Generated OpenAPI documentation: Complete spec ready to import into ApyGuard for security scanning
Extension vs. OpenAPI Import: When to Use Which
Both methods connect your API to ApyGuard. Use the extension when your spec is incomplete or missing -- use OpenAPI import when you have a complete, up-to-date spec.
Use the Chrome extension when:
- You have no OpenAPI spec, or it is incomplete
- You need to capture endpoints triggered by specific user workflows
- You suspect undocumented internal routes exist
- You're auditing a third-party integration that doesn't expose a spec
- You want to verify the spec matches what's actually running in production
Use OpenAPI import when:
- You have a complete, up-to-date spec
- You want to scan before deploying (spec-first workflow)
- You're testing a CI/CD pipeline gate
- You need to scan a large API surface without manual browsing
You can use both together. The extension captures endpoints the spec missed, giving you a complete API surface for the automated penetration test. Pair with behavior profiling to monitor discovered endpoints for response drift after deployment.
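To make the spec-versus-traffic comparison concrete, here is an added example (not ApyGuard's code or export format) that collapses captured calls into templated routes, deduplicates them, and lists operations missing from an OpenAPI `paths` object. The HAR-style entry shape, the `app.example.test` host, and the numeric/UUID identifier heuristic are assumptions made for illustration.

```javascript
// Constructed sample: HAR-style entries (request.method, request.url) from a capture.
const capturedEntries = [
  { request: { method: "GET", url: "https://app.example.test/api/v1/users/1042?expand=roles" } },
  { request: { method: "GET", url: "https://app.example.test/api/v1/users/2071" } },
  { request: { method: "POST", url: "https://app.example.test/api/v1/orders" } },
  { request: { method: "GET", url: "https://app.example.test/api/internal/export/3f2b8c1e-9a4d-4c6e-8b1f-0d2e5a7c9b10" } },
  { request: { method: "DELETE", url: "https://app.example.test/api/v1/orders/77" } },
];
// Constructed sample: the "paths" object of an incomplete OpenAPI document.
const documentedPaths = {
  "/api/v1/users/{userId}": { get: {} },
  "/api/v1/orders": { get: {}, post: {} },
  "/api/v1/orders/{orderId}": { parameters: [], get: {} },
};

const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Replace identifier-looking segments so repeated calls collapse to one route.
function templatePath(pathname) {
  const isId = (seg) => /^\d+$/.test(seg) || UUID.test(seg);
  return pathname.split("/").map((seg) => (isId(seg) ? "{id}" : seg)).join("/");
}

// Deduplicate captured calls into sorted "METHOD /templated/path" keys (query dropped).
function buildInventory(entries) {
  const seen = new Set();
  for (const { request } of entries) {
    const path = templatePath(new URL(request.url).pathname);
    seen.add(`${request.method.toUpperCase()} ${path}`);
  }
  return [...seen].sort();
}

// Normalise spec paths so "{userId}" and "{id}" compare equal; skip non-method keys.
function specOperations(paths) {
  const ops = new Set();
  for (const [path, item] of Object.entries(paths)) {
    for (const method of Object.keys(item)) {
      if (!/^(get|put|post|delete|patch|head|options)$/i.test(method)) continue;
      ops.add(`${method.toUpperCase()} ${path.replace(/\{[^}]+\}/g, "{id}")}`);
    }
  }
  return ops;
}

// Captured operations that the spec does not document.
function undocumented(entries, paths) {
  const ops = specOperations(paths);
  return buildInventory(entries).filter((op) => !ops.has(op));
}

console.log(undocumented(capturedEntries, documentedPaths));
```

Operations reported here are the ones to add to the inventory before scanning; slug-style identifiers (for example usernames in paths) will not be templated by this heuristic and need a manual pass.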
Frequently Asked Questions
Which browsers are supported?
The extension is available on the Chrome Web Store and works in Chrome and any Chromium-based browser, including Microsoft Edge.
Does the extension send my API traffic to ApyGuard servers during discovery?
Discovery happens locally in your browser. Traffic is captured inside the extension and is not transmitted to ApyGuard servers until you choose to export and import the discovered endpoints.
Does it work on applications that require authentication?
Yes. You browse as a logged-in user, so the extension captures the authenticated endpoints your application calls -- including the request and response schemas that only appear after login. You get a more complete spec than documentation alone can provide.
What is the difference between the extension and Chrome DevTools Network tab?
Chrome DevTools shows raw network requests. The extension organizes discovered requests into a structured endpoint inventory, deduplicates calls, and exports them directly to ApyGuard for security testing -- without any manual work to convert what you see into a scannable format.
Find every endpoint. Then test every one.
Install the extension, browse your application, and import discovered endpoints to ApyGuard for an automated security scan. No spec required.
See the API security best practices guide for the full framework on API inventory, testing, and monitoring.