Introduction to API Discovery Sources

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This feature is available with Invicti API Security Standalone or Bundle

The APIs > Sources page is where you can enable Zero Configuration Discovery, set up the Invicti Network Traffic Analyzer (NTA) in your Kubernetes cluster, and add API Management Integrations. The Invicti NTA and each API Management integration require some initial configuration before they can start synchronizing your OpenAPI3 and Swagger2 specs.

This document provides links to specific setup instructions for each of the API sources available for discovering and importing your existing APIs into your Invicti Enterprise API Inventory. It also provides information about synchronization, editing and deleting sources, and status explanations.

PREREQUISITES:

  • Access to API Discovery in Invicti Enterprise requires either an Account Administrator role or the View API Inventory permission added to a new or existing role.
  • API Discovery in Invicti Enterprise On-Premises prerequisites:

How to set up API discovery source integrations

The following sources are available for discovering or importing API specs to your Invicti Enterprise API Inventory. Refer to the specific documentation linked below for instructions on how to set up each API source.

  • Zero Configuration Discovery:

  • Invicti Network Traffic Analyzer (NTA):

  • Amazon API Gateway:

  • Apigee API hub:

  • Azure API Management:

  • MuleSoft Anypoint Exchange:

How to sync, edit, and delete API discovery source integrations

After setting up an API source and running the initial synchronization, your retrieved API specs are loaded into your Invicti Enterprise API Inventory, which is then synced automatically every 24 hours. To disable automatic synchronization, go to APIs > Sources and click the Sync Automatically toggle next to the relevant API source.

If you need to manually sync, edit, or delete an API source, follow these steps:

  1. Select APIs > Sources from the left-side menu.

  2. Locate the API source you want to manage, then click the relevant icon on the right-hand side:
  • Sync: A manual sync of the source begins immediately.
  • Edit: Change the name or source type.
  • Delete: This removes the integration; however, any already discovered APIs remain in your API Inventory.

What do the different statuses mean?

For each external source you have set up, the Status column on the APIs > Sources page indicates the current synchronization state or whether there is a problem with the integration. The following statuses are possible:

  • Sync Completed: The most recent synchronization with the source was completed successfully. The Last Sync column displays the date and time the successful sync was completed.
  • Sync Failed: Mouse over the alert icon in the Last Sync column for information about why the last sync failed.
  • Sync in progress: This is a temporary state indicating that synchronization with the source has started but not yet completed.
  • Token Expired: This status applies only to the Invicti NTA when the registration token has expired and the NTA is attempting to send data back to the API Inventory. Registration tokens are valid for 48 hours. To resolve this issue, generate and retrieve a new registration token and update your NTA installation with the new token.
  • Offline: This status applies only to the Invicti NTA when there has been no response for some time. Check your NTA setup and its network connectivity to Invicti servers.
  • Awaiting setup: This status applies only to the Invicti NTA when it is waiting for the first heartbeat/specification sync.
  • Awaiting for sync: Indicates that the NTA has successfully registered and sent a live heartbeat. When the first APIs are discovered, the specs will be sent to the API Inventory and the status will change to Sync Completed. This status appears only after the initial setup of the NTA.

Further information

For more information about Invicti Enterprise API Security, refer to the following documentation: