# API & Endpoint Discovery (`lofomachines/api-endpoint-discovery`) Actor Discover, test, and fingerprint all API endpoints from any website. Supports bulk input, OpenAPI/Swagger parsing, GraphQL introspection, and deep auth/CORS/rate-limit detection. Use as a Claude MCP tool via Apify. - **URL**: https://apify.com/lofomachines/api-endpoint-discovery.md - **Developed by:** [Lofomachines](https://apify.com/lofomachines) (community) - **Categories:** Agents, Developer tools, MCP servers - **Stats:** 3 total users, 2 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $2.70 / 1,000 results This Actor is paid per event and usage. You are charged both the fixed price for specific events and for Apify platform usage. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ### What does API & Endpoint Discovery do? **API & Endpoint Discovery** scans any website and surfaces every API endpoint it exposes — then tests and fingerprints each one so you know exactly what you're working with. Point it at a URL and get back a structured list of REST endpoints, GraphQL queries, WebSocket connections, and authentication requirements within minutes. Built specifically for use as a **Claude AI tool via [Apify MCP](https://mcp.apify.com/)**, so Claude can discover and analyze APIs mid-conversation. Also runs as a standalone Apify Actor with full dataset output downloadable as JSON, CSV, or Excel. ### Why use API & Endpoint Discovery? - **AI agent tool augmentation** — give Claude real-time API discovery capabilities; ask _"what APIs does stripe.com expose?"_ and get a structured answer - **API integration research** — before integrating with a third-party service, map all their endpoints and authentication requirements automatically - **Security auditing** — discover undocumented or shadow APIs, detect open CORS policies, identify unauthenticated endpoints - **API documentation** — automatically generate an endpoint inventory for any website, including those without published docs - **Competitive analysis** — understand what APIs a competitor's product uses ### How to use as a Claude MCP tool **This actor is designed to work as a tool inside Claude.** Claude can call it mid-conversation to discover and analyze any website's APIs in real time. #### Setup (5 minutes) 1. [Create a free Apify account](https://apify.com) and copy your API token from **Settings → Integrations** 2. Install [Claude Desktop](https://claude.ai/download) 3. Add the Apify MCP server to your Claude config file: - **Mac:** `~/Library/Application Support/Claude/claude_desktop_config.json` - **Windows:** `%APPDATA%\Claude\claude_desktop_config.json` ```json { "mcpServers": { "apify": { "command": "npx", "args": ["-y", "@apify/mcp-server"], "env": { "APIFY_TOKEN": "your-apify-token-here" } } } } ```` 4. Restart Claude Desktop 5. Ask Claude: > *"Use the API endpoint discovery actor on https://jsonplaceholder.typicode.com and tell me what endpoints are available, which ones require auth, and what their response schemas look like."* Claude will call this actor, wait for results, and return a structured summary of every discovered API endpoint — including authentication requirements, CORS policy, rate limiting, and sample response schemas. #### Example Claude conversation **You:** What APIs does `https://petstore.swagger.io` expose? **Claude:** I'll use the API Endpoint Discovery actor to scan petstore.swagger.io... *(runs actor)* **Claude:** I found 20 endpoints across 3 resource groups: - **`/pet`** — GET (public, returns array of Pet objects), POST (requires Bearer auth) - **`/pet/{petId}`** — GET (public), PUT (requires auth), DELETE (requires auth) - **`/store/inventory`** — GET (public, returns stock counts) - **`/user/login`** — GET (public, returns auth token) ... ### How to use as a standalone Apify Actor 1. [Create a free Apify account](https://apify.com) 2. Go to **Apify Store → API & Endpoint Discovery** 3. Click **Try for free** 4. Add your target URLs in the **Start URLs** field 5. Click **Start** and wait for the run to finish (typically 1–5 minutes for 10 sites) 6. Download results from the **Output** tab as JSON, CSV, or Excel ### Input | Field | Type | Default | Description | | ----------------------------- | ------- | -------- | ------------------------------------------------------------- | | Start URLs | array | required | Websites to analyze (up to 50) | | Max Endpoints per Site | integer | 200 | Cap on endpoints probed per site | | HTTP Methods to Probe | array | all | Methods to test: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD | | Include Static Analysis | boolean | true | Scan JS bundles and well-known paths for additional routes | | Include GraphQL Introspection | boolean | true | Run GraphQL introspection if /graphql endpoint found | | Proxy Configuration | object | none | Apify proxy settings for bypassing anti-bot protection | ### Output One record per discovered endpoint: ```json { "sourceUrl": "https://jsonplaceholder.typicode.com", "endpoint": "https://jsonplaceholder.typicode.com/posts", "path": "/posts", "discoveredBy": ["networkInterception", "staticAnalysis"], "apiType": "REST", "methods": { "GET": { "status": 200, "responseTimeMs": 312, "contentType": "application/json", "requiresAuth": false, "sampleSchema": ["userId", "id", "title", "body"] }, "POST": { "status": 201, "responseTimeMs": 198, "requiresAuth": false }, "OPTIONS": { "status": 200, "cors": { "allowedOrigins": "*", "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"] } } }, "tags": ["public", "json", "cors-open"] } ``` You can download the dataset in various formats such as JSON, HTML, CSV, or Excel. ### Data fields | Field | Description | | -------------- | -------------------------------------------------------------------------------------------------------------------------------- | | `sourceUrl` | The input website URL this endpoint was found on | | `endpoint` | Full URL of the discovered endpoint | | `path` | URL path only | | `discoveredBy` | How it was found: `networkInterception`, `staticAnalysis`, `openApiSpec`, `graphqlIntrospection`, `wellKnownPath` | | `apiType` | `REST`, `GraphQL`, `WebSocket`, or `unknown` | | `methods` | Per-method results: status, response time, content-type, auth info, CORS, sample schema | | `rateLimit` | Rate limit headers detected, if any | | `tags` | Auto-generated labels: `requires-auth`, `public`, `json`, `graphql`, `cors-open`, `cors-restricted`, `rate-limited`, `versioned` | ### How the discovery works The actor runs a **3-phase pipeline** per website: 1. **Live browser interception (Playwright)** — loads the page in a real Chromium browser, intercepts every XHR/fetch/WebSocket request, and captures all JS bundle URLs 2. **Static analysis** — scans JS bundles for API path patterns, probes well-known paths (`/openapi.json`, `/swagger.json`, `/graphql`, `/.well-known/`), and parses any OpenAPI/Swagger specs it finds 3. **Deep fingerprinting** — probes each discovered endpoint with all configured HTTP methods, detecting auth requirements, CORS policy, rate limiting, API type (REST/GraphQL), and extracting a sample response schema ### Cost estimation Running API & Endpoint Discovery on 10 websites typically consumes **0.5–2 Compute Units** depending on site complexity. The [Apify Free tier](https://apify.com/pricing) includes enough free credits to analyze dozens of sites per month at no cost. | Sites | Estimated CUs | Approximate cost | | -------- | ------------- | ---------------- | | 1 site | 0.05–0.2 | Free tier | | 10 sites | 0.5–2 | Free tier | | 50 sites | 2.5–10 | ~$0.50–$2.00 | ### Tips - **OpenAPI/Swagger sites**: if a site publishes `/openapi.json` or `/swagger.json`, the actor extracts all declared routes instantly — results in seconds - **Reduce cost on large sites**: lower *Max Endpoints per Site* to 50 if you only need a quick overview - **GraphQL APIs**: enable *Include GraphQL Introspection* for a full schema of all queries and mutations - **Anti-bot sites**: enable Apify Proxy to rotate IPs and avoid rate limiting during probing - **Claude integration**: ask Claude to filter or compare results — e.g. *"which of these endpoints don't require auth and return JSON?"* ### FAQ **Is this legal?** This actor sends standard HTTP requests that any browser would make. It does not bypass authentication, exploit vulnerabilities, access private data, or perform denial-of-service attacks. Always respect a site's Terms of Service and `robots.txt`. Do not use this tool against systems you do not own or have explicit permission to test. **What if GraphQL introspection is blocked?** Endpoints that block introspection are recorded with `graphqlIntrospectionBlocked: true` — the endpoint is still discovered and fingerprinted for all other signals. **Can it handle SPAs and JavaScript-heavy sites?** Yes — Phase 1 uses a real Chromium browser that executes JavaScript, so it captures API calls from React, Vue, Angular, and other SPA frameworks. **What's the difference between `discoveredBy` values?** - `networkInterception` — the endpoint was actually called by the page during Playwright's browser session - `staticAnalysis` — found by regex-scanning JS bundle source code - `openApiSpec` — declared in an OpenAPI/Swagger spec found on the site - `wellKnownPath` — found by probing standard paths like `/graphql`, `/robots.txt` **Need a custom solution?** [Contact Apify](https://apify.com/contact) for custom API monitoring, bulk analysis pipelines, or enterprise integrations. Found a bug or have a feature request? Open an issue in the [Issues tab](../../issues). # Actor input Schema ## `startUrls` (type: `array`): Websites to scan for API endpoints. Supports up to 50 URLs. ## `maxEndpointsPerSite` (type: `integer`): Maximum number of unique endpoints to probe per website. ## `includeStaticAnalysis` (type: `boolean`): Scan JavaScript bundles and well-known paths for additional API routes. ## `includeGraphQL` (type: `boolean`): Run GraphQL introspection query if a /graphql endpoint is found. ## `proxyConfiguration` (type: `object`): Proxy settings for bypassing anti-bot protection. ## Actor input object example ```json { "startUrls": [ { "url": "https://jsonplaceholder.typicode.com" } ], "maxEndpointsPerSite": 200, "includeStaticAnalysis": true, "includeGraphQL": true, "proxyConfiguration": { "useApifyProxy": false } } ``` # Actor output Schema ## `endpoints` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "startUrls": [ { "url": "https://jsonplaceholder.typicode.com" } ] }; // Run the Actor and wait for it to finish const run = await client.actor("lofomachines/api-endpoint-discovery").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "startUrls": [{ "url": "https://jsonplaceholder.typicode.com" }] } # Run the Actor and wait for it to finish run = client.actor("lofomachines/api-endpoint-discovery").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "startUrls": [ { "url": "https://jsonplaceholder.typicode.com" } ] }' | apify call lofomachines/api-endpoint-discovery --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=lofomachines/api-endpoint-discovery", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "API & Endpoint Discovery", "description": "Discover, test, and fingerprint all API endpoints from any website. Supports bulk input, OpenAPI/Swagger parsing, GraphQL introspection, and deep auth/CORS/rate-limit detection. Use as a Claude MCP tool via Apify.", "version": "1.0", "x-build-id": "XmNdDwNT4YZqaufBU" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/lofomachines~api-endpoint-discovery/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-lofomachines-api-endpoint-discovery", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/lofomachines~api-endpoint-discovery/runs": { "post": { "operationId": "runs-sync-lofomachines-api-endpoint-discovery", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/lofomachines~api-endpoint-discovery/run-sync": { "post": { "operationId": "run-sync-lofomachines-api-endpoint-discovery", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "startUrls" ], "properties": { "startUrls": { "title": "Start URLs", "type": "array", "description": "Websites to scan for API endpoints. Supports up to 50 URLs.", "items": { "type": "object", "required": [ "url" ], "properties": { "url": { "type": "string", "title": "URL of a web page", "format": "uri" } } } }, "maxEndpointsPerSite": { "title": "Max Endpoints per Site", "minimum": 1, "maximum": 1000, "type": "integer", "description": "Maximum number of unique endpoints to probe per website.", "default": 200 }, "includeStaticAnalysis": { "title": "Include Static Analysis", "type": "boolean", "description": "Scan JavaScript bundles and well-known paths for additional API routes.", "default": true }, "includeGraphQL": { "title": "Include GraphQL Introspection", "type": "boolean", "description": "Run GraphQL introspection query if a /graphql endpoint is found.", "default": true }, "proxyConfiguration": { "title": "Proxy Configuration", "type": "object", "description": "Proxy settings for bypassing anti-bot protection.", "default": { "useApifyProxy": false } } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```