API and Endpoint Analyzer (Apify Actor)

API and Endpoint Analyzer is an Apify Actor for API endpoint discovery, network request analysis, and endpoint risk scoring from a single web page URL.

It opens the page in a real browser, captures network traffic, infers API-like calls, extracts query/body parameters, and outputs one endpoint per dataset row.

Keywords: API analyzer, endpoint scanner, API discovery, web API mapping, network endpoint analysis, endpoint security signals.

Why Use This Actor

• Discover hidden or undocumented API endpoints used by modern web apps.
• Analyze endpoint behavior with HTTP methods, status codes, content types, and sample responses.
• Detect likely filter/search/pagination parameters for endpoint replay and integration work.
• Surface security-relevant signals (heuristic) such as token-like query parameters and CORS/caching risks.

Input

{
    "pageUrl": "https://www.example.com/"
}

• pageUrl (required): The page to open and analyze.

Output Dataset

The Actor writes data to the default dataset.

• One row = one unique endpoint.
• No summary rows are written to the dataset.
• All endpoint details are kept in the same row (request metadata, parameters, response previews, risk fields).

Main output view in Apify Console:

• endpoint_table (configured in .actor/dataset_schema.json)

Dataset Columns

• analysisTimestampUtc: UTC timestamp of the run.
• inputPageUrl: URL provided in Actor input.
• finalLoadedPageUrl: Final URL after redirects/challenges.
• finalPageTitle: Page title observed in browser.
• endpointUrl: Exact endpoint URL (scheme + host + path).
• endpointPathTemplate: Endpoint path normalized with placeholders (:id, :uuid, :token).
• endpointHost: Hostname serving the endpoint.
• endpointIsFirstParty: Whether endpoint host belongs to input domain family.
• endpointClassifiedAsApi: Heuristic API classification (XHR/fetch/JSON/API-like patterns).
• endpointDiscoverySources: Where endpoint was detected (network, source_code).
• endpointObservedHttpMethods: Observed HTTP methods for that endpoint.
• endpointObservedResourceTypes: Browser resource types observed for requests.
• endpointObservedHttpStatusCodes: HTTP statuses observed.
• endpointObservedResponseContentTypes: Response MIME types observed.
• endpointRequestCount: Number of captured requests for endpoint.
• endpointFailedRequestCount: Number of failed requests for endpoint.
• endpointObservedQueryParameters: Query parameter details (parameterName, sample values, filter heuristic).
• endpointObservedBodyParameters: Request body parameter details.
• endpointLikelyFilterParameterNames: Parameter names likely used for filtering/pagination/search.
• endpointSampleRequestUrls: Sample full request URLs.
• endpointSampleResponsePreviews: Sample response snippets with status/content type.
• endpointObservedSecurityHeaders: Observed headers relevant to security (CORS/cache/cookie signal).
• endpointSourceEvidence: Source-code snippets that hinted endpoint usage.
• securityRiskLevel: none | low | medium | high.
• securityRiskScore: Heuristic score in range 0-100.
• securityFindingsCount: Number of security findings for the endpoint.
• securitySensitiveDataIndicators: Signals of potential sensitive data exposure.
• securityFindings: Detailed finding objects with severity, impact, validation guidance, and suggested action.

Typical Use Cases

• API endpoint inventory for unknown websites.
• Reverse engineering frontend-to-backend data flows.
• QA regression checks after frontend deployments.
• Integration planning for data extraction pipelines.
• Security triage support for exposed endpoint patterns.

Security Notes

• Security findings are heuristic signals, not confirmed vulnerabilities.
• Validate findings manually before remediation decisions.
• Run only on domains/systems where you have authorization.