Setting up an API target

Last updated: January 23, 2026

Setting up Astra’s Vulnerability Scanner for API testing involves a streamlined configuration process that allows the scanner to thoroughly assess your API endpoints. This guide will walk you through each step, from entering the base URL to uploading definition files, ensuring you set up the scanner effectively for your API's security assessment.


Access the Scanner Setup

  1. To begin, navigate to the Targets page and click on the Setup Target button.

You will be directed to the target setup wizard, where you can update and configure the API target.

Breakdown of each step

1. Get Started


Begin by providing fundamental details about your application:

  • Application Name: Enter the display name for your API. This helps you easily identify your API target in the dashboard.

  • Base URL: Enter the root URL of your API. This is the main endpoint from which all other API paths extend. Be sure to provide the correct protocol (http:// or https://) along with the full domain name. Setting the Base URL helps the scanner focus on your API’s root endpoint and its linked resources.

Example: https://api.example.com/

2. API Details


In this step, you’ll choose how you want to share your API details with Astra. This helps us understand your API structure and build an inventory of endpoints for scanning.

You can choose one of the following options:

  • OpenAPI Spec File
    Please upload your exported OpenAPI specification file. This allows Astra to classify risks more effectively based on your documented API endpoints.

  • Inventory Import (using Postman Collection)
    Please upload a Postman Collection file. This will be used to build an inventory of your API endpoints, which can then be used to run DAST scans.

  • Install Traffic Collector
    Connect a Traffic Collector to automatically discover endpoints from your live API traffic. See: Setting up Astra Traffic Collector

Once you’ve selected the preferred method, proceed to the next step (Definition Files) to upload the required file or configure the collector.

3. Definition Files


In this step, you’ll need to upload the definition files for your API. These files are vital in helping the scanner understand the structure and behavior of your API, ensuring a thorough and comprehensive security test.

  • Postman Collection: Drag and drop your Postman Collection file into the provided field. This file will outline the specific requests, endpoints, and workflows your API uses.

  • Postman Environments: If applicable, upload your Postman Environment files. These files help configure the testing environment, whether it’s for development, staging, or production.

  • OpenAPI Document (Optional): You can also upload an OpenAPI specification file. This document provides a detailed map of your API’s endpoints, making the testing process even more precise and effective.
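To make concrete what the "inventory of endpoints" built from the API Details and Definition Files steps looks like, here is an added example (written for this page, not Astra's own code) that walks a minimal OpenAPI 3 document and a Postman Collection, resolves `{{variable}}` references from a Postman Environment file, and merges both into one de-duplicated list of method and URL pairs. All three inputs are constructed sample data for a hypothetical API; the function names are this example's own. It also shows why the Postman Environment upload matters: without it, any `{{baseUrl}}` placeholder stays unresolved and the corresponding endpoints cannot be reached.

```python
import re

# Constructed sample OpenAPI 3 document for a hypothetical API
# (illustrative data, not taken from the original page).
OPENAPI_DOC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "delete": {}},
        "/health": {"get": {}},
    },
}

# Constructed sample Postman Collection (v2.1 layout) with a nested folder
# and a {{baseUrl}} variable that only an environment file can resolve.
POSTMAN_COLLECTION = {
    "info": {"name": "Example API"},
    "item": [
        {"name": "List orders",
         "request": {"method": "GET", "url": {"raw": "{{baseUrl}}/orders"}}},
        {"name": "Admin", "item": [
            {"name": "Reset",
             "request": {"method": "POST", "url": {"raw": "{{baseUrl}}/admin/reset"}}},
        ]},
    ],
}

# Constructed sample Postman Environment file supplying baseUrl.
POSTMAN_ENV = {
    "values": [{"key": "baseUrl", "value": "https://api.example.com/v1", "enabled": True}]
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def inventory_from_openapi(doc):
    """Return (METHOD, absolute URL) pairs for every operation in an OpenAPI document."""
    servers = doc.get("servers") or [{"url": ""}]
    base = servers[0]["url"].rstrip("/")
    endpoints = []
    for path, operations in doc.get("paths", {}).items():
        for method in operations:
            if method.lower() in HTTP_METHODS:  # skip 'parameters', 'summary', etc.
                endpoints.append((method.upper(), base + path))
    return endpoints


def resolve_postman_vars(raw_url, env):
    """Substitute {{name}} placeholders from an environment; unknown names stay as-is."""
    lookup = {v["key"]: v["value"] for v in env.get("values", []) if v.get("enabled", True)}
    return re.sub(r"\{\{(\w+)\}\}", lambda m: lookup.get(m.group(1), m.group(0)), raw_url)


def inventory_from_postman(collection, env):
    """Walk a Postman collection (folders recurse) and collect (METHOD, URL) pairs."""
    endpoints = []

    def walk(items):
        for item in items:
            if "item" in item:                      # folder: recurse into children
                walk(item["item"])
            elif "request" in item:                 # leaf request
                request = item["request"]
                url = request["url"]
                raw = url["raw"] if isinstance(url, dict) else url
                endpoints.append((request["method"].upper(), resolve_postman_vars(raw, env)))

    walk(collection.get("item", []))
    return endpoints


def build_inventory(openapi_doc, collection, env):
    """Merge both sources into a de-duplicated, sorted endpoint inventory."""
    merged = set(inventory_from_openapi(openapi_doc)) | set(inventory_from_postman(collection, env))
    return sorted(merged)


def unresolved_entries(inventory):
    """Endpoints still containing {{...}}: a sign the environment file was not uploaded."""
    return [ep for ep in inventory if "{{" in ep[1]]


if __name__ == "__main__":
    for method, url in build_inventory(OPENAPI_DOC, POSTMAN_COLLECTION, POSTMAN_ENV):
        print(f"{method:7} {url}")
    print("unresolved without env file:",
          unresolved_entries(inventory_from_postman(POSTMAN_COLLECTION, {})))
```

Running the script lists seven unique endpoints. Calling `inventory_from_postman` with an empty environment instead leaves both Postman entries as `{{baseUrl}}/...`, which is the situation a missing environment upload produces; checking `unresolved_entries` on your own collection before uploading is a quick way to confirm that every variable it uses is covered by the environment file.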

4. API Auth

In this step, you configure the authentication the scanner uses to reach your API.

📄 How to setup Authentication in API targets


Don’t see a matching authentication option?

If the required authentication method is not available in the drop-down list, you can configure authentication using a Custom Script instead.


5. Advanced Settings


The Advanced Settings section allows you to fine-tune how the scanner interacts with your APIs. These options are particularly useful for environments where additional control is required for authentication, routing, or selective scanning.

1. Extra HTTP Headers

You can configure custom HTTP headers that will be attached to every request made by the scanner. This ensures compatibility with infrastructures or services that require additional headers beyond standard authentication.

  • Configuration Fields:

    • HeaderName – The name of the HTTP header.

    • HeaderValue – The value to be set for the header.

  • Use Cases:

    • Cloud API Gateways (e.g., AWS API Gateway, Apigee, Kong, Azure API Gateway): Some gateways require additional headers for routing or tenant identification (e.g., x-api-key, x-tenant-id).

    • WAF/Firewall Bypass Headers: Certain environments enforce security controls via headers (e.g., x-forwarded-for, x-correlation-id) that must be present.

    • Custom Auth Schemes: Some internal services use non-standard header-based authentication (e.g., x-internal-token).

2. URL Exclusion Regex

You can provide regular expressions (regex patterns) that define which URLs the scanner should not scan. This avoids unnecessary load and keeps the scanner away from sensitive or irrelevant endpoints.

  • Use Cases:

    • Health/Readiness Probes: Exclude URLs such as /health, /status, or /metrics that are not meaningful for security scanning.

    • Static Asset Endpoints: Prevent scanning of endpoints serving images, JavaScript, or CSS (e.g., /assets/.*\.(png|jpg|css|js)$).

    • Sensitive Admin Paths: Skip admin consoles or management APIs that should not be scanned in automated mode.
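The following is an added example (not Astra's code) showing how an exclusion list is applied to an endpoint inventory and, more importantly, why anchoring matters: an unanchored pattern such as `/admin` also removes any endpoint whose URL merely contains that substring, silently shrinking the scan scope. The URLs and both pattern sets are constructed sample data for a hypothetical API, and the example assumes each regex is matched anywhere in the full URL (Python `re.search` semantics); confirm whether the scanner matches against the full URL or only the path and adjust your anchors accordingly.

```python
import re

# Constructed sample endpoint inventory for a hypothetical API (illustrative only).
SAMPLE_URLS = [
    "https://api.example.com/v1/users",
    "https://api.example.com/v1/orders/status",
    "https://api.example.com/health",
    "https://api.example.com/metrics",
    "https://api.example.com/assets/logo.png",
    "https://api.example.com/assets/app.js",
    "https://api.example.com/admin/users",
    "https://api.example.com/v1/admin-report",
]

# Unanchored patterns: easy to write, but '/admin' also matches '/v1/admin-report',
# so a business endpoint drops out of the scan unnoticed.
LOOSE_PATTERNS = [r"/health", r"/metrics", r"/assets/.*\.(png|jpg|css|js)$", r"/admin"]

# Anchored patterns: exclude exactly the probes, the static assets and the admin console.
STRICT_PATTERNS = [
    r"^https://api\.example\.com/(health|metrics)$",
    r"/assets/.*\.(png|jpg|css|js)$",
    r"^https://api\.example\.com/admin/",
]


def validate_patterns(patterns):
    """Return (pattern, error message) for every pattern that does not compile."""
    errors = []
    for pattern in patterns:
        try:
            re.compile(pattern)
        except re.error as exc:
            errors.append((pattern, str(exc)))
    return errors


def is_excluded(url, patterns):
    """True if any exclusion regex matches anywhere in the URL (re.search semantics)."""
    return any(re.search(pattern, url) for pattern in patterns)


def partition(urls, patterns):
    """Split an inventory into (to_scan, excluded) according to the exclusion list."""
    bad = validate_patterns(patterns)
    if bad:
        raise ValueError(f"invalid exclusion regex: {bad}")
    to_scan = [u for u in urls if not is_excluded(u, patterns)]
    excluded = [u for u in urls if is_excluded(u, patterns)]
    return to_scan, excluded


if __name__ == "__main__":
    for label, patterns in (("loose", LOOSE_PATTERNS), ("strict", STRICT_PATTERNS)):
        to_scan, excluded = partition(SAMPLE_URLS, patterns)
        print(f"{label}: scanning {len(to_scan)}, excluding {len(excluded)}")
        for url in to_scan:
            print("   scan", url)
```

With the loose list only two of the eight URLs remain in scope, because `/admin` also swallows `/v1/admin-report`; the anchored list keeps that endpoint while still excluding the probes, the static assets and the admin console. Reviewing the "excluded" half of the partition before you start a scan is the cheapest way to catch an over-broad pattern.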

7. Additional Notes

Use this section to provide any extra information that might affect the scanning process or our security engineers' focus, including:

  • Special authentication methods or tokens required for access.

  • Rate limiting or throttling details that might affect the number of requests.

  • Specific endpoints that should be prioritized or avoided during the scan.

  • Any known quirks or configurations unique to your API.

8. Complete Setup

After completing the above steps, review your entries and click Complete setup to finalize the API target configuration. Once saved, you can initiate the scan to begin testing your API for vulnerabilities.

For any questions or assistance with the setup process, feel free to reach out to our support team by raising a ticket.