Conduct an API security audit
Learn how to systematically review discovered APIs, categorize them by security risk, and create action plans to address shadow APIs, deprecated endpoints, and other security concerns.
When APIs accumulate over time across multiple teams and projects, your organization can lose track of what's actually running in production. Shadow APIs are endpoints that were never officially documented or approved and can expose sensitive data. Deprecated endpoints that should have been retired months ago continue accepting traffic. Test APIs accidentally left running in production create security vulnerabilities. New or changed endpoints can appear from unreviewed code generated by AI coding assistants. Without a clear picture of your API attack surface, you can't properly secure it.
Fastly's API Discovery and Inventory features let you conduct systematic security audits that identify the APIs running through your services, categorize them by intent and risk level, and create action plans for addressing security concerns. In this tutorial, you'll perform a comprehensive API security audit that gives you complete visibility into your API landscape and flags potential security issues.
By the end of this tutorial, you'll have a documented security posture for your APIs, with legitimate endpoints clearly identified and concerning APIs flagged for investigation or mitigation, giving you the foundation for ongoing API security monitoring.
Prerequisites
To follow along with the tutorial, make sure you have API Discovery enabled on your service with at least 24-48 hours of collected traffic. For best results, conduct your audit while traffic continues to flow through your service.
Review discovered APIs
Before you can audit your APIs, you need to see what's actually running. API Discovery has been passively observing traffic flowing through your service, capturing every API call without requiring any configuration changes. This initial review gives you your first complete view of the API landscape, often revealing endpoints you didn't know existed or had forgotten about.
- Log in to the Fastly control panel.
- From the Home page, select the service you want to audit.
- Go to Security > API Discovery.
- Review the list of APIs that have been discovered. Note the domains, URL paths, methods, requests per second (RPS), and timestamps.
- (Optional) Click Export to download the full list as a CSV for reference. This can be helpful to share with team leads or to reference as you work through the audit offline.
As you review the discovered APIs, you'll likely recognize some immediately. These are the external-facing APIs your team actively maintains and monitors. Others might be unfamiliar or surprising. You might see deprecated v1 endpoints that should have been retired, test APIs that somehow made it to production, or shadow APIs that were never formally documented. Don't worry about categorizing everything yet. Right now, your goal is simply to understand the scope of what you're working with.
Identify and categorize expected APIs
Now that you've reviewed what's running, it's time to make deliberate decisions about each API. Think of this as conducting triage: as you work through each discovered API, you'll decide whether to add it to inventory for monitoring, ignore it, or flag it for mitigation. Compare the discovered APIs against your official API documentation or internal records.
Establish a tagging strategy
Before you start categorizing your APIs, establish a tagging strategy that will help you organize and filter your inventory effectively. Tags are labels you can apply to APIs to group them by security concern, team ownership, functional area, or any criteria that suits your audit. Each tag can have a description that explains its purpose.
Consider the kinds of categories that will be most useful for your audit. Common tagging approaches for security audits include:
- Security status - Track API security posture (e.g., "Needs Investigation", "Security Risk", "Approved")
- Team ownership - Identify responsible teams for follow-up (e.g., "Platform Team", "Payments Team")
- Action items - Flag APIs requiring specific actions (e.g., "To Be Deprecated", "Needs Documentation")
You can create tags as you need them during the audit, or set up core tags in advance. To create a tag:
- Navigate to Security > API Discovery in the Fastly control panel.
- Click the Tags tab.
- Click Create tag.
- In the Name field, enter a descriptive name for the tag you're creating.
- In the Description field, enter a description of the tag you're creating.
- Click Create.
For more details about tags, see managing inventory tags.
Add legitimate APIs to inventory
You can inventory APIs you want to actively monitor. These are your legitimate production endpoints that should be documented, tracked, and included in your ongoing security posture. When you inventory an API, you're saying "this is supposed to be here, and I want to know if anything about it changes."
For APIs you want to actively monitor:
- Navigate to Security > API Discovery in the Fastly control panel.
- Click the Discovery tab.
- Do one of the following to add APIs to inventory:
- Add a single API by selecting Add to inventory from the menu to the right of the API you want to monitor.
- Add multiple APIs by clicking the checkbox to the left of the discovered APIs and then clicking Add to inventory.
- Click the Inventory tab.
- Find the API you just added and click View. The Operation details page appears.
- Click Edit operation.
- In the Description field, explain what the API does.
- From the Tag field, select or enter the appropriate tags to apply to this API.
- Click Save.
- Repeat the edit process for each API you added to inventory.
Ignore low-priority APIs
You can ignore APIs you recognize but don't need to track closely. Some endpoints don't warrant the overhead of active monitoring even though they're legitimate. For example, high-frequency health checks that get pinged every second would clutter your inventory without adding security value. Deprecated APIs that can't be fully removed due to backward compatibility requirements are known quantities that don't need investigation. Development or staging APIs that aren't ready for formal security review can be ignored until they're production-ready. When you ignore an API, you're saying "I know what this is, and I'm making a deliberate choice not to monitor it closely."
For APIs you recognize but don't need to track:
- Navigate to Security > API Discovery in the Fastly control panel.
- Click the Discovery tab.
- Review the list of discovered APIs.
- Select Ignore operation from the menu to the right of the API you want to ignore.
You can always move ignored APIs to your inventory later if your monitoring needs change.
Flag unexpected or concerning APIs
Not every API you discover will be expected or legitimate. This is where security audits prove their value by identifying the shadow APIs, test endpoints, and deprecated services that shouldn't be running but are.
As you review your discovered APIs, flag anything that raises security concerns. APIs that don't appear in your official documentation are immediate red flags. Deprecated endpoints that were supposed to be retired months ago but are still receiving traffic need investigation. Test or staging APIs accidentally left running in production create vulnerabilities. Unknown endpoints with no clear purpose or ownership warrant scrutiny.
For any APIs that aren't in your official documentation or that raise security concerns:
- Navigate to Security > API Discovery in the Fastly control panel.
- Click the Discovery tab.
- Select Add to inventory from the menu to the right of the suspicious API.
- Click the Inventory tab.
- Find the API you just added and click View to the right of the API. The Operation details page appears.
- Click Edit operation.
- From the Tag field, select or enter a tag such as "Needs Investigation" to classify the security concern.
- In the Description field, document why this API is concerning. For example, "Deprecated v1 endpoint - should be blocked", "Test API found in production environment", or "Unknown endpoint - no documentation exists".
- Click Save.
IMPORTANT: Flagging an API for mitigation doesn't block traffic to it. This audit process identifies security concerns, but you'll need to take additional action (such as configuring WAF rules) to actually block or restrict access to problematic endpoints.
The descriptions and tags you add make it easier for security teams to understand the issue and take action, and ensure the right people can filter and find these problematic APIs for investigation.
Generate your audit report
Once you've categorized your APIs, you have a complete picture of your API security posture. Now it's time to document that picture in a format you can share with security teams, management, or use for ongoing monitoring. The inventory you've built becomes your audit report, showing both your approved API surface and the security concerns that need attention.
Exporting your inventory creates a snapshot of your current API landscape at this moment in time. This CSV file includes all the context you've added during the audit: which APIs are in inventory, which need investigation, the notes explaining security concerns, and the tags organizing everything. You can share this with stakeholders, import it into other security tools, or keep it as a baseline for comparing future audits.
To generate your audit report:
- Navigate to Security > API Discovery in the Fastly control panel.
- Click the Inventory tab.
- (Optional) Use the Tag filter to view specific categories. For example, filter by "Needs Investigation" to see only security concerns, or view all tags to see your complete API surface.
- Click Export to download your complete inventory as a CSV file.
The exported report includes domains, paths, methods, descriptions, tags, and all the documentation you added during your audit. You now have a comprehensive record of your API security audit that you can reference, share, and use as a baseline for future reviews.
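Both the triage step (comparing discovered APIs against your official documentation) and the baseline comparison between audits can be scripted from the exported CSV. The following Python is an added example, not code from this page or from Fastly; the CSV column names, the sample rows, and the documented-endpoint list are constructed assumptions for illustration.

```python
import csv
import io

# Constructed sample of a Discovery export. The column names are an assumption
# for this example, not Fastly's documented CSV layout.
DISCOVERY_CSV = """domain,path,method,rps,last_seen
api.example.com,/v2/orders,GET,12.4,2024-05-01T10:00:00Z
api.example.com,/v2/orders,POST,3.1,2024-05-01T10:00:00Z
api.example.com,/v1/orders,GET,0.2,2024-05-01T09:58:00Z
api.example.com,/qa/test-upload,POST,0.01,2024-04-30T22:10:00Z
api.example.com,/health,GET,60.0,2024-05-01T10:00:00Z
"""

# Constructed list of officially documented operations (domain, path, method).
DOCUMENTED = {
    ("api.example.com", "/v2/orders", "GET"),
    ("api.example.com", "/v2/orders", "POST"),
    ("api.example.com", "/health", "GET"),
}
IGNORE_PATHS = {"/health"}          # legitimate but not worth monitoring
DEPRECATED_PREFIXES = ("/v1/",)     # API versions that should be retired


def op_key(row):
    """Identify an operation the way the inventory does: domain + path + method."""
    return (row["domain"], row["path"], row["method"])


def triage(csv_text, documented=DOCUMENTED, ignore=IGNORE_PATHS,
           deprecated=DEPRECATED_PREFIXES):
    """Map each discovered operation to the audit tag it should receive."""
    tags = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = op_key(row)
        if row["path"] in ignore:
            tags[key] = "Ignored"
        elif key in documented:
            tags[key] = "Approved"
        elif row["path"].startswith(deprecated):
            tags[key] = "To Be Deprecated"
        else:
            tags[key] = "Needs Investigation"   # shadow, test or unknown API
    return tags


def diff_against_baseline(baseline_csv, current_csv):
    """Compare two exports: operations that appeared, and ones that went away."""
    base = {op_key(r) for r in csv.DictReader(io.StringIO(baseline_csv))}
    cur = {op_key(r) for r in csv.DictReader(io.StringIO(current_csv))}
    return {"new": sorted(cur - base), "retired": sorted(base - cur)}
```

Run `triage` on a fresh export to get a first-pass tag for every operation, then `diff_against_baseline` against the previous audit's export to see which operations are new and which have actually been retired.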
Create your action plan
Your audit has identified security concerns and documented your legitimate API surface, but the real work begins now. An audit without follow-through is just documentation. The APIs you've flagged for mitigation require deliberate action, and your inventoried APIs need ongoing monitoring to ensure they remain secure.
Start with your APIs flagged for mitigation. For each one, you need to make a decision: block it, deprecate it gracefully, or officially document it and move it to your monitored inventory. APIs that are truly security risks should be blocked through WAF rules or other access controls. APIs that are legitimate but undocumented might need to be formally approved and added to your inventory for ongoing monitoring. Deprecated endpoints might need a removal timeline with clear communication to any teams or clients still using them.
Your inventoried APIs need attention too. Just because an API is in your inventory doesn't mean it's properly secured. Review your inventoried endpoints to ensure they have appropriate authentication, rate limiting, and other security controls in place. Look for gaps in coverage where security policies might be inconsistent.
Finally, make this audit process repeatable. API landscapes change constantly. New endpoints get deployed, deprecated APIs linger longer than planned, and shadow APIs appear as teams build without coordination. Schedule regular audits (monthly or quarterly depending on your release velocity) to review new discoveries in API Discovery. Check your inventory periodically to update descriptions, verify team ownership is still accurate, and confirm deprecated APIs have actually been retired.
Your action items:
- For APIs flagged for mitigation, work with the relevant teams to determine whether each API should be blocked, deprecated with a timeline, or officially documented and added to inventory for monitoring.
- For inventoried APIs, verify they all have proper security controls in place such as authentication, rate limiting, and access policies.
- Set up recurring audits by scheduling time (monthly or quarterly) to review new APIs in Discovery and validate your inventory remains current.
What's next
- Continue monitoring the discovered APIs to catch new APIs as they're being called through your service.
- Review your inventory regularly to keep your documentation current.
- Regularly review your service's Event log to track API Inventory changes.