API Endpoint Discovery
Last updated:
Parses all JavaScript on any webpage to extract API endpoints, WebSocket URLs, hardcoded tokens, fetch/XHR calls, form actions, storage keys, cookies, and postMessage origins. Separates 1st-party from 3rd-party APIs, categorizes endpoints (auth, admin, payment, upload), detects frameworks, and filters out documentation URLs. Finds what developers left in client-side code.
Drag to your bookmarks bar:
🔌 Discover APIsRuns on any website — all processing in your browser.
Install the bookmarklet, then use it on any website
API Endpoint Discovery v2
Modern web applications embed API routes, internal paths, and sometimes secrets directly in client-side JavaScript. This tool systematically extracts these from all loaded scripts, revealing the application's hidden attack surface. Unlike basic regex scanners, v2 separates first-party from third-party endpoints, detects HTTP methods from fetch/axios/XHR call patterns, categorizes endpoints by function (auth, admin, payment, upload, webhook), and filters out documentation and CDN URLs that aren't actual API calls.
What It Finds
REST endpoints, GraphQL endpoints, WebSocket URLs, explicit fetch/XHR/axios calls with HTTP methods, form actions, postMessage origins, hardcoded tokens and API keys (Stripe, Google, GitHub, AWS, Slack, SendGrid, OpenAI, Mailgun), cookies, localStorage/sessionStorage keys, and framework detection (React, Vue, Angular, Next.js, Nuxt, jQuery, Svelte, and more). Each endpoint is categorized and annotated with detected methods and parameters.
1st Party vs 3rd Party Separation
Endpoints are classified as first-party (same domain/subdomain) or third-party (external APIs). This eliminates the noise of documentation links (docs.microsoft.com, stackoverflow.com, MDN) appearing as discovered APIs — a common false positive in simpler tools.
- Content Discovery
- Finding hidden or undocumented endpoints. Commercial tools like Burp Suite Pro charge $449/yr for this capability.
🔌 API Endpoint Discovery — FAQ
Can it read third-party scripts?
Only same-origin scripts can be fetched and parsed due to the browser's same-origin policy. However, the tool still detects third-party API URLs referenced in first-party code, and separates them into a dedicated 3rd Party tab.
Why did the old version show documentation URLs as APIs?
The v1 bookmarklet had no origin awareness — it treated every URL with /api/ in the path as an endpoint, including links to MDN docs, Microsoft docs, and Python docs. v2 filters these out using a documentation URL blocklist and separates genuine API calls from reference links.
Does it test the endpoints?
No — it only discovers them. Testing requires manual verification or active scanning tools.
Will it find all API endpoints?
It finds endpoints hardcoded in client-side JavaScript. Server-side-only routes and dynamically generated paths won't appear.
Is finding tokens always a security issue?
Publishable keys (like Stripe pk_live) are designed to be client-side. Secret keys (sk_live, AWS keys) in client code are critical vulnerabilities.
Can I use this for bug bounties?
Yes — discovering undocumented endpoints is a common bug bounty technique. Always follow the program's rules of engagement.