Application and API onboarding

Overview

API onboarding is a crucial step in managing and securing your API ecosystem. Using OpenAPI specifications, you can efficiently onboard applications while ensuring consistency, documentation, and security compliance. This section provides guidance on how to onboard applications and APIs using OpenAPI specs, making the process structured and repeatable.

What You'll Learn

• How to onboard an application using an OpenAPI spec
• Steps to ensure API specifications are properly defined
• Best practices for integrating API security during onboarding

Getting Started with API Onboarding

Understanding OpenAPI Specifications

An OpenAPI Specification (OAS) provides a standardized format to describe your API, enabling:

• Automated API documentation
• Consistent API definitions across teams
• Simplified integration with security and testing tools

tip

Validate your OpenAPI spec using tools like Swagger Editor to catch errors before onboarding.

If your API already has an OpenAPI spec (.json or .yaml), you can use it for a streamlined onboarding process.

Access the API Onboarding Section

• Navigate to the API Management dashboard.
• Click "New Application" to begin onboarding.

Select the OpenAPI Specification Method

• Choose "Onboard using OpenAPI Spec" from the available options.
• Click on the "Next" button.

Enter Application Details

• Provide an application name.

• Click on "Browse Files" and Upload the API’s OpenAPI file

• After uploadint the document, click on the "Continue" button.

  

Review and Confirm

• Validate that the Instance and click on "Onboard" button.

  

Complete the Onboarding Process

• Finalize the onboarding and view your API in the dashboard.

  

Once your API is onboarded, you can:

• Test API security to identify vulnerabilities
• Enable monitoring to track API usage and performance
• Integrate with API gateways for traffic management and security enforcement

In application details page, you can find the application name, reachability status, scan status, and the Instance URL of your application"

Update Application Name

• Click the Pencil icon next to the application name to edit and update it.

note

Users with View permissions cannot update shared application name

Add/update instance name

• Click the Pencil icon next to Add instance name to edit and update it.

note

Users with View permissions cannot add/update instance name in shared application

Edit instance URL

• Click the Pencil icon next to Instance URL to edit and update it.

• Now you will see, Edit Instance URL form. In that form you can edit the instance URL, add headers specific to the instance and click on "Test Reachability" button to initiate the reachability testing

• After reachability test, you can observe the instance url changes in the screen along with the reachability status.

note

Users with View permissions cannot Edit instance URL in shared application

Adding instance URL

• Click the Plus (+) icon next to Instance URL to Add new instance url.

• In the Form, enter Instance URl, instance name which is optional and click on the "Add" button.

  

• After that you can observe the newly added instance url in the screen along with its reachability status.

  

  note

  Users with View permissions cannot add instance URL in shared application

Delete Instance

• Click the "delete" icon next to Instance URL to delete the instance url.

note

Users with View permissions cannot delete instance in shared application

Endpoints

The Endpoints tab, helps you explore the full composition of your application, giving you clarity on every API endpoint in use. Instantly identify where sensitive data is being handled, monitor authentication coverage, and detect unauthenticated or high-risk endpoints.

With interactive dashboards and detailed endpoint reports, you can:

• Classify APIs by sensitivity level (Critical, High, Medium, Low)

• Track authentication status across all endpoints

• Analyze API methods (GET, POST, PUT, DELETE, PATCH) at a glance

Endpoint Parameter Configration

To change or customize request parameters, headers, query parameters for any endpoint

• Click on the seleted Endpoint

• To change Parameter configuration, click Pencil icon adjacent to the parameter.

• Enter the details

• Click Update

note

user role with View permissions can not change parameter configuration in shared application.

• To change Request body, click Update Body with an example.

• Enter the sample data and Click Update

• Check updated request body

note

user role with View permissions can not change request body in shared application.

• To Add Query Parameter, click Add Query Parameters.

• Enter the data:

  • Name – The key of the query parameter (e.g., status, userId).
  • Value – The assigned value for the parameter.
  • Sensitivity – Classifies the parameter based on data sensitivity (Critical, High, Medium, Low).
  • Type – Defines the data type of the parameter (string, number, boolean, etc.).
  • Format – Specifies the expected format (e.g., email, UUID, date-time).
  • Required – Indicates whether this parameter is mandatory for the request.

• Click Save

• Check newly added Parameter

note

user role with View permissions can not add,edit and delete query parameter in shared application.

• To Add Header, click Add Header.

• Enter the data:

  • Name – The header key.
  • Value – The value assigned to the header.
  • Sensitivity – Classifies the header based on data sensitivity (Critical, High, Medium, Low).
  • Required – Indicates whether this header must be included in the request..

• Click Save

• Check newly added header

note

user role with View permissions can not add, edit and delete header in shared application.

Dry Run

The Dry Run feature validates an API endpoint’s readiness before running a full security scan. Instead of immediately executing deep security tests, a Dry Run sends a lightweight request using the configured method, headers, parameters, and body, and then displays the actual request and response returned by the API.

This helps customers understand how well each endpoint is prepared for security coverage and provides a path to progressively improve it.

To execute Dry run for the endpoint

1. Click Dry run

2. Select Authentication

3. Click Start Dry Run

4. Review the Dry Run Results. The Test Results panel displays the full request and response details returned by the API, helping you verify the endpoint’s readiness and configuration before running a full security scan.

   

Add Endpoint

The Add Endpoint allows you to manually register new API endpoints for an existing application. This is useful when certain endpoints are not automatically discovered or need to be explicitly defined for monitoring.

• Click Add Endpoint

• Select HTTP Method

• Enter Endpoint

• Click Save Endpoint

note

user role with View permissions can not add endpoints in shared application.

Download OAS

Download OAS allows you to download the OpenAPI Specification (OAS) for any application directly from the platform. It allows quick access to the exact specification used during onboarding.

How it works

1. Applications onboarded with an OAS will provide the original specification for download.

2. Applications onboarded using a Postman Collection are automatically converted to an OAS during onboarding, and this converted version is available for download.

3. If an application's OAS has been reloaded multiple times, the system will always provide the latest version currently associated with the application.

• Click Download OAS

  

Instance level Parameter configuration

To update parameter values for the application at the instance level

1. Click on App Config
2. Select Parameter Configration
3. It displays all parameters related to the selected instance.
4. To change Parameter value, click the Pencil icon.
5. Change the value
6. Click Update

Bulk Upload & Download of Instance-Level Parameter Values

The Params option allows you bulk Upload & Download of Instance-Level Parameter Values.

1. Bulk upload instance-level parameters

   • Click Params

   • Select Upload

   • In the Upload Parameters window Add the file and Click Upload File

     

   • Check the Updated parameter values

2. Download existing instance-level parameter values

   It helps you preserve the parameter configuration before reloading a spec — particularly useful when choosing not to retain parameters during a spec reload.

   • Click Params

   • Select Download

note

user role with View permissions can not change parameter configuration in shared application.

Security-coverage

Security Coverage provides a complete view of the tests safeguarding your APIs.

When you register an application, our platform automatically generates a custom suite of security tests aligned with the latest OWASP API Security Top 10 standards.

With Security Coverage, you can:

• View the full suite of generated tests for your application

• Understand the attack vectors your APIs are protected against

• Track categories such as Authorization, Authentication, and Token Security

• Detect risks like Broken Object Level Authorization (BOLA), Broken Authentication, Tampered Tokens ... and so on

Vulnerabilities

After scanning endpoints, in Vulnerabilities tab you can find the detected security risks with detailed evidence and remediation steps to help you fix issues faster.

When scans detect potential security risks, our platform automatically generates detailed Vulnerability reports. Each entry includes:

• Specific details of the vulnerability

• Evidence of detection for validation

• Remediation steps to guide quick fixes

With clear severity levels, CVSS scores, and resolution status, you can prioritize and address issues efficiently

Threat Detection

Threat Detections show vulnerability types across your APIs and highlight endpoints affected by the same threats.

• Identify vulnerability types present in your APIs

• See which endpoints share the same vulnerability patterns

• Understand how threats propagate across your application

Manage Application Users

This option allows you to add users to the application using their email addresses, assign appropriate access permissions, and remove users when needed.

• Click on "Administration" menu icon in the top bar.

  

• From the drop down select "Manage Application Users"

  

• Click Add Users

  

• Select the users

  

• Click Add Selected Users

  

• Review newly added users

  

  Remove users from the application

  • From the drop down select "Manage Application Users"

    

  • Check the users who have access to the application

    

  • Select the user

    

  • Click Remove Selected Users

    

  • Review the users list.

    

note

• Users with View permissions cannot share a shared application.

Manage Teams Access

As the admin or owner of the application, you can use this option to share the application with a specific team. Team members will then be able to access the application and perform activities based on their permission. You can also remove permissions for the selected team.

• Click on "Administration" menu icon in the top bar.

• From the drop down menu, select Manage Teams Access

• Click Add Teams

• Select the team.

• Click Grant Access To Selected Teams.

• Team added to the application successfully.

Removing Teams Access

• Click on "Administration" menu icon in the top bar.

• From the drop down menu, select Manage Teams Access

• Check the teams that have access to the application

• Select the team.

• Click Remove Selected Teams.

• Successfully removed the team from this application.

Delete Application

• Click the "Delete" icon in the top menu bar to remove the application.

note

Users with View permissions cannot delete shared application

tip

After onboarding, ensure the API is secured by enabling authentication mechanisms such as OAuth or API keys.

For a step-by-step guide, check out:

• How to Onboard an Application Using OpenAPI Spec
• By following these structured steps, you can efficiently onboard APIs while maintaining high standards of security and documentation.