How to Use API Discovery
This guide explains how to use Peakhour's API Discovery feature to automatically find, analyze, and secure your API endpoints.
Before you begin: Ensure your domain is actively processing traffic through Peakhour, as API Discovery learns from live requests.
Accessing API Discovery
- Navigate to your Domain Dashboard.
- In the main navigation, under the "Security" section, click on API Centre > Discovery.
Understanding the API Discovery Dashboard
The dashboard provides a comprehensive list of all API endpoints that Peakhour has automatically detected from your site's traffic.
Key Components:
- Search and Sort: At the top of the page, you can search for specific endpoints by path and sort the list by various metrics like Path, Method, Total Hits, Error Rate, or Traffic.
- Endpoint List: Each entry in the list represents a unique combination of an HTTP method and a URL path pattern (e.g., GET /api/users/{id}).
Investigating an Endpoint
Each endpoint in the list is a clickable card that can be expanded to reveal detailed information.
Viewing the Endpoint Header
The header of each card provides a quick summary:
- HTTP Method: GET, POST, PUT, DELETE, etc., color-coded for easy identification.
- Path: The normalized URL path, with dynamic parts replaced by placeholders (e.g., {id}).
- Updated Badge: A badge will appear if the endpoint's schema has been updated within the last 7 days.
- Action Buttons: Quick links to create Rate Limit or Firewall Rules for this specific endpoint.
Analyzing Endpoint Summary Stats
Below the header, you'll find key performance indicators for the endpoint over the last 24 hours:
- Hit Rate: The average number of requests per minute.
- Error Rate: The percentage of requests that resulted in an error.
- Traffic Rate: The average data transfer rate (e.g., bytes per second).
- Avg Response: The average size of the response body.
Expanding for Full Details
Click anywhere on an endpoint's card to expand it and view detailed analytics and schema information.
- Parameters: A list of all discovered request parameters, including:
  - Path Parameters: Dynamic parts of the URL (e.g., {id}).
  - Query Parameters: Parameters found in the query string (e.g., ?limit=10).
  - Details include the parameter's name, type (string, integer), and whether it's required.
- Endpoint Details:
  - Responses: A list of HTTP status codes observed for this endpoint (e.g., 200, 404, 500).
  - UUID: The unique identifier for the discovered endpoint.
  - Discovered/Updated: Timestamps for when the endpoint was first seen and last updated.
- Analytics Graphs:
  - Visual charts showing the Error Rate, Hit Rate, Traffic In Rate, and Traffic Out Rate over time.
Taking Action on an Endpoint
From the endpoint details, you can take direct action to secure or manage your API.
Creating a Rate Limit Rule
- Click the Rate Limit button in the endpoint header.
- A modal will appear to create a new rate limit rule.
- The Filter will be pre-populated with a suggested Wirefilter expression to target the specific endpoint (e.g., http.request.uri.path matches "/api/users/*" and http.request.method == "GET").
- The modal will also show a recommended rate limit based on observed traffic.
- Configure the rate limit settings as needed and save the rule.
Creating a Firewall Rule
- Click the Firewall Rule button in the endpoint header.
- A modal will appear to create a new firewall rule.
- The Filter will be pre-populated with the same suggested expression to target the endpoint.
- Configure the firewall action (e.g., deny, challenge) and save the rule.
Viewing Related Logs and Events
In the expanded view, you can navigate directly to related logs and events:
- View in Log Explorer: This link takes you to the Log Explorer with filters pre-applied to show all requests for this endpoint over the last 24 hours.
- View Firewall Events: This link takes you to the Firewall Events page, filtered to show only security events related to this endpoint's path.
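To cross-check the discovered inventory against your own origin logs, the sketch below groups requests by method and normalized path and builds a filter in the form shown above. It is an added example, not Peakhour's code: the sample requests are constructed, and the normalization heuristic (numeric or UUID segments become {id}), the error definition (status 400 and above) and the {id}-to-* mapping are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample requests (method, path with query, status); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "/api/users/42?limit=10", 200),
    ("GET", "/api/users/77", 404),
    ("GET", "/api/users/9f1c2d3e-0a1b-4c5d-8e9f-0123456789ab", 200),
    ("POST", "/api/users", 201),
    ("GET", "/api/orders/1001/items/5", 500),
    ("GET", "/api/health", 200),
]

# Assumption: a path segment is dynamic if it is all digits or a UUID.
DYNAMIC = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)

def normalize_path(raw_path):
    """Drop the query string and replace dynamic segments with {id}."""
    path = raw_path.split("?", 1)[0]
    return "/".join("{id}" if DYNAMIC.match(s) else s for s in path.split("/"))

def summarize(requests):
    """Group by (method, normalized path); return hits and error rate in percent."""
    counts = defaultdict(lambda: [0, 0])  # key -> [hits, errors]
    for method, raw_path, status in requests:
        entry = counts[(method, normalize_path(raw_path))]
        entry[0] += 1
        entry[1] += status >= 400  # assumption: 4xx and 5xx count as errors
    return {
        key: {"hits": hits, "error_rate": round(100 * errors / hits, 1)}
        for key, (hits, errors) in counts.items()
    }

def suggested_filter(method, template):
    """Build a filter in the form shown on the page; {id} -> * is an assumption."""
    pattern = re.sub(r"\{[^}]+\}", "*", template)
    return (f'http.request.uri.path matches "{pattern}" '
            f'and http.request.method == "{method}"')

if __name__ == "__main__":
    for (method, template), stats in sorted(summarize(SAMPLE_REQUESTS).items()):
        print(method, template, stats)
        print("   ", suggested_filter(method, template))
```

An endpoint that shows up in this summary but not in the Discovery list (or the reverse) is worth investigating before you write rate limit or firewall rules for it.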