DAST

Scanning APIs

  • Last updated: January 29, 2026

  • Read time: 2 Minutes

This section explains how to create sites to scan specific APIs in Burp Suite DAST. To scan an API, you need to provide an API definition and any required authentication.

Note

You can add as many APIs as you like to Burp Suite DAST, but for scans to work correctly you need to configure your network and firewall settings. For more information, see Configuring network and firewall settings for a site.

Adding API definitions

You can add API definitions by uploading a file or providing a URL. The supported formats are:

  • Postman Collection
  • OpenAPI definition file in JSON or YAML format
  • SOAP WSDL

For Postman Collections, you can also upload a Postman environment file to automatically merge environment variables with your collection. This removes the need to manually merge variables and speeds up your setup process.
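The merge described above substitutes `{{name}}` placeholders in the collection with values from the environment file. The following is an added illustration of that step, not Burp Suite DAST's own code; the collection and environment documents are constructed samples, and the disabled `token` variable is included to show that a placeholder with no enabled value stays unresolved and has to be supplied separately.

```python
"""Added example: merge a Postman environment file's variables into a
collection by substituting {{name}} placeholders. Illustrative code, not
Burp Suite DAST's implementation; both JSON documents are constructed."""
import json
import re

PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_.-]+)\}\}")

# Constructed minimal Postman collection (v2.1 shape, trimmed).
SAMPLE_COLLECTION = {
    "info": {"name": "Orders"},
    "item": [{
        "name": "List orders",
        "request": {
            "method": "GET",
            "url": "{{baseUrl}}/orders?limit={{pageSize}}",
            "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
        },
    }],
}

# Constructed Postman environment export; disabled variables must be ignored.
SAMPLE_ENVIRONMENT = {
    "name": "staging",
    "values": [
        {"key": "baseUrl", "value": "https://staging.example.test", "enabled": True},
        {"key": "pageSize", "value": "50", "enabled": True},
        {"key": "token", "value": "old-token", "enabled": False},
    ],
}


def environment_variables(env: dict) -> dict:
    """Enabled key/value pairs from a Postman environment export."""
    return {v["key"]: v["value"] for v in env.get("values", []) if v.get("enabled", True)}


def merge(node, variables: dict, unresolved: set):
    """Recursively substitute {{name}} in every string of the collection.
    Placeholders with no enabled variable are left intact and reported,
    so the caller can see which values still need to be supplied."""
    if isinstance(node, dict):
        return {k: merge(v, variables, unresolved) for k, v in node.items()}
    if isinstance(node, list):
        return [merge(v, variables, unresolved) for v in node]
    if isinstance(node, str):
        def repl(m):
            name = m.group(1)
            if name in variables:
                return variables[name]
            unresolved.add(name)
            return m.group(0)
        return PLACEHOLDER.sub(repl, node)
    return node


def merge_collection(collection: dict, env: dict):
    """Return (merged collection, set of unresolved placeholder names)."""
    unresolved = set()
    merged = merge(collection, environment_variables(env), unresolved)
    return merged, unresolved


if __name__ == "__main__":
    merged, unresolved = merge_collection(SAMPLE_COLLECTION, SAMPLE_ENVIRONMENT)
    print(json.dumps(merged, indent=2))
    print("unresolved:", sorted(unresolved))  # token is disabled in the environment
```

The original collection is left untouched (the merge builds a new structure), so the same collection can be merged against several environment files in turn.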

You can also scan GraphQL APIs using introspection. To scan a GraphQL API, create a site for a web app and provide the URL of the GraphQL endpoint. Make sure introspection is switched on. For more information, see Crawling GraphQL APIs.

Note

We fully support OpenAPI 3.1 and provisionally support OpenAPI 3.2.

Choosing how to add APIs

You can add API sites individually or in bulk:

  • Add a single API - Create one API site at a time by uploading a file or providing a URL. Use this approach when you need to configure each API individually or when onboarding a small number of APIs.

  • Bulk upload APIs - Create multiple API sites in one operation. Use this approach when onboarding large numbers of APIs with shared configuration settings. This speeds up the process and helps ensure consistency across your API estate.

For more information, see:

Managing authentication for API sites

When you add an API definition, Burp Suite DAST automatically detects authentication schemes. You don't have to provide credentials immediately.
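The authentication schemes are read from the definition itself: an OpenAPI document declares them under `components.securitySchemes` and attaches them to operations through `security` entries, where an operation-level list overrides the document-level default and an empty list marks the operation as unauthenticated. The code below is an added example of reading those declarations and working out which schemes still lack a credential; it is not Burp Suite DAST's detection logic, and the definition it parses is a constructed sample.

```python
"""Added example: list the authentication schemes an OpenAPI 3.1 definition
declares and which operations require them. Illustrative code, not
Burp Suite DAST's own detection logic; the definition below is constructed."""
import json

# Constructed sample OpenAPI 3.1 definition (not a real API).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.1.0",
    "info": {"title": "Example orders API", "version": "1.0"},
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer"},
            "apiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        }
    },
    "security": [{"bearerAuth": []}],  # document-level default for every operation
    "paths": {
        "/health": {"get": {"security": []}},  # explicitly unauthenticated
        "/orders": {
            "get": {},                           # inherits bearerAuth
            "post": {"security": [{"apiKeyAuth": []}]},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def load_sample() -> dict:
    """Parse the constructed definition (a real file would be read from disk)."""
    return json.loads(SAMPLE_OPENAPI)


def required_schemes(definition: dict) -> dict:
    """Map each operation ("GET /orders") to the set of scheme names it needs.
    Operation-level `security` overrides the top-level default; an empty list
    means the operation needs no authentication."""
    default = definition.get("security", [])
    result = {}
    for path, item in definition.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            requirements = op.get("security", default)
            names = set()
            for req in requirements:
                names.update(req.keys())
            result[f"{method.upper()} {path}"] = names
    return result


def missing_credentials(definition: dict, provided: dict) -> dict:
    """Return scheme name -> scheme object for every declared scheme that is
    used by at least one operation but has no credential in `provided`."""
    declared = definition.get("components", {}).get("securitySchemes", {})
    used = set().union(*required_schemes(definition).values())
    return {name: declared[name] for name in sorted(used)
            if name in declared and name not in provided}


if __name__ == "__main__":
    spec = load_sample()
    for op, schemes in required_schemes(spec).items():
        print(op, "->", sorted(schemes) or "no auth")
    # Only a bearer token has been configured; the API key is still missing.
    print("missing:", missing_credentials(spec, {"bearerAuth": "token"}))
```

Running it shows `POST /orders` still lacks an `apiKeyAuth` credential while `GET /health` needs none; that is the kind of gap the Authentication tab reports as missing, and operations left without credentials are scanned only as an unauthenticated client would see them.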

To add authentication credentials after creating a site:

  1. Go to Sites and select your API site.

  2. Select the Details tab and click Edit.

  3. Under API definition, select the Authentication tab. Add any credentials that are shown as missing.

  4. Click Save.

Optional settings for your API

When you add a new API site, you can configure the following additional settings:

  • Scan configuration

  • Connections

  • Headers and cookies

  • Extensions

  • Scanning pool

  • Notifications

For more information on configuring the optional settings for your API, see Configuring site settings.