Detected API details

If you want to scrutinize a specific entry in the detected API list, expand it to view more granular data.

Once you expand an entry, a panel with the following tabs appears:

Overview. Shows available data since the API was first seen in five sub-categories:

  • Sampled traffic. The number of detected requests and unique IP addresses that sent requests to the API. Also shows the date when the API was last seen.
  • HTTP method. The number of detected GET, PUT, POST, OPTIONS, and DELETE requests the API received.
  • Response codes. The number of detected API responses for each status code group.
  • User agents. The number of detected requests sent through a browser and using a mobile device. For details on how user agent detections work, see User agents section below.
  • Clients with bad reputation. The percentage of bad reputation clients in each Client Reputation category.

Resource paths. Shows all detected resource paths included in requests to the API. The resource paths may include wildcards. This data can help you set up resources to protect during API registration.

Hostnames. For APIs with wildcarded hostnames, shows a sample of detected hostnames used in requests to the API.

User agents

API Discovery categorizes incoming requests based on two major user agent types: browser and mobile. It counts requests of each type to help you understand how API consumers typically reach an API. To get more insight into the categorization process, learn about the contents of the User-Agent header API Discovery takes into account.


The User-Agent header is controlled by the client and may be empty or contain inaccurate data. Keep this in mind and treat the user agent detection data as useful guidance rather than fully precise information.


API Discovery checks a request’s User-Agent header for values starting with Mozilla or Opera. If such values are present, the browser user agent count goes up.


Mozilla may indicate numerous browser types including Firefox, Google Chrome, Safari, Blink, Microsoft Edge, and Internet Explorer.

Mobile user agents

API Discovery checks a request’s User-Agent header for common mobile operating systems, manufacturer names and models, and HTTP libraries commonly used by mobile apps, such as OkHttp, Vungle, or Airship. If values that contain such details are present, the mobile user agent count goes up.

User agent count

A single request may result in detection of multiple User-Agent header values. For example, an API consumer may send a request from Google Chrome by using an Android device. In such case, API Discovery increments both the browser and mobile user agent counts.

If a request doesn’t include the User-Agent header, or the header is empty, the browser and mobile user agent counts remain unchanged.