
APIsec BOLT

5.0 (6 ratings)

Extension | Privacy & Security | 1,000 users

Overview

Discover APIs from browser traffic and auto-generate OpenAPI specs.

APIsec BOLT automatically discovers and security-tests APIs by capturing real application traffic directly from your browser—without proxies, agents, or configuration. As you interact with an application, BOLT identifies API endpoints, detects security vulnerabilities in real time, and provides a streamlined path to analyze and test those APIs using APIsec.ai.

BOLT converts real runtime behavior into accurate API definitions and actionable security findings, eliminating guesswork and accelerating documentation, onboarding, and security workflows.

Key Capabilities

  1. Automatic capture of application traffic
     BOLT captures API calls directly from your active browser tab. No proxies or traffic redirection required. Start capture and browse normally; BOLT records API interactions on the fly.
  2. Real-time threat detection
     As traffic is captured, BOLT automatically surfaces BOLA, RBAC misconfiguration, and Mass Assignment findings — no manual trigger needed. A live findings banner alerts you to issues as they appear, with grade badges and expandable threat details in the APIs tab.
  3. Automatic identification of API endpoints
     Captured traffic is analyzed to identify API methods, paths, parameters, hostnames, and request/response metadata — producing a reliable API inventory based on how your application actually behaves.
  4. Auth token harvesting
     BOLT automatically detects and catalogs auth tokens from captured traffic — JWT, API keys, Basic auth, and cookies — in a dedicated Auth tab. Your token inventory builds itself as you browse.
  5. Request editing and replay
     The Manipulator tab lets you edit and resend any captured request. A smart param picker surfaces suggestions from all captured traffic, with editable path parameters for IDOR and BOLA testing.
  6. Automatic generation of OpenAPI (Swagger) specifications
     BOLT converts captured API calls into structured OpenAPI definitions. Use the OAS picker to select exactly which APIs to export for documentation, modeling, or integration with APIsec.ai's testing workflows.
  7. APIsec.ai–powered API security analysis
     API definitions discovered by BOLT can be analyzed using APIsec.ai's automated security engine, covering authentication and authorization issues, BOLA/IDOR, logic flaws, injection risks, misconfigurations, and complex multi-step attack paths.
  8. One-click onboarding to APIsec.ai
     From BOLT, send API definitions or captured request data to APIsec.ai to initiate onboarding or run automated test generation — including advanced scenarios that traditionally require manual effort or specialized expertise.

How It Works

  1. Open a web application and launch APIsec BOLT from the Chrome or Firefox toolbar.
  2. Start capture to automatically collect API traffic from your active browser tab.
  3. Review discovered endpoints, real-time threat findings, and captured auth tokens.
  4. Use the Manipulator to edit and replay requests, or export auto-generated OpenAPI specs.
  5. Send APIs to APIsec.ai to onboard or run automated security analysis.

Non-intrusive and privacy-respecting by design

APIsec BOLT operates completely on the user's local machine. All traffic capture, API identification, threat detection, and OpenAPI generation occur locally within the browser extension.

BOLT does not intercept, modify, or block network traffic. It passively observes requests from the active browser tab solely for the purpose of API discovery, documentation, and security analysis.

Transmission of API data to APIsec.ai occurs only when the user explicitly initiates it. No data is sent externally without user action.

Details

  • Version
    2.0.6
  • Updated
    March 16, 2026
  • Offered by
    developer
  • Size
    489KiB
  • Languages
    English (United States)
  • Developer
    APIsec.ai
    1 Sansome St #3500 San Francisco, CA 94104-4436 US
    Email
    developer@apisec.ai
    Phone
    +1 415-505-3007
  • Trader
    This developer has identified itself as a trader per the definition from the European Union and committed to only offer products or services that comply with EU laws.
  • D-U-N-S
    081059564

Privacy

APIsec BOLT has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.

APIsec BOLT handles the following:

Personally identifiable information
Authentication information
User activity
Website content

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes

Support

For help with questions, suggestions, or problems, visit the developer's support site
