API Discovery

Fastly's API Discovery provides a continuously updating record of incoming application programming interface (API) requests proxied through Fastly's Edge network. Once enabled, API Discovery surfaces API requests passing through your Fastly Compute and Delivery services, providing visibility into your API attack surface. You can view, search, and download records of API traffic to evaluate your API landscape, monitor changes, and inform attack mitigation efforts.

Prerequisites

To use API Discovery, you must purchase a paid account with a contract for Fastly's services. Once purchased, API Discovery can be enabled in the control panel by anyone assigned the role of superuser or engineer.

Limitations and considerations

Keep in mind the following limitations and considerations:

  • API traffic and architecture limitations. This product will only discover API traffic and will not discover non-API traffic, such as CDN media assets. It is optimized for aggregating REST APIs. While all HTTP-based API traffic will be observed by the product, the product does not explicitly support architectural patterns other than REST.
  • Data processing and normalization. This product aggregates requests by HTTP components (domains, paths, methods) but does not include URL query string parameters or HTTP request body data in its analysis. APIs with dynamic URL components may not appear immediately as the system needs to observe multiple variations to recognize patterns.
  • Data observation limitations. This product observes sampled network traffic rather than every API call, so some calls, especially sporadic ones, may not be observed. The interface displays discovered APIs with a delay, and timestamp data is estimated based on sampling.
  • Security products note. No security product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. As a subscriber, you should maintain appropriate security controls on all web applications and origins. The use of Fastly's security products does not relieve you of this obligation. As a subscriber, you should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, continuously monitor their performance, and adjust these services as appropriate to address changes in your web applications, origin services, and configurations of the other aspects of your Fastly services.
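
The aggregation described under "Data processing and normalization", as an added example (not Fastly's code or algorithm) that you could run over your own origin logs to cross-check a discovered inventory. It groups constructed sample requests by domain, method and path, drops query strings, and templates a path segment only after an assumed threshold of distinct values has been seen; `build_inventory`, `MIN_VARIANTS` and the `{param}` placeholder are hypothetical names.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

MIN_VARIANTS = 3  # assumed threshold; the page does not state the product's value

# Constructed sample requests (method, URL); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "https://api.example.com/v1/users/101?fields=name"),
    ("GET", "https://api.example.com/v1/users/102"),
    ("GET", "https://api.example.com/v1/users/103?fields=email"),
    ("GET", "https://api.example.com/v1/orders/9001"),
    ("GET", "https://api.example.com/v1/orders/9002"),
    ("POST", "https://api.example.com/v1/users"),
    ("GET", "https://api.example.com/v1/health?probe=1"),
]

def normalize(method, url):
    """Reduce a request to (domain, method, path segments); the query string is dropped."""
    parts = urlsplit(url)
    segments = tuple(s for s in parts.path.split("/") if s)
    return (parts.hostname or ""), method.upper(), segments

def _sibling_key(domain, method, segs, i):
    """Identify paths that match everywhere except at position i."""
    return domain, method, segs[:i] + ("*",) + segs[i + 1:]

def build_inventory(requests, min_variants=MIN_VARIANTS):
    """Aggregate (method, url) pairs into {(domain, method, path_template): hits}."""
    rows = [normalize(m, u) for m, u in requests]
    variants = defaultdict(set)  # sibling key -> distinct values seen at that position
    for domain, method, segs in rows:
        for i, value in enumerate(segs):
            variants[_sibling_key(domain, method, segs, i)].add(value)
    inventory = Counter()
    for domain, method, segs in rows:
        template = []
        for i, seg in enumerate(segs):
            seen = variants[_sibling_key(domain, method, segs, i)]
            # Too few variations: the literal path stays a separate entry for now.
            template.append("{param}" if len(seen) >= min_variants else seg)
        inventory[(domain, method, "/" + "/".join(template))] += 1
    return dict(inventory)

if __name__ == "__main__":
    for (domain, method, path), hits in sorted(build_inventory(SAMPLE_REQUESTS).items()):
        print(f"{hits:>3}  {method:<5} {domain}{path}")
```

With the sample data, the three `/v1/users/<id>` requests collapse into one entry, while the two `/v1/orders/<id>` requests stay as separate literal paths until a third variation is seen. This simplified heuristic only recognizes one varying segment per path.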

Billing

Fastly charges for API Discovery based on the volume of requests processed per month. These charges are separate from and do not include charges associated with the Fastly Compute or Delivery services or with usage of the Fastly Next-Gen WAF. When Fastly DDoS protection is enabled on the service, requests associated with mitigated attacks are excluded from billing.

For more details about this product, including pricing information and help with purchasing it, contact your account manager or email sales@fastly.com.