A Collection represents the source of your API endpoints and acts as the starting point for both unauthenticated and authenticated API scans. You can use it to scan public (unauthenticated) APIs right away, or later configure authentication for APIs that require it.
Here’s how you can create a collection in ZeroThreat.
First, you need to create a Target that defines the base URL of your API and sets the scan type.
https://api.example.com)..png)
Once your target is set up:
) button. This opens the Configure API Collection drawer, where you’ll choose your API Collection source method..png)
ZeroThreat offers multiple methods to create or import your API collection. In Step 3, choose any one method based on how your APIs are available, such as uploading an existing collection, importing from a cloud source, or recording API requests using ZeroThreat API Recorder.
| Source Type | Description |
|---|---|
| Swagger File / URL | Upload a Swagger file or provide a public Swagger URL. |
| OpenAPI File | Upload an OpenAPI (OAS) YAML or JSON file. |
| Postman API | Import directly from a Postman collection. |
| HAR File | Upload a HAR (HTTP Archive) file from captured API traffic. |
| RAML | Upload RAML definitions to import resources and request details for API scan. |
| WADL | Upload WADL service descriptions to import endpoints/operations for API scan. |
In this example, let’s choose the Swagger Source method:
.png)
In addition to uploading files or providing URLs, ZeroThreat supports creating Collections directly from your cloud API management platforms. This is useful if your APIs are already published and versioned in cloud-native services.
ZeroThreat supports five cloud integrations. Each method lets you authenticate against your cloud provider, fetch available APIs, and import them directly into ZeroThreat for scanning. Below are the steps to fetch API collection from each of them.
If your APIs are managed in Azure API Management (APIM), you can directly import them into ZeroThreat as a Collection for scanning.
Steps to Import API collection from Azure APIM
.png)
.png)
.png)
Collection Configuration
zt-api-management-v1)..png)
Collection Configuration
) to continue.ZeroThreat will automatically import the chosen APIs into the Collection. You can optionally enable Auto-fetch option, which refreshes the API definition for any changes daily at 12:00 AM UTC.
If your APIs are managed in MuleSoft Anypoint Platform, you can connect ZeroThreat to your MuleSoft account and import APIs directly as a Collection for scanning.
Steps to Import API Collection from MuleSoft
.png)
.png)
.png)
.png)
) to continue.Your MuleSoft APIs will be added as a Collection in ZeroThreat. You can optionally enable the Auto-fetch option, which refreshes the API definition daily at 12:00 AM UTC to fetch any changes in Anypoint collection.
If you use SwaggerHub for API design and versioning, you can connect your SwaggerHub account to ZeroThreat via an API key and import API collection directly into a ZeroThreat.
Steps to Import API collection from SwaggerHub
.png)
.png)
Broken Crystals).1.0)..png)
) to continue.Your SwaggerHub API will be added as a Collection in ZeroThreat. You can optionally enable Auto-fetch option, which refreshes the API definition for any changes daily at 12:00 AM UTC.
If your APIs are deployed on AWS API Gateway, you can import them directly into ZeroThreat as a Collection for scanning.
Steps to Import API collection from AWS API Gateway:
.png)
.png)
ap-south-1)..png)
) to continue.ZeroThreat will import the API from your AWS API collection and make it available as a Collection. You can optionally enable Auto-fetch option, which refreshes the API definition for any changes daily at 12:00 AM UTC.
your APIs are hosted in Postman Cloud, you can connect your Postman account to ZeroThreat using an API key and directly import your Postman collections for scanning.
Steps to Import API Collection from Postman Cloud
.png)
.png)
.png)
) to continue.Your Postman Cloud APIs will be added as a Collection in ZeroThreat. You can optionally enable the Auto-fetch option, which refreshes the API definition daily at 12:00 AM UTC to fetch any changes in Postman Cloud API Collection.
ZeroThreat API Recorder lets you create an API collection by browsing your web application and capturing the API requests triggered during normal user actions. This is useful when you do not already have an API collection ready, when API inventory is missing, or when new APIs have been added and need to be discovered through frontend workflows. Instead of manually uploading a specification file, you can let ZeroThreat collect in-scope API requests as you interact with the application.
Prerequisite: You must have the ZeroThreat Chrome Extension installed.
.png)
.png)
The Web Application URL is the frontend application where the recorder will open. As you browse the application, ZeroThreat captures API requests that belong to the target scope.
api.example.com and your frontend is hosted on app.example.com, create the target for api.example.com and enter app.example.com as the Web Application URL. The recorder will open the frontend, and API requests made to the target API domain will be collected..png)
.png)
.png)
The captured APIs will be added to the collection and can be used for scanning.
Once the API specification is parsed, you will be able to see all the extracted API endpoints.
.png)
ZeroThreat highlight any endpoints that have missing or empty request bodies, these are commonly found in incomplete API specs. These endpoints will be marked with a Payload Unmapped (
) symbol to help you identify them.
While filling body for such API's is not mandatory to start a scan, it’s highly recommended. Providing sample data in request bodies helps ZeroThreat interact more accurately with your APIs, leading to more effective testing.
(Optional Step) Map Missing Payloads
Click any endpoint marked with the Payload Unmapped (
) icon and provide sample request body data where needed.
.png)
You can also hover over the Collection Analysis (
) button to get an overview of how many endpoints were parsed, and how many of them are missing request bodies.
.png)
When you create a new API Collection on a target where a previous collection already exists, ZeroThreat automatically compares the new collection against the previous one.
If differences are found, the system will display a “Snapshot difference detected” message in the Collection Analysis panel.
This feature helps you:
This helps you keep your collections updated without losing previously configured payloads.
Once you're done reviewing and configuring the endpoints, click Save.
Your collection is now ready to use. You can proceed to run an Unauthenticated API Scan or, if your APIs require authentication, configure API Authentication settings for this collection.
Ready to scan? Continue to Unauthenticated API Scan. Your APIs need authentication to access? Learn how to set up Authenticated API Scans.