Creating a Collection
A Collection represents the source of your API endpoints and acts as the starting point for both unauthenticated and authenticated API scans. You can use it to scan public (unauthenticated) APIs right away, or later configure authentication for APIs that require it.
Here’s how you can create a collection in ZeroThreat.
Step 1: Create an API Target
First, you need to create a Target that defines the base URL of your API and sets the scan type.
- Go to the Targets section in ZeroThreat and click “Add Target.”
- Enter the Base URL of your API (e.g.,
https://api.example.com).
.png)
- Under Scan Type, select API Scan and choose your preferred Scanning Server.
- Click “Save” to add the target.
Step 2: Add an API Collection to Your Target
Once your target is set up:
- From the ZeroThreat dashboard, select the API target you just created.
- Click on “Add API Collection.”
This opens the Collection Drawer, where you’ll choose how to provide your API source.
.png)
Step 3: Select Your API Source Type
ZeroThreat offers four options for importing your API collection:
| Source Type | Description |
|---|---|
| Swagger File / URL | Upload a Swagger file or provide a public Swagger URL. |
| OpenAPI File | Upload an OpenAPI (OAS) YAML or JSON file. |
| Postman API | Import directly from a Postman collection. |
| HAR File | Upload a HAR (HTTP Archive) file from captured API traffic. |
In this example, let’s choose Swagger File:
- Select Swagger File from the source options.
- Upload your Swagger file or paste the Swagger URL and click Fetch Collection.
.png)
- ZeroThreat will automatically parse the file and list all API endpoints.
Note:
ZeroThreat will only display endpoints that fall within your defined Target URL scope.
This ensures scans are limited to assets you own and control.
Step 4: Review and Configure API Endpoints
After parsing:
- ZeroThreat will show all the API endpoints it found.
- Some endpoints may have missing payloads or empty request bodies. (especially common with incomplete API specs).
Before saving:
- Review the list of endpoints.
- For any endpoint missing payloads or body parameters:
- Provide sample data, payload values, or request bodies where required.
.png)
APIs with missing request data cannot be fully tested. Adding this missing payload makes sure ZeroThreat can properly interact with your endpoints.
.png)
Fill those API requests that have missing values in JSON with proper data. 3. Once everything is configured and reviewed: Click “Save”.
Your collection is now ready to use.
You can proceed to run an Unauthenticated API Scan or, if your APIs require authentication, configure API Authentication settings for this collection.
What’s Next?
Ready to scan? Continue to Unauthenticated API Scan.
Your APIs need authentication to access? Learn how to set up Authenticated API Scans.