API Security Inventory monitors your API traffic to provide visibility into the security posture of your APIs, including:

  • Authentication: Type of authentication used, such as Basic Auth and API key.
  • Public Exposure: Whether the API is processing traffic from the internet.
  • Production status: If the API is running in a production environment.
  • Sensitive data flows: Sensitive data handled by the API and flows between APIs.
  • Attack Exposure: If the endpoint is targeted by attacks (powered by Application Threat Management).
  • Vulnerabilities: If the endpoint contains a vulnerability (powered by Software Composition Analysis).

Using the API Security Inventory you can:

  • See at a glance your publicly exposed endpoints that are not requiring authenticated requests.
  • See at a glance your publicly exposed endpoints that are handling sensitive data, such as payment card numbers.
  • See which endpoints are at risk, and pivot directly into the Threat Monitoring and Protection service for further investigation or response.
API Security Inventory main page


The following library versions are compatible with API Security Inventory. Remote Configuration is required.

TechnologyMinimum versionSupport for sensitive data scanning
Pythonv2.1.6Requests and responses
Javav1.31.0Requests only
PHPv0.98.0Requests and responses
.NET Corev2.42.0Requests and responses
.NET Fxv2.47.0Requests and responses
Rubyv1.15.0Requests only
Golangv1.59.0Requests only
Node.jsv3.51.0, v4.30.0 or v5.6.0Requests and responses

How it works

API Inventory leverages the Datadog tracing library with ASM enabled to gather security metadata about API traffic, including the API schema, types of sensitive data processed, and the authentication scheme.

API Inventory Security uses Remote Configuration to manage and configure scanning rules that detect sensitive data and authentication.

The following risks are calculated for each endpoint:

Service in production

The env tag is checked for patterns that frequently represent non-production environments. For example, if it detects values of dev, alpha, beta, sandbox, or similar, it marks the environment as non-production. All other environments are marked as production.

Service under attack

This risk is detected for API endpoints that have experienced attacks within the last week.

Processing sensitive data

ASM matches known patterns for sensitive data in API requests. If it finds a match, the endpoint is tagged with the type of sensitive data processed.

The matching occurs within your application, and none of the sensitive data is sent to Datadog.

Supported data types

CategoryCategory facetType facet
Canadian social insurance numberspiicanadian_sin
United States social security numberspiius_ssn
UK national insurance numberspiiuk_nin
US vehicle identification numberspiivin
Passport numberspiipassport_number
E-mail addressespiiemail
JSON Web Token (JWT)credentialsjson_web_token
Bearer tokens (found in Authorization headers)credentialsbearer_token
American Express card numberpaymentcard
Diners Club card numberpaymentcard
JCB card numberpaymentcard
Maestro card numberpaymentcard
Mastercard card numberpaymentcard
VISA card numberpaymentcard
IBAN bank account numberpaymentiban

Publicly accessible

Datadog marks an endpoint as public if the client IP address is outside these ranges:


See Configuring a client IP header for more information on the required library configuration.

Unauthenticated endpoint

Authentication is determined by:

  • The presence of Authorization, Token or X-Api-Key headers.
  • The presence of a user ID within the trace (for example, the @usr.id APM attribute).
  • The request has responded with a 401 or 403 status code.

Contains exploitable vulnerabilities

This risk is determined by Software Composition Analysis for the service hosting the endpoint.

Performance impact

By default, API Security Inventory evaluates every tenth request (10% sample rate).

Further reading

Additional helpful documentation, links, and articles: