---
title: Endpoint Scanning
description: >-
  Verify whether discovered API endpoints are publicly accessible and require
  authentication.
---

# Endpoint Scanning

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

{% alert level="warning" %}
Endpoint Scanning is in Preview and is subject to change.
{% /alert %}

Endpoint Scanning probes your API endpoints from outside your environment and records their HTTP responses, rather than inferring behavior from observed traffic. The results enrich the [API Inventory](https://docs.datadoghq.com/security/application_security/api_posture/api_inventory.md) with verified authentication and visibility data.

Endpoint Scanning sends only `GET` requests. It does not call `POST`, `PUT`, `PATCH`, or `DELETE` endpoints, and never modifies data on your endpoints.

{% alert level="info" %}
Endpoint Scanning only scans endpoints that App and API Protection (AAP) discovers from APM traces.
{% /alert %}

## What Endpoint Scanning verifies{% #what-endpoint-scanning-verifies %}

For each scanned endpoint, Datadog records:

- **Authentication status**: Whether the endpoint requires authentication.
- **Public visibility**: Whether the endpoint is reachable without credentials.
- **HTTP response status**: The status code returned by the endpoint.
- **Last evaluation timestamp**: When the endpoint was last scanned.

Use this information to prioritize exposed endpoints, confirm whether important APIs enforce authentication, and investigate API findings with stronger evidence about how the endpoint behaves.
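
The kind of check described in this section, reproduced locally as an added example (not Datadog's code or scanner logic): `probe` sends a single `GET` without credentials and records the four fields listed above. The status-code interpretation, the `DemoAPI` service, and its `/health` and `/orders` paths are assumptions constructed for the demo.

```python
import threading
from datetime import datetime, timezone
from http.client import HTTPConnection, HTTPSConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumption (not from the Datadog docs): 401/403 is read as "requires authentication".
AUTH_STATUSES = {401, 403}

def probe(url, timeout=5):
    """Send one credential-less GET and record the four fields listed above."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")  # GET only, no Authorization header
        status = conn.getresponse().status
    finally:
        conn.close()
    return {
        "endpoint": parts.path or "/",
        "http_status": status,
        "requires_authentication": status in AUTH_STATUSES,
        "publicly_accessible": 200 <= status < 300,  # assumed reading of a 2xx answer
        "last_evaluated": datetime.now(timezone.utc).isoformat(),
    }

class DemoAPI(BaseHTTPRequestHandler):
    """Constructed sample service: /health is open, /orders expects a token."""
    def do_GET(self):
        authed = bool(self.headers.get("Authorization"))
        routes = {"/health": 200, "/orders": 200 if authed else 401}
        self.send_response(routes.get(self.path, 404))
        self.end_headers()

def scan_demo(paths=("/health", "/orders", "/missing")):
    """Start the sample service on a loopback port and probe each path."""
    server = HTTPServer(("127.0.0.1", 0), DemoAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return [probe(base + path) for path in paths]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(*scan_demo(), sep="\n")
```

Pointing `probe` at an endpoint you own gives an independent reading to compare against the values shown in the API Inventory.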

## Enable Endpoint Scanning{% #enable-endpoint-scanning %}

Endpoint Scanning is off by default. To enable it:

1. In App and API Protection settings, go to [API Security Testing](https://app.datadoghq.com/security/configuration/asm/api-security-testing).
1. Toggle **Enable Endpoint Scanning** on.

After you enable it, Datadog scans eligible endpoints in the background in batches. Endpoints are retested approximately every seven days.
