Finding Hidden APIs Step by Step for Beginners 
(AKA: How to Find Hidden APIs and Unlock Whatโs Not on the Menu
)
One-Line Flow: Press F12 โ Watch websites talk to their kitchen โ Find the secret menu items โ Go deeper with forgotten files, time travel tricks, and phone app snooping.
What Even Is an API?
Think of it like this:
When you use Instagram, you see pretty pictures and buttons. But behind that, Instagram is just sending data back and forth โ like a waiter taking orders to the kitchen.
The API is the waiter.
And sometimesโฆ the waiter will give you stuff thatโs not on the menu. ![]()
๐ Wait, Explain It Like I'm 5 (The Pizza Shop Thing)
Imagine a pizza shop:
- The menu = what they WANT you to see
- The kitchen = where the real stuff happens
- The API = the back door where employees go in and out
Most people order from the menu. But if you know about the back door, you can sometimesโฆ see what else is cooking.
Thatโs what โfinding hidden APIsโ means. Youโre not breaking in. Youโre just using the employee entrance.
๐ฐ Level 1: The 'I Have Zero Skills But I Want In' Starter Method โ Literally Just Press F12
Step 1: Open any website
Step 2: Right-click โ โInspectโ (or press F12)
Step 3: Click the โNetworkโ tab at the top
Step 4: Click around the website
Step 5: Watch the magic ![]()
Youโll see a bunch of stuff appearing. Look for things that say โXHRโ or โFetchโ โ those are the website talking to its kitchen.
๐ฌ Okay But What Am I Actually Looking At? (Don't Panic, It's Easy)
When you filter by XHR/Fetch, youโll see requests like:
api/users/profile
api/posts/feed
graphql
Click on any of these. Look at the โResponseโ tab.
Thatโs the raw data. No pretty interface. Justโฆ everything.
Sometimes youโll find data they didnโt mean to show you. Old features. Hidden info. The good stuff.
This GitHub repo is literally a free course on finding hidden APIs. Not tools. Not a list. An actual methodology for discovering what websites are hiding.
๐ฎ Level 2: GraphQL โ That Weird Thing That Gives You EVERYTHING If You Ask Nicely
Your Network tab shows XHR/Fetch. But in 2025, the real treasure is GraphQL.
Look for requests going to /graphql endpoints. If you find one, try this in your browser console or Postman:
{__schema{queryType{fields{name}}}}
If it works? You just downloaded the entire API blueprint โ every query, every mutation, every field. Itโs like the restaurant handing you the recipe book.
๐ต๏ธ They Blocked It? Lol No They Didn't โ Here's How They Messed Up
Companies think theyโre smart by blocking introspection. But they mess it up constantly.
Try these bypasses:
- Add a newline:
{__schema\n{queryType{name}}} - Use GET instead of POST
- URL-encode the query
- Add spaces:
{ __schema { queryType { name } } }
When itโs actually locked down:
Use Clairvoyance โ it rebuilds schemas by exploiting error messages. When you type a wrong field, Apollo says stuff like Did you mean 'userPassword'?
Yeah. It literally tells you what fields exist. Thanks, Apollo.
๐บ๏ธ Level 3: Source Maps โ Devs Accidentally Left The Answer Key In The Exam Room
This is criminally underrated.
When devs build websites, they compress JavaScript into unreadable garbage. But sometimes they leave behind .map files โ which reverse the compression.
Check if they exist:
main.js โ main.js.map
bundle.js โ bundle.js.map
Just add .map to any JS file URL and see what happens.
๐ Holy Crap What Can I Actually Find In These Things?
If exposed, you get:
- Original, un-minified source code โ readable variable names, comments, everything
- Hardcoded API keys and tokens (yes, including Stripe secrets)
- Hidden admin endpoints the UI doesnโt show
- Internal routes devs thought were private
Google dork to find exposed maps:
ext:map intext:webpack intext:react -site:github.com
Tools:
- sourcemapper โ extracts full source trees
source-map-explorer(npm) โ visualizes whatโs inside
Real case: Security researchers found hardcoded Stripe API secret keys through source maps. Enabled unauthorized payments. Oops.
โฐ Level 4: Time Travel Recon โ Old APIs Never Really Die, They Just Hide
APIs that existed years ago might still work. Companies update their docs but forget to actually kill the old endpoints.
The Wayback Machine remembers everything.
๐ ๏ธ Tools That Do The Time Traveling For You (Just Copy-Paste)
gau โ pulls URLs from Wayback Machine, Common Crawl, AlienVault
echo "target.com" | gau | grep -E "api|v1|v2|graphql" | sort -u
waybackurls โ raw Wayback scraping
echo "target.com" | waybackurls
waymore โ Wayback + CommonCrawl + URLScan + VirusTotal combined
What youโre looking for:
Found /api/v1/admin/debug that was removed from docs in 2021 but still responds with 200 in 2025? Thatโs your entry point.
๐ Level 5: Swagger Files โ When Companies Upload Their Own Cheat Codes By Accident
Companies accidentally ship their full API documentation publicly. Itโs literally a map of every endpoint.
Common locations to check:
/swagger.json
/openapi.json
/swagger/v1/swagger.json
/api-docs
/api/v1/docs
/swagger-ui.html
/.well-known/openapi.json
Justโฆ try them. Youโd be surprised.
๐จ Tools That Hunt Swagger Files While You Grab Coffee
Autoswagger โ auto-discovers and tests OpenAPI endpoints
APIFuzzer โ once you have the spec, fuzz every endpoint
Kiterunner โ bruteforces API routes using smart wordlists
kr scan https://target.com/api -w routes-large.kite
๐ Level 6: JavaScript Mining โ The Code Already Contains Every Secret, You Just Gotta Ctrl+F
The Network tab shows active calls. But the JavaScript files contain all possible endpoints โ including ones the UI never uses.
๐ What To Search For + Tools That Do It Automatically
What to search for in JS files:
/api/
/v1/
/internal/
/admin/
/debug/
"Authorization"
"Bearer"
"apiKey"
Tools that do this automatically:
- LinkFinder โ extracts endpoints from JS
- JSFScan โ full JS recon suite
- Katana with
-jcflag (JavaScript crawl)
katana -u "https://target.com" -jc -o js_endpoints.txt
๐ฑ Level 7: Mobile Apps โ Web Got Smarter, But Phone Apps Are Still Snitching Hard
Web apps have gotten better at hiding stuff. Mobile apps? Still a disaster.
๐ฒ The Step-By-Step 'Intercept Everything Your Phone Says' Method
The basic flow:
- Get the APK (Android) or IPA (iOS)
- Set up mitmproxy to intercept traffic
- Use Frida to bypass certificate pinning
- Watch every API call the app makes
Certificate pinning bypass scripts:
httptoolkit/frida-interception-and-unpinning
Static analysis (no interception needed):
Decompile the APK with jadx or apktool, then grep:
grep -ri "api" ./
grep -ri "endpoint" ./
grep -ri "secret" ./
Flutter apps are especially leaky โ most devs forget to disable debug mode.
๐ Level 8: WebSockets โ Everyone Forgets These Exist And That's Why They're Gold
Everyone filters by XHR/Fetch. Real-time apps use WebSockets (ws:// or wss://).
In DevTools โ Network โ Filter by โWSโ
WebSocket APIs often:
- Skip authentication entirely
- Use sequential/guessable IDs
- Leak real-time data (chat messages, trades, internal comms)
โ ๏ธ Why Every Tutorial From 2023 Is Now Wrong โ What Changed
| What Changed | What It Means For You |
|---|---|
| GraphQL introspection now disabled by default | Use Clairvoyance + field suggestions instead |
| Bot protection (Cloudflare, Akamai) fingerprints API clients | Simple curl gets blocked โ need proper headers |
| ~33% of APIs are โshadow APIsโ | Best targets โ they exist but arenโt monitored |
| Certificate pinning is standard on mobile | Need Frida/Objection to bypass |
| AI bot detection is everywhere | Behavioral patterns matter, not just headers |
๐งช The Full Workflow โ Just Copy This Entire Thing And Run It
# 1. Passive URL discovery
echo "target.com" | gau | tee urls.txt
echo "target.com" | waybackurls >> urls.txt
cat urls.txt | grep -E "api|v1|v2|graphql|swagger" | sort -u > api_endpoints.txt
# 2. Find JS files
katana -u "https://target.com" -jc -o katana_out.txt
cat katana_out.txt | grep "\.js$" | sort -u > js_files.txt
# 3. Check for source maps
cat js_files.txt | while read url; do curl -s "$url.map" | head -c 100; done
# 4. Test GraphQL introspection
curl -X POST "https://target.com/graphql" \
-H "Content-Type: application/json" \
-d '{"query":"{__schema{queryType{fields{name}}}}"}'
# 5. Hunt for Swagger files
ffuf -w /path/to/swagger-wordlist.txt -u "https://target.com/FUZZ" -mc 200
๐ The Only Resources You Actually Need (Bookmark These)
- Reversing Unofficial APIs โ The methodology bible
- Clairvoyance โ GraphQL schema reconstruction
- gau โ Historical URL discovery
- Katana โ Modern web crawler with JS parsing
- Frida Scripts โ Mobile cert pinning bypass
Normal people see the website.
1Hackers see everything the website is hiding. ![]()
!