Skip to content
Santiago Gimenez Ocano edited this page Jun 9, 2026 · 2 revisions

Frequently Asked Questions

What types of APIs can Vespasian discover?

Vespasian discovers REST APIs (generating OpenAPI 3.0 specs), GraphQL APIs (generating SDL schemas via introspection or traffic inference), and SOAP/WSDL services (generating WSDL documents). It automatically detects the API type from captured traffic, or you can specify it explicitly with --api-type.

How is Vespasian different from running a web crawler?

Standard web crawlers follow HTML links and index pages. Vespasian intercepts all HTTP traffic from a headless browser, including XHR/fetch API calls, WebSocket upgrades, and dynamically constructed requests that don't appear in HTML. It then classifies those requests by API type and generates structured specifications, not just URL lists.

Does Vespasian find undocumented APIs?

Vespasian discovers any API endpoint that the application calls during the crawl. If the frontend calls /api/internal/debug at runtime, Vespasian will capture and document it, even if it doesn't appear in any published API documentation.

Can I use Vespasian with traffic I've already captured?

Yes. If you've already captured traffic using Burp Suite, browser dev tools (HAR), or mitmproxy, use vespasian import to convert it to the capture format, then vespasian generate to produce specifications. No re-crawling needed.

Does Vespasian handle GraphQL servers that disable introspection?

Yes. Vespasian uses a tiered introspection strategy. If the full introspection query is blocked, it tries progressively simpler queries. If all introspection is disabled, it falls back to inferring the schema from observed queries and mutations in the captured traffic.

Is it safe to run against production?

Vespasian's crawl stage drives a browser and follows links, which is read-only. The probing stage sends OPTIONS requests, fetches ?wsdl documents, and runs GraphQL introspection queries — all read-only operations. However, always coordinate with the target owner and prefer staging environments during security assessments.

What output formats does Vespasian support?

Vespasian outputs OpenAPI 3.0 (YAML/JSON) for REST APIs, GraphQL SDL for GraphQL APIs, and WSDL XML for SOAP services.

Can Vespasian discover APIs in single-page applications?

Yes. By default Vespasian drives a headless Chrome browser (via go-rod) with full JavaScript execution, intercepting all HTTP traffic including XHR/fetch calls and dynamically constructed requests that SPAs make at runtime. A lightweight, dependency-free net/http crawler is also available via --headless=false, but it does not execute JavaScript — use the default headless mode for SPAs.

How does Vespasian handle authentication?

Use the -H flag to inject authentication headers into the headless browser's requests:

vespasian scan https://app.example.com -H "Authorization: Bearer <token>" -o api.yaml

Can I integrate Vespasian with other security tools?

Yes. Vespasian outputs standard specification formats (OpenAPI, GraphQL SDL, WSDL) that can be consumed by other tools. For example, you can pass the output directly to Hadrian for automated authorization testing. The proxy flag (--proxy) also lets you route traffic through Burp Suite during crawling.

See Also

Clone this wiki locally