api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Best use case
api-security-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi. API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.
Practical example
Example input
Use the "api-security-testing" skill to help with this workflow task. Context: API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Example output
A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.
When to use this skill
- Use this skill when you want a reusable workflow rather than writing the same prompt again and again.
When not to use this skill
- Do not use this when you only need a one-off answer and do not need a reusable workflow.
- Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/api-security-testing/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How api-security-testing Compares
| Feature / Agent | api-security-testing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Security Testing Workflow ## Overview Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities. ## When to Use This Workflow Use this workflow when: - Testing REST API security - Assessing GraphQL endpoints - Validating API authentication - Testing API rate limiting - Bug bounty API testing ## Workflow Phases ### Phase 1: API Discovery #### Skills to Invoke - `api-fuzzing-bug-bounty` - API fuzzing - `scanning-tools` - API scanning #### Actions 1. Enumerate endpoints 2. Document API methods 3. Identify parameters 4. Map data flows 5. Review documentation #### Copy-Paste Prompts ``` Use @api-fuzzing-bug-bounty to discover API endpoints ``` ### Phase 2: Authentication Testing #### Skills to Invoke - `broken-authentication` - Auth testing - `api-security-best-practices` - API auth #### Actions 1. Test API key validation 2. Test JWT tokens 3. Test OAuth2 flows 4. Test token expiration 5. Test refresh tokens #### Copy-Paste Prompts ``` Use @broken-authentication to test API authentication ``` ### Phase 3: Authorization Testing #### Skills to Invoke - `idor-testing` - IDOR testing #### Actions 1. Test object-level authorization 2. Test function-level authorization 3. Test role-based access 4. Test privilege escalation 5. Test multi-tenant isolation #### Copy-Paste Prompts ``` Use @idor-testing to test API authorization ``` ### Phase 4: Input Validation #### Skills to Invoke - `api-fuzzing-bug-bounty` - API fuzzing - `sql-injection-testing` - Injection testing #### Actions 1. Test parameter validation 2. Test SQL injection 3. Test NoSQL injection 4. Test command injection 5. Test XXE injection #### Copy-Paste Prompts ``` Use @api-fuzzing-bug-bounty to fuzz API parameters ``` ### Phase 5: Rate Limiting #### Skills to Invoke - `api-security-best-practices` - Rate limiting #### Actions 1. Test rate limit headers 2. Test brute force protection 3. Test resource exhaustion 4. Test bypass techniques 5. Document limitations #### Copy-Paste Prompts ``` Use @api-security-best-practices to test rate limiting ``` ### Phase 6: GraphQL Testing #### Skills to Invoke - `api-fuzzing-bug-bounty` - GraphQL fuzzing #### Actions 1. Test introspection 2. Test query depth 3. Test query complexity 4. Test batch queries 5. Test field suggestions #### Copy-Paste Prompts ``` Use @api-fuzzing-bug-bounty to test GraphQL security ``` ### Phase 7: Error Handling #### Skills to Invoke - `api-security-best-practices` - Error handling #### Actions 1. Test error messages 2. Check information disclosure 3. Test stack traces 4. Verify logging 5. Document findings #### Copy-Paste Prompts ``` Use @api-security-best-practices to audit API error handling ``` ## API Security Checklist - [ ] Authentication working - [ ] Authorization enforced - [ ] Input validated - [ ] Rate limiting active - [ ] Errors sanitized - [ ] Logging enabled - [ ] CORS configured - [ ] HTTPS enforced ## Quality Gates - [ ] All endpoints tested - [ ] Vulnerabilities documented - [ ] Remediation provided - [ ] Report generated ## Related Workflow Bundles - `security-audit` - Security auditing - `web-security-testing` - Web security - `api-development` - API development
Related Skills
testing-strategies
Design comprehensive testing strategies for software quality assurance. Use when planning test coverage, implementing test pyramids, or setting up testing infrastructure. Handles unit testing, integration testing, E2E testing, TDD, and testing best practices.
security-best-practices
Implement security best practices for web applications and infrastructure. Use when securing APIs, preventing common vulnerabilities, or implementing security policies. Handles HTTPS, CORS, XSS, SQL Injection, CSRF, rate limiting, and OWASP Top 10.
backend-testing
Write comprehensive backend tests including unit tests, integration tests, and API tests. Use when testing REST APIs, database operations, authentication flows, or business logic. Handles Jest, Pytest, Mocha, testing strategies, mocking, and test coverage.
wordpress-penetration-testing
This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vulnerabilities", or "use WPScan". It provides comprehensive WordPress security assessment methodologies.
web3-testing
Test smart contracts comprehensively using Hardhat and Foundry with unit tests, integration tests, and mainnet forking. Use when testing Solidity contracts, setting up blockchain test suites, or validating DeFi protocols.
web-security-testing
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
unit-testing-test-generate
Generate comprehensive, maintainable unit tests across languages with strong coverage and edge case focus.
testing-qa
Comprehensive testing and QA workflow covering unit testing, integration testing, E2E testing, browser automation, and quality assurance.
temporal-python-testing
Test Temporal workflows with pytest, time-skipping, and mocking strategies. Covers unit testing, integration testing, replay testing, and local development setup. Use when implementing Temporal workflow tests or debugging test failures.
ssh-penetration-testing
This skill should be used when the user asks to "pentest SSH services", "enumerate SSH configurations", "brute force SSH credentials", "exploit SSH vulnerabilities", "perform SSH tunneling", or "audit SSH security". It provides comprehensive SSH penetration testing methodologies and techniques.
sqlmap-database-pentesting
This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns...
sqlmap-database-penetration-testing
This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns from a vulnerable database," or "perform automated database penetration testing." It provides comprehensive guidance for using SQLMap to detect and exploit SQL injection vulnerabilities.