api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Best use case
api-security-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi.
Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.
Practical example
Example input
Use the "api-security-testing" skill to help with this workflow task. Context: API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Example output
A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.
When to use this skill
- Use this skill when you want a reusable workflow rather than writing the same prompt again and again.
When not to use this skill
- Do not use this when you only need a one-off answer and do not need a reusable workflow.
- Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/api-security-testing/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How api-security-testing Compares
| Feature / Agent | api-security-testing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Security Testing Workflow

## Overview

Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.

## When to Use This Workflow

Use this workflow when:

- Testing REST API security
- Assessing GraphQL endpoints
- Validating API authentication
- Testing API rate limiting
- Bug bounty API testing

## Workflow Phases

### Phase 1: API Discovery

#### Skills to Invoke

- `api-fuzzing-bug-bounty` - API fuzzing
- `scanning-tools` - API scanning

#### Actions

1. Enumerate endpoints
2. Document API methods
3. Identify parameters
4. Map data flows
5. Review documentation

#### Copy-Paste Prompts

```
Use @api-fuzzing-bug-bounty to discover API endpoints
```

### Phase 2: Authentication Testing

#### Skills to Invoke

- `broken-authentication` - Auth testing
- `api-security-best-practices` - API auth

#### Actions

1. Test API key validation
2. Test JWT tokens
3. Test OAuth2 flows
4. Test token expiration
5. Test refresh tokens

#### Copy-Paste Prompts

```
Use @broken-authentication to test API authentication
```

### Phase 3: Authorization Testing

#### Skills to Invoke

- `idor-testing` - IDOR testing

#### Actions

1. Test object-level authorization
2. Test function-level authorization
3. Test role-based access
4. Test privilege escalation
5. Test multi-tenant isolation

#### Copy-Paste Prompts

```
Use @idor-testing to test API authorization
```

### Phase 4: Input Validation

#### Skills to Invoke

- `api-fuzzing-bug-bounty` - API fuzzing
- `sql-injection-testing` - Injection testing

#### Actions

1. Test parameter validation
2. Test SQL injection
3. Test NoSQL injection
4. Test command injection
5. Test XXE injection

#### Copy-Paste Prompts

```
Use @api-fuzzing-bug-bounty to fuzz API parameters
```

### Phase 5: Rate Limiting

#### Skills to Invoke

- `api-security-best-practices` - Rate limiting

#### Actions

1. Test rate limit headers
2. Test brute force protection
3. Test resource exhaustion
4. Test bypass techniques
5. Document limitations

#### Copy-Paste Prompts

```
Use @api-security-best-practices to test rate limiting
```

### Phase 6: GraphQL Testing

#### Skills to Invoke

- `api-fuzzing-bug-bounty` - GraphQL fuzzing

#### Actions

1. Test introspection
2. Test query depth
3. Test query complexity
4. Test batch queries
5. Test field suggestions

#### Copy-Paste Prompts

```
Use @api-fuzzing-bug-bounty to test GraphQL security
```

### Phase 7: Error Handling

#### Skills to Invoke

- `api-security-best-practices` - Error handling

#### Actions

1. Test error messages
2. Check information disclosure
3. Test stack traces
4. Verify logging
5. Document findings

#### Copy-Paste Prompts

```
Use @api-security-best-practices to audit API error handling
```

## API Security Checklist

- [ ] Authentication working
- [ ] Authorization enforced
- [ ] Input validated
- [ ] Rate limiting active
- [ ] Errors sanitized
- [ ] Logging enabled
- [ ] CORS configured
- [ ] HTTPS enforced

## Quality Gates

- [ ] All endpoints tested
- [ ] Vulnerabilities documented
- [ ] Remediation provided
- [ ] Report generated

## Related Workflow Bundles

- `security-audit` - Security auditing
- `web-security-testing` - Web security
- `api-development` - API development