Setting Up API Discovery

Published April 5, 2023 | Last modified May 28, 2025

Objective

This document provides instructions on configuring API Discovery on the F5® Distributed Cloud Services platform. This core capability is essential for dynamically identifying and monitoring your application's API endpoints.

This guide is specific to the API Discovery feature. For instructions about API Protection configuration, see Setting Up API Protection.

Prerequisites

Set Up API Discovery

Step 1: Find your HTTP Load Balancer.
  • Log into Console.
Figure: Console Homepage

Figure: Console Homepage

  • Click Web App & API Protection.

  • Select your namespace.

Figure: Select Namespace

Figure: Select Namespace

  • Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.
Figure: Load Balancers

Figure: Load Balancers

Step 2: Enable API Discovery.
Figure: Manage Load Balancer Configuration

Figure: Manage Load Balancer Configuration

  • For the target load balancer, click ... > Manage Configuration in the Action column.

  • Click Edit Configuration in the top-right section of the page.

  • Scroll down to the API Protection section.

  • Select Enable from the API Discovery drop-down menu. This will also expose the API discovery settings.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • Select your desired option from the Learn From Traffic With Direct Response drop-down menu. By default, API Discovery learns only from traffic with 2xx (successful) responses. You can choose to select Enable Learning From Redirect Traffic to also learn from traffic with 3xx (redirect) responses.

  • Use the Purge Duration for Inactive Discovered APIs field to specify how often to delete inactive discovered APIs. The purging occurs after the number of days you specify expires.

  • Scroll to the bottom of the page and click Save and Exit.

Step 3: Add Code Scanning API Discovery.
Figure: Add Code Base Integration

Figure: Add Code Base Integration

  • Navigate to Manage > API Management > Code Base Integration.

  • Click Add Code Base Integration.

Figure: Add Code Base Integration Form

Figure: Add Code Base Integration Form

  • Enter a name for this integration and optionally enter labels and a description.

  • Select the code base you want to integrate (GitHub, GitLab, azure, and so on) from the Code Base drop-down menu.

  • Based on your selected code base, you will need to add the required integration information (in other words, API key/username with password) to the Console. You can obtain integration information for your codebase as described in one of the options shown below.

Azure Repository Integration

In Azure DevOps:

  • Create a personal access token in Azure DevOps (under User Settings > Personal Access tokens).

  • Click New Token.

  • Set a label F5 integration.

  • Scopes: Ensure Custom defined is selected and select the following options:

    • Code: Read

    • User Profile: Read

  • Click Create. Then, copy your newly-created personal access token into the paste buffer.

Bitbucket Cloud/Server Integration

In Bitbucket:

  • Create an app password in Bitbucket.

  • Set a label F5 integration.

  • Select the following permissions:

    • Code: Read
    • Workspace: Read
    • Project: Read
    • Repositories: Read
    • Pull Requests: Read
    • Webhooks: Read

  • Click Create. Then copy your newly created app password into the paste buffer.

In Distributed Cloud Console, perform one of the following:

  • Bitbucket Cloud Integration: Enter your Bitbucket username into the Bitbucket Username field.

  • Bitbucket Server Integration: Fill in the Bitbucket Server URL and BitBucket Server Username fields.

GitHub or GitHub Enterprise Integration

In GitHub:

  • Generate a new token (classic or fine-grained) in GitHub (Settings > Developer Settings > Personal Access tokens).

  • Set a note F5 integration.

  • Set an expiration date.

  • Configure the scopes as follows:

    • Classic token

      • Read_api
      • User > read:user
      • User > user:email

    • Fine-grained

      • Repository permission > Contents:read-only
      • Repository permissions > Metadata:read-only

  • Click Generate Token. Then, copy your newly-created token into the paste buffer.

In Distributed Cloud Console, perform one of the following:

  • GitHub Integration: Enter your GitHub username into the GitHub Username field.

  • GitHub Enterprise Integration: Fill in the GitHub Hostname and GitHub Username fields.

GitLab Cloud or GitLab Enterprise Integration

In GitLab:

  • Create an access token (under Preferences > Access Tokens).

  • Set a label F5 integration.

  • Set expiration date.

  • Configure the scope as follows:

    • Read_api
    • Read_repository
    • Read_user

Click Create Personal access token. Then, copy your newly-created token into the paste buffer.

In Distributed Cloud Console, if you selected GitLab Enterprise Integration, enter your GitLab URL in the GitLab URL field.

In Distributed Cloud Console:

  • Click Configure to bring up the Secret Type form. You can either Blindfold your token/password or you can store it in the clear.

  • Paste your token/password into either the Secret to Blindfold or Secret field.

  • Click Apply to save your token.

  • Click Save and Exit.

  • Go back to your load balancer (from Step 1) and scroll down to the API Protection section.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • Make sure API discovery is enabled and click Configure under API Repositories. This will bring up an empty list of code base integrations. Click Add Item to start the list.

  • Select the code base you created above.

  • Select the API repositories you wish to include from the code base.

Figure: Select Code Base

Figure: Select Code Base

  • Scroll to the bottom and click Save and Exit.

  • You can now see in the API inventory the source of detection of API endpoints. Note that it can take up to two hours for the discovery process to run and show results.

Figure: Monitor API Endpoints

Figure: Monitor API Endpoints

Step 4: Set Up API Crawling.
  • Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.
Figure: Load Balancers

Figure: Load Balancers

Figure: Manage Load Balancer Configuration

Figure: Manage Load Balancer Configuration

  • For the target load balancer, click ... > Manage Configuration in the Action column.

  • Click Edit Configuration in the top-right section of the page.

  • Scroll down to the API Protection section.

  • Select Enable from the API Crawling drop-down menu (API Discovery must be enabled to see the API Crawling drop-down menu). This will also expose the Domains to Crawl list.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • For each domain you want to crawl,

    • Click Add Item in the Domains to Crawl list.
    • Enter the domain you want to crawl. Optionally, you can click in the Domain field and then click See Suggestions.
    • Enter the username in the User field.
    • To enter the password, click Configure to bring up the Secret Type form. You can either Blindfold your token/password or you can store it in the clear.
      • Paste your token/password into either the Secret to Blindfold or Secret field.
      • Click Apply to save your secret (password).
    • Click Apply to save your domain to the Domains to Crawl list.

  • Scroll to the bottom of the page and click Save and Exit.

  • Scanning will begin shortly. You will soon (up to 4 hours) start seeing results in your API Endpoints page for this load balancer under the Discovery Source column.

Figure: Monitor API Endpoint Sources

Figure: Monitor API Endpoint Sources

Discovery Service Reference Information

Code Discovery

  • Supported languages and frameworks:
LanguageFrameworks
JavaEE, Spring
.NetVersions 7.0, 6.0, 5.0, 3.1
PythonFlask, Django (function-based views)
JavaScriptExpress, Hapi
GoGin
  • Compatible SCM platforms:
    • Azure Repositories
    • Bitbucket (Cloud and Server)
    • GitHub (Standard and Enterprise)
    • GitLab (Standard and Enterprise)

Important: The repository scans operate at the organization level, not from the user level.

API Crawling Key Information

  • No multi-factor authentication (MFA) support.

  • Credentials are mandatory.

  • API Crawling is performed on the application client-side (not the server-side).

Troubleshooting Information

  • Scan time expectations:
Discovery MethodExpected Time
API CrawlingUp to 4 hours
New repositoriesOnce daily
Existing repositoriesOnce Daily
Token validityEvery 5 minutes

Common Issues

No Results After Expected Time
  1. Check credentials:
  • Correct username and password
  • No MFA requirements
  • Not expired
  • Proper permissions
  1. For API Crawling:
  • Using root domain
  • Website accessible via the browser
  • No geo-restrictions
  • No WAF or bot protections blocking

If the troubleshooting information above do not resolve the issue, open a support ticket for further assistance.

On this page: