DAST

API                                   Description
POST /api/fetchAllDastScans           Retrieve all DAST scan/crawl runs in active or completed states (RUNNING, COMPLETED, STOP_REQUESTED, STOPPED).
POST /api/fetchDastScan               Retrieve all URLs discovered by the crawler for a specific DAST crawl run.
POST /api/fetchAvailableDastModules   Retrieve available external DAST modules that have sent a heartbeat within the last 5 minutes.
POST /api/initiateCrawler             Start a DAST crawler targeting the specified host with configured authentication, URL patterns, and crawl options.
POST /api/uploadCrawlerData           Push raw crawler traffic data for a collection to the ingestion pipeline (Kafka) for async processing.
POST /api/updateCrawlerStatus         Update the status of an existing crawl run (RUNNING, COMPLETED, FAILED, or STOPPED).
POST /api/stopCrawler                 Send a stop request to the internal DAST crawler service and mark the crawl run as STOP_REQUESTED.
POST /api/saveCrawlerUrl              Record a URL discovered during a crawl, along with provenance information and whether it was within scope.

List all DAST scan runs

POST /api/fetchAllDastScans

Returns all CrawlerRun documents that are in RUNNING, COMPLETED, STOP_REQUESTED, or STOPPED state, plus legacy records that have no status field. PENDING and FAILED runs are excluded.

Source: DastAction.fetchAllDastScans()

Body

  object (optional)

Responses

  200: List of crawler run documents. (application/json)

    crawlerRuns (CrawlerRun[], optional): All matching CrawlerRun documents.
      Example: [{"crawlId":"550e8400-e29b-41d4-a716-446655440000","hostname":"https://app.example.com","startedBy":"[email protected]","startTimestamp":1745280000,"endTimestamp":1745283600,"status":"COMPLETED","moduleName":"Internal DAST (Akto)","collectionId":1234567890,"crawlingTime":3600,"runTestAfterCrawling":true}]

    actionErrors (string[], optional)

Fetch URLs discovered in a DAST scan

POST /api/fetchDastScan

Returns all CrawlerUrl documents recorded by the crawler for the specified crawlId, representing every URL that was discovered (both in-scope and out-of-scope).

Source: DastAction.fetchDastScan()

Body

  crawlId (string, required): UUID of the crawl run whose discovered URLs to retrieve.
    Example: 550e8400-e29b-41d4-a716-446655440000

Responses

  200: List of discovered crawler URL documents. (application/json)

    crawlerUrls (CrawlerUrl[], optional): All CrawlerUrl documents for the given crawl.
      Example: [{"url":"https://app.example.com/api/products","crawlId":"550e8400-e29b-41d4-a716-446655440000","accepted":true,"timestamp":1745280120,"sourceUrl":"https://app.example.com/shop","sourceXpath":"//a[@id='products-link']","buttonText":"View Products"}]

    actionErrors (string[], optional)

List active DAST modules

POST /api/fetchAvailableDastModules

Returns all external DAST modules that have sent a heartbeat within the last 5 minutes. An empty availableModules list means only the built-in internal Akto DAST crawler is available, and selectedModuleName should be left null when calling initiateCrawler.

Source: AktoJaxAction.fetchAvailableDastModules()

Body

  object (optional)

Responses

  200: Available DAST modules returned. (application/json)

    actionErrors (string[], optional)

Start a DAST crawler run

POST /api/initiateCrawler

Creates or reuses an API collection named after the target hostname (tagging it DAST), then starts a crawl run. Supports multiple authentication strategies: username/password form auth, API key, and test role-based token extraction (via recorded login flow or login step builder). Custom HTTP headers, URL template patterns for path normalisation, and seed application pages are all supported.

If selectedModuleName is set, the named DAST module must have sent a heartbeat within the last 5 minutes; otherwise the request returns an error. If it is null, the request falls back to the internal Akto DAST crawler service.

crawlingTime must be between 600 (10 minutes) and 345600 (4 days) seconds.

Source: AktoJaxAction.initiateCrawler()

Body

  hostname (string, required): Full URL of the target application (e.g. https://app.example.com). The hostname is used as the collection name unless collectionName is provided.
    Example: https://app.example.com

  crawlingTime (integer, required): Maximum crawl duration in seconds. Must be between 600 (10 min) and 345600 (4 days).
    Example: 3600

  outscopeUrls (string, optional): Comma-separated URL paths to exclude from the crawl.
    Example: /logout,/static

  testRoleHexId (string, optional): ObjectId hex of the test role to use for cookie/token extraction. Used when neither username/password nor API key is provided.
    Example: 60a7b2c3d4e5f6a7b8c9d0e1

  username (string, optional): Username for basic/form authentication.
    Example: crawl_user

  password (string, optional): Password for basic/form authentication.
    Example: [REDACTED_PASSWORD]

  apiKey (string, optional): API key to pass to the crawler service.
    Example: [REDACTED_API_KEY]

  dashboardUrl (string, optional): Akto dashboard URL to pass to the internal crawler service.
    Example: https://app.akto.io

  runTestAfterCrawling (boolean, optional): If true, automatically triggers security tests on all discovered endpoints after the crawl completes.
    Default: false. Example: true

  selectedMiniTestingService (string, optional): Name of the mini testing service to use for post-crawl tests. Only relevant when runTestAfterCrawling is true.

  selectedModuleName (string, optional): Name of the external DAST module to use. The module must have sent a heartbeat within the last 5 minutes. Falls back to the internal Akto DAST service when null.

  collectionName (string, optional): Custom collection name. Defaults to the extracted hostname when not provided.
    Example: My App DAST

  urlTemplatePatterns (string, optional): Comma-separated URL template patterns used to normalise path parameters (e.g. /users/{id},/orders/{orderId}).
    Example: /users/{id},/orders/{orderId}

  applicationPages (string, optional): Comma-separated seed pages from which the crawl starts.
    Example: /dashboard,/profile,/checkout

Responses

  200: Crawler initiated. A CrawlerRun document is created in MongoDB. No content.
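The constraints above are easy to get wrong from a script (seconds versus minutes, a module name that is no longer sending heartbeats, list fields that must be comma-joined). The following is an added example, not Akto's own client code, that assembles the initiateCrawler body and rejects inputs the endpoint would refuse. The function name, the keyword arguments, the rule that username and password travel together, and the shape of `available_modules` (a list of module names as returned by fetchAvailableDastModules) are assumptions.

```python
# Added example (not Akto code): build and validate a POST /api/initiateCrawler body.
CRAWLING_TIME_MIN = 600      # 10 minutes, per the reference
CRAWLING_TIME_MAX = 345600   # 4 days, per the reference


def build_initiate_crawler_payload(hostname, crawling_time, *, available_modules=(),
                                   selected_module_name=None, username=None, password=None,
                                   api_key=None, test_role_hex_id=None, outscope_paths=(),
                                   url_template_patterns=(), application_pages=(),
                                   run_test_after_crawling=False, collection_name=None):
    """Return the request body as a dict, raising ValueError on inputs the API would reject."""
    if not (hostname.startswith("https://") or hostname.startswith("http://")):
        raise ValueError("hostname must be a full URL, e.g. https://app.example.com")
    if not CRAWLING_TIME_MIN <= crawling_time <= CRAWLING_TIME_MAX:
        raise ValueError(f"crawlingTime must be between {CRAWLING_TIME_MIN} "
                         f"and {CRAWLING_TIME_MAX} seconds")
    # The server errors on a module without a recent heartbeat; check client-side against
    # the names fetchAvailableDastModules returned (assumed shape: a list of names).
    if selected_module_name is not None and selected_module_name not in available_modules:
        raise ValueError(f"module {selected_module_name!r} has no recent heartbeat")
    # Assumption: form auth needs both halves; sending one of them is a mistake.
    if (username is None) != (password is None):
        raise ValueError("username and password must be given together")

    payload = {
        "hostname": hostname,
        "crawlingTime": crawling_time,
        "runTestAfterCrawling": run_test_after_crawling,
        "selectedModuleName": selected_module_name,  # null selects the internal Akto crawler
    }
    # Auth precedence follows the field descriptions: username/password or API key first,
    # the test role only when neither is provided.
    if username is not None:
        payload["username"], payload["password"] = username, password
    elif api_key is not None:
        payload["apiKey"] = api_key
    elif test_role_hex_id is not None:
        payload["testRoleHexId"] = test_role_hex_id
    # List-valued options are sent as comma-separated strings.
    for key, values in (("outscopeUrls", outscope_paths),
                        ("urlTemplatePatterns", url_template_patterns),
                        ("applicationPages", application_pages)):
        if values:
            payload[key] = ",".join(values)
    if collection_name:
        payload["collectionName"] = collection_name
    return payload


if __name__ == "__main__":
    print(build_initiate_crawler_payload(
        "https://app.example.com", 3600, username="crawl_user", password="[REDACTED]",
        outscope_paths=["/logout", "/static"], run_test_after_crawling=True))
```

The validation runs before anything leaves the client, so a bad crawlingTime or a stale module name fails fast instead of leaving a PENDING run behind.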

Upload crawler-captured traffic

POST /api/uploadCrawlerData

Pushes raw crawler traffic data (in Akto HTTP sample format) for the given collection to Kafka (topic akto.api.logs) for async ingestion.

Source: AktoJaxAction.uploadCrawlerData()

Body

  apiCollectionId (string, required): Numeric ID of the target API collection, passed as a string.
    Example: 1234567890

  crawlerData (string, required): Akto HTTP sample message JSON captured by the crawler.
    Example: {"method":"GET","path":"/api/users","requestHeaders":{"Host":"api.example.com"},"responseCode":200,"responseBody":"{\"users\":[]}"}

Responses

  200: Data queued for ingestion. No content.
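Two details in this endpoint trip up crawler integrations: apiCollectionId is a numeric ID that must be sent as a string, and crawlerData is itself a JSON string in which (as the example above shows) responseBody is a JSON-encoded string rather than a nested object. The helper below is an added example, not Akto's own code; it normalises a captured sample into that shape and checks the fields the example carries before the body is sent. The function names, the required-key list and the method set are assumptions drawn from the example, not a published schema.

```python
# Added example (not Akto code): prepare a POST /api/uploadCrawlerData body.
import json

# Keys present in the sample-message example in the reference (assumed to be required).
REQUIRED_SAMPLE_KEYS = ("method", "path", "requestHeaders", "responseCode", "responseBody")
HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}


def validate_sample(sample):
    """Raise ValueError when a captured sample lacks what the ingestion pipeline needs."""
    missing = [k for k in REQUIRED_SAMPLE_KEYS if k not in sample]
    if missing:
        raise ValueError(f"sample missing keys: {missing}")
    if str(sample["method"]).upper() not in HTTP_METHODS:
        raise ValueError(f"unexpected method {sample['method']!r}")
    if not isinstance(sample["responseCode"], int):
        raise ValueError("responseCode must be an integer")
    if not isinstance(sample["requestHeaders"], dict):
        raise ValueError("requestHeaders must be an object")
    if not isinstance(sample["responseBody"], str):
        raise ValueError("responseBody must be a JSON-encoded string, not a nested object")
    return True


def build_upload_body(api_collection_id, sample):
    """Return {"apiCollectionId": <numeric string>, "crawlerData": <sample as JSON string>}."""
    if isinstance(api_collection_id, int):
        api_collection_id = str(api_collection_id)
    if not api_collection_id.isdigit():
        raise ValueError("apiCollectionId must be a numeric ID passed as a string")
    sample = dict(sample)  # do not mutate the caller's capture
    # A crawler that parsed the response body into an object must re-serialise it,
    # matching the escaped-string form in the reference example.
    if "responseBody" in sample and not isinstance(sample["responseBody"], str):
        sample["responseBody"] = json.dumps(sample["responseBody"], separators=(",", ":"))
    validate_sample(sample)
    return {
        "apiCollectionId": api_collection_id,
        "crawlerData": json.dumps(sample, separators=(",", ":")),
    }


if __name__ == "__main__":
    # Constructed sample, mirroring the reference example with a parsed body.
    captured = {"method": "GET", "path": "/api/users",
                "requestHeaders": {"Host": "api.example.com"},
                "responseCode": 200, "responseBody": {"users": []}}
    print(build_upload_body(1234567890, captured))
```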

Update crawl run status

POST /api/updateCrawlerStatus

Updates the status of an existing crawl run identified by crawlId. Depending on the new status:

  • RUNNING — sets startTimestamp to now

  • COMPLETED — sets endTimestamp to now and triggers post-crawl security tests if runTestAfterCrawling was set when the crawl was initiated

  • FAILED — sets endTimestamp to now and stores the errorMessage

  • STOPPED — sets endTimestamp to now

Source: AktoJaxAction.updateCrawlerStatus()

Body

  crawlId (string, required): UUID of the crawl run to update.
    Example: 550e8400-e29b-41d4-a716-446655440000

  status (string, enum, required): New status to set on the crawl run.
    Possible values: RUNNING, COMPLETED, FAILED, STOPPED
    Example: COMPLETED

  errorMessage (string, optional): Error details. Only stored when status is FAILED.

Responses

  200: Status updated successfully. No content.
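The transition rules above and the listing rule for fetchAllDastScans (runs in RUNNING, COMPLETED, STOP_REQUESTED or STOPPED state plus legacy records without a status; PENDING and FAILED excluded) are compact enough to model directly, which is useful when writing an external DAST module that reports its own progress. This is an added example, not Akto's server code: the document shape follows the CrawlerRun example on this page, while the function names, the tuple return value and the constructed runs are assumptions.

```python
# Added example (not Akto code): crawl-run status transitions and the scan-listing filter.
import time

# Values accepted by updateCrawlerStatus; STOP_REQUESTED is set only by stopCrawler.
UPDATABLE_STATUSES = {"RUNNING", "COMPLETED", "FAILED", "STOPPED"}
# States that fetchAllDastScans returns; PENDING and FAILED are excluded.
LISTED_STATUSES = {"RUNNING", "COMPLETED", "STOP_REQUESTED", "STOPPED"}


def apply_status_update(run, status, error_message=None, now=None):
    """Return (updated_run, trigger_tests) reflecting what updateCrawlerStatus does.

    trigger_tests is True only on COMPLETED when runTestAfterCrawling was set at initiation.
    """
    if status not in UPDATABLE_STATUSES:
        raise ValueError(f"status must be one of {sorted(UPDATABLE_STATUSES)}")
    now = int(time.time()) if now is None else now
    updated = dict(run, status=status)   # copy; the caller's document is left untouched
    trigger_tests = False
    if status == "RUNNING":
        updated["startTimestamp"] = now
    else:                                # COMPLETED, FAILED and STOPPED all close the run
        updated["endTimestamp"] = now
    if status == "FAILED" and error_message is not None:
        updated["errorMessage"] = error_message   # stored for FAILED only
    if status == "COMPLETED" and run.get("runTestAfterCrawling"):
        trigger_tests = True
    return updated, trigger_tests


def fetch_all_dast_scans(runs):
    """Keep runs in a listed state plus legacy records with no status field."""
    return [r for r in runs if "status" not in r or r["status"] in LISTED_STATUSES]


if __name__ == "__main__":
    # Constructed run, shaped like the CrawlerRun example on this page.
    run = {"crawlId": "550e8400-e29b-41d4-a716-446655440000",
           "hostname": "https://app.example.com", "status": "PENDING",
           "runTestAfterCrawling": True}
    started, _ = apply_status_update(run, "RUNNING", now=1745280000)
    done, tests = apply_status_update(started, "COMPLETED", now=1745283600)
    print(done, "trigger tests:", tests)
    print([r.get("status") for r in fetch_all_dast_scans([run, started, done])])
```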

Stop a running crawl

POST /api/stopCrawler

Sends a stop request to the internal AKTOJAX crawler service and sets the crawl run's status to STOP_REQUESTED. The crawler service acknowledges the stop and will complete its current work before shutting down.

Source: AktoJaxAction.stopCrawler()

Body

  crawlId (string, required): UUID of the crawl run to stop.
    Example: 550e8400-e29b-41d4-a716-446655440000

Responses

  200: Stop request sent and crawl status set to STOP_REQUESTED. No content.

Record a URL discovered by the crawler

POST /api/saveCrawlerUrl

Stores a single URL that was discovered during a crawl, along with provenance information (the source page, the XPath of the triggering element, and the button text) and whether it was accepted (within the crawl scope).

Source: AktoJaxAction.saveCrawlerUrl()

Body

  url (string, required): The discovered URL.
    Example: https://app.example.com/api/products

  crawlId (string, required): UUID of the crawl run that discovered this URL.
    Example: 550e8400-e29b-41d4-a716-446655440000

  accepted (boolean, optional): Whether this URL was within the crawl scope.
    Example: true

  timestamp (integer, optional): Unix epoch when the URL was discovered.
    Example: 1745280000

  sourceUrl (string, optional): Page URL on which the link to this URL was found.
    Example: https://app.example.com/shop

  sourceXpath (string, optional): XPath of the element that triggered navigation to this URL.
    Example: //a[@id='products-link']

  buttonText (string, optional): Text content of the element that linked to this URL.
    Example: View Products

Responses

  200: URL saved successfully. No content.
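An external crawler reporting through this endpoint has to decide the accepted flag itself. The page only says accepted records whether the URL was within the crawl scope, so the rule below is an assumption: a URL is in scope when it uses http or https, sits on the same host as the hostname given to initiateCrawler, and its path is not equal to or under any outscopeUrls prefix. This is an added example, not Akto's own scoping logic; the function names and the constructed inputs are assumptions.

```python
# Added example (not Akto code): scope decision and body for POST /api/saveCrawlerUrl.
from urllib.parse import urlsplit


def in_scope(url, target_hostname, outscope_paths=()):
    """True when url is on the target host and its path is not under an excluded prefix."""
    target = urlsplit(target_hostname)
    found = urlsplit(url)
    if found.scheme not in ("http", "https"):      # mailto:, javascript:, data: etc.
        return False
    if found.netloc.lower() != target.netloc.lower():
        return False                                # other hosts, CDNs, subdomains
    path = found.path or "/"
    for excluded in outscope_paths:
        excluded = excluded.strip()
        if not excluded:
            continue
        # Match the path itself or anything below it, but not /logout-help for /logout.
        if path == excluded or path.startswith(excluded.rstrip("/") + "/"):
            return False
    return True


def build_save_crawler_url_body(url, crawl_id, target_hostname, outscope_urls="", *,
                                timestamp, source_url=None, source_xpath=None,
                                button_text=None):
    """Return the saveCrawlerUrl body.

    outscope_urls is the same comma-separated string that was passed to initiateCrawler.
    Provenance fields are included only when the crawler actually has them.
    """
    body = {
        "url": url,
        "crawlId": crawl_id,
        "accepted": in_scope(url, target_hostname, outscope_urls.split(",")),
        "timestamp": timestamp,
    }
    for key, value in (("sourceUrl", source_url), ("sourceXpath", source_xpath),
                       ("buttonText", button_text)):
        if value is not None:
            body[key] = value
    return body


if __name__ == "__main__":
    # Constructed values mirroring the field examples on this page.
    print(build_save_crawler_url_body(
        "https://app.example.com/api/products", "550e8400-e29b-41d4-a716-446655440000",
        "https://app.example.com", "/logout,/static", timestamp=1745280120,
        source_url="https://app.example.com/shop",
        source_xpath="//a[@id='products-link']", button_text="View Products"))
```

Out-of-scope URLs are still reported with accepted set to false, which matches fetchDastScan returning both in-scope and out-of-scope discoveries.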