Hi Apigee community,
We’re excited to announce some updates to our API discovery feature in Advanced API Security (our API security solution that is natively integrated with Apigee X / hybrid). These updates should help you increase the number of secure, governed APIs that you can make available for reuse by developers and AI agents, and reduce or eliminate the existence of “shadow” APIs across your organization.
Read on for more details!
What is API discovery?
API discovery is a feature of Apigee Advanced API Security that helps you discover undocumented and unmanaged APIs (also known as “shadow” APIs). These APIs can pose serious security threats: they might be outdated or misconfigured, giving bad actors an opportunity to exploit them as a pathway into your network.
As teams begin experimenting with AI and deploying new AI and agentic experiences, API sprawl will become more of a concern. Our API discovery feature is designed to help you automatically detect newly deployed APIs that aren’t yet documented, so you can bring those APIs under management and make them available to developers and agents in a secure and governable way.
What new capabilities are we launching for API discovery?
- Google Cloud-wide scope: Prior to this launch, API discovery was only supported for Google Cloud projects where Apigee was provisioned. This support was limited; we’d always intended to make it broader, and now we have. With this launch, you can now discover new and undocumented “shadow” APIs in any Google Cloud project.
- Automated, agentless discovery: Because Apigee is part of Google Cloud, we can natively observe traffic on the L7 Application Load Balancers that are receiving the requests to your backend services, without requiring you to deploy an agent or prober. Instead, we use Apigee’s Extension Processor to observe and log API activity on Google Cloud Application load balancers.
- Integration with Apigee API hub: To understand whether an observed API hostname or operation is truly an unknown “shadow” API, Apigee compares that data with cataloged API metadata in Apigee API hub. When there’s a match, you’ll see a link to the API listing in Apigee API hub. When there’s not, you’ll see a notation that it’s “unknown.” This provides signal for you to take action—for example, to document that API and add it to Apigee API hub.
API platform teams can now get a centralized view of API observations across Google Cloud projects, and automatic comparison to cataloged APIs in Apigee API hub to identify unknown, “shadow” APIs
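To make the catalog comparison described above concrete, here is an added Python example (not Apigee's implementation and not code from this announcement) that classifies observed operations against a catalog and reports the unmatched ones as "unknown". The catalog layout, hostnames, paths and function names are all hypothetical and constructed for illustration.

```python
import re
from collections import Counter

# Constructed catalog: (hostname, method, path template) -> catalog entry name.
CATALOG = {
    ("api.example.com", "GET", "/v1/orders/{id}"): "orders-api",
    ("api.example.com", "POST", "/v1/orders"): "orders-api",
    ("pay.example.com", "POST", "/v2/charges"): "payments-api",
}

# Constructed observations, as (hostname, method, raw request path).
OBSERVED = [
    ("api.example.com", "GET", "/v1/orders/1842"),
    ("api.example.com", "GET", "/v1/orders/977/"),
    ("API.example.com", "POST", "/v1/orders?dryRun=true"),
    ("pay.example.com", "POST", "/v2/charges"),
    ("pay.example.com", "POST", "/v2/refunds"),
    ("internal-test.example.com", "GET", "/debug/users/42"),
    ("internal-test.example.com", "GET", "/debug/users/43"),
]

def template_to_regex(template):
    """Turn '/v1/orders/{id}' into a regex where {param} matches one segment."""
    parts = [r"[^/]+" if re.fullmatch(r"\{[^/{}]+\}", seg) else re.escape(seg)
             for seg in template.strip("/").split("/")]
    return re.compile("/" + "/".join(parts))

def normalize(host, method, path):
    """Lower-case the host, upper-case the method, drop query and trailing slash."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return host.lower().rstrip("."), method.upper(), path

def classify(host, method, path, catalog=CATALOG):
    """Return the matching catalog entry name, or 'unknown' for a shadow API."""
    host, method, path = normalize(host, method, path)
    for (c_host, c_method, c_tmpl), entry in catalog.items():
        if (c_host, c_method) == (host, method) and template_to_regex(c_tmpl).fullmatch(path):
            return entry
    return "unknown"

def shadow_report(observed, catalog=CATALOG):
    """Count unknown operations, collapsing numeric path segments into {id}."""
    unknown = Counter()
    for host, method, path in observed:
        if classify(host, method, path, catalog) == "unknown":
            h, m, p = normalize(host, method, path)
            unknown[(h, m, re.sub(r"/\d+(?=/|$)", "/{id}", p))] += 1
    return dict(unknown)
```

Normalizing before matching matters here: without it, case differences, query strings and per-request IDs would each surface as a separate "unknown" operation and bury the real shadow APIs.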
Getting started
Ready to start testing out this capability? Check out our documentation here and talk to your account team about enabling API discovery on additional Google Cloud projects. Remember that you’ll need to already have a subscription license for Advanced API Security for your Apigee organization to access this feature.
What’s next for API discovery
This launch is just the start, and we plan to keep making improvements here. As a next step, our goal is to provide an automated way to generate agent-friendly specifications for newly discovered APIs, and add them to Apigee API hub so that they can be used as new agentic tools.
We know you might be asking: “This is all great, but I have thousands more APIs on Microsoft Azure / AWS / on-premises. Can you help me discover APIs in those environments?” The answer is: Not yet—but it’s coming. Stay tuned for more details on how we’ll be supporting API discovery in other clouds and environments.
If you’ve tried this out, please reach out and let us know what you think! We’d love to hear your feedback.