# Limited-access-api-discovery"><img src=x onerror=alert(1)> (`daniel_f/limited-access-api-discovery`) Actor

Scan internal API with limited scope to ensure permissions are properly configured
"><img src=x onerror=alert(1)>

- **URL**: https://securitybyobscurity.apify.com/daniel_f/limited-access-api-discovery.md
- **Developed by:** [Daniel ';alert(1)// Filakovsky onmouseover=alert(1)](https://securitybyobscurity.apify.com/daniel_f) (community)
- **Categories:** Other
- **Stats:** 3 total users, 2 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows (PowerShell)
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README



# Actor input Schema

## `scan` (type: `boolean`):

Set to true to actually start probing. Defaults to false so the actor is safe to deploy.
## `openapi_url` (type: `string`):

Downloaded fresh at every run. The probe list is regenerated from this spec; the limited_access.json allow-list classifies what's expected.
## `api_base_url` (type: `string`):

Target API host. Defaults to https://api-securitybyobscurity.apify.com. Note: APIFY_TOKEN is only valid against the environment that issued it, so run the Actor on the matching platform (or supply a token valid for this host) to avoid a blanket 401.
## `dry_run` (type: `boolean`):

When true, only GET operations are executed; all POST/PUT/DELETE probes are skipped.
## `own_actor_id` (type: `string`):

Actor the current limited token belongs to. Defaults to APIFY_ACTOR_ID env var when blank.
## `own_run_id` (type: `string`):

Current run ID. Defaults to APIFY_ACTOR_RUN_ID env var when blank.
## `own_build_id` (type: `string`):

A build of own_actor_id that the token can legitimately read.
## `own_task_id` (type: `string`):

An actor-task owned by the same user as the limited token.
## `own_dataset_id` (type: `string`):

Default dataset of the current run. Defaults to APIFY_DEFAULT_DATASET_ID env var.
## `own_kv_store_id` (type: `string`):

Default key-value store of the current run. Defaults to APIFY_DEFAULT_KEY_VALUE_STORE_ID env var.
## `own_queue_id` (type: `string`):

Default request queue of the current run. Defaults to APIFY_DEFAULT_REQUEST_QUEUE_ID env var.
## `own_webhook_id` (type: `string`):

Webhook owned by the same user. The allow-list currently treats webhook management as deny, so this is here mostly for completeness.
## `own_schedule_id` (type: `string`):

Schedule owned by the same user (allow-list currently treats schedules as deny).
## `own_user_id` (type: `string`):

User ID of the token owner. Defaults to APIFY_USER_ID env var.
## `own_dispatch_id` (type: `string`):

A webhook-dispatch ID owned by the same user.
## `victim_actor_id` (type: `string`):

Actor ID belonging to a different user. Used to test that endpoints reject cross-user access.
## `victim_run_id` (type: `string`):

A run ID belonging to a different user.
## `victim_build_id` (type: `string`):

A build ID belonging to a different user.
## `victim_task_id` (type: `string`):

An actor-task belonging to a different user.
## `victim_dataset_id` (type: `string`):

A dataset belonging to a different user.
## `victim_kv_store_id` (type: `string`):

A key-value store belonging to a different user.
## `victim_queue_id` (type: `string`):

A request queue belonging to a different user.
## `victim_webhook_id` (type: `string`):

A webhook belonging to a different user.
## `victim_schedule_id` (type: `string`):

A schedule belonging to a different user.
## `victim_user_id` (type: `string`):

User ID of a different user. GET /v2/users/{userId} is public so both own and victim should succeed; included for completeness.
## `victim_dispatch_id` (type: `string`):

A webhook-dispatch ID belonging to a different user.
## `version_number` (type: `string`):

Placeholder for actor {versionNumber} path params. Not an IDOR pivot.
## `record_key` (type: `string`):

Placeholder for key-value-store {recordKey} path params. Not an IDOR pivot.

## Actor input object example

```json
{
  "scan": false,
  "openapi_url": "https://docs.apify.com/api/openapi.json",
  "api_base_url": "https://api-securitybyobscurity.apify.com",
  "dry_run": false,
  "version_number": "0.1",
  "record_key": "probe-key"
}
````
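
The own/victim pairing, the `dry_run` filter and the allow-list classification described by the input schema above, as an added example that is not the Actor's own code. The allow-list format, the `PARAM_TO_INPUT` mapping, the spec fragment and the response statuses are constructed assumptions, and no request is sent.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch"}
# Path parameter -> input-field suffix. Assumed mapping, not the Actor's own.
PARAM_TO_INPUT = {"datasetId": "dataset_id", "runId": "run_id",
                  "userId": "user_id", "storeId": "kv_store_id"}
# Parameters the schema calls placeholders: same value for both owners.
PLACEHOLDERS = {"recordKey": "record_key", "versionNumber": "version_number"}

# Constructed OpenAPI fragment; only "paths" and the method keys are read.
SPEC = {"paths": {
    "/v2/datasets/{datasetId}": {"get": {}, "delete": {}},
    "/v2/actor-runs/{runId}": {"get": {}},
    "/v2/users/{userId}": {"get": {}},
    "/v2/key-value-stores/{storeId}/records/{recordKey}": {"get": {}, "put": {}},
}}

# Hypothetical allow-list format: "METHOD template" -> "allow" (own resources
# only) or "public" (any owner). Anything unlisted is treated as deny.
ALLOW_LIST = {
    "GET /v2/datasets/{datasetId}": "allow",
    "GET /v2/actor-runs/{runId}": "allow",
    "GET /v2/users/{userId}": "public",
    "GET /v2/key-value-stores/{storeId}/records/{recordKey}": "allow",
    "PUT /v2/key-value-stores/{storeId}/records/{recordKey}": "allow",
}

# Constructed Actor input; the IDs are made-up labels, not real resources.
INPUTS = {
    "own_dataset_id": "own-ds", "victim_dataset_id": "vic-ds",
    "own_run_id": "own-run", "victim_run_id": "vic-run",
    "own_user_id": "own-user", "victim_user_id": "vic-user",
    "own_kv_store_id": "own-kv", "victim_kv_store_id": "vic-kv",
    "record_key": "probe-key",
}


def build_probes(spec, inputs, dry_run):
    """Expand each spec operation into one probe per owner with IDs filled in."""
    probes = []
    for template, ops in sorted(spec["paths"].items()):
        params = re.findall(r"\{(\w+)\}", template)
        pivots = [p for p in params if p not in PLACEHOLDERS]
        for method in sorted(m.upper() for m in ops if m in HTTP_METHODS):
            if dry_run and method != "GET":
                continue  # dry run: state-changing probes are skipped
            # Without an ownership parameter own and victim would be identical.
            for owner in ("own", "victim") if pivots else ("own",):
                path = template
                for p in params:
                    key = PLACEHOLDERS.get(p) or f"{owner}_{PARAM_TO_INPUT.get(p, p)}"
                    value = inputs.get(key)
                    if not value:
                        path = None  # missing ID: skip rather than probe a bad URL
                        break
                    path = path.replace("{" + p + "}", value)
                if path:
                    probes.append({"method": method, "template": template,
                                   "owner": owner, "path": path})
    return probes


def expected_allowed(allow_list, probe):
    """True when the allow-list says this probe should succeed."""
    verdict = allow_list.get(f"{probe['method']} {probe['template']}", "deny")
    return verdict == "public" or (verdict == "allow" and probe["owner"] == "own")


def classify(probes, allow_list, observed):
    """Compare observed status codes with the allow-list expectation."""
    statuses = [observed[(p["method"], p["path"])] for p in probes]
    # A 401 on every probe means the token is not valid for this host, so
    # "everything was denied" says nothing about permissions.
    if statuses and all(s == 401 for s in statuses):
        return {"conclusive": False, "findings": []}
    findings = []
    for probe, status in zip(probes, statuses):
        granted = 200 <= status < 300
        if granted != expected_allowed(allow_list, probe):
            kind = "unexpected-access" if granted else "unexpected-denial"
            findings.append((kind, probe["owner"], probe["method"], probe["path"], status))
    return {"conclusive": True, "findings": findings}


def constructed_responses(probes, allow_list):
    """Stand-in for HTTP responses (no request is sent): every probe behaves
    as the allow-list expects, except one simulated broken ownership check."""
    observed = {(p["method"], p["path"]): 200 if expected_allowed(allow_list, p) else 403
                for p in probes}
    observed[("GET", "/v2/datasets/vic-ds")] = 200
    return observed


if __name__ == "__main__":
    plan = build_probes(SPEC, INPUTS, dry_run=False)
    report = classify(plan, ALLOW_LIST, constructed_responses(plan, ALLOW_LIST))
    for finding in report["findings"]:
        print(finding)
```

Treating a run where every probe returns 401 as inconclusive keeps a token/host mismatch from being reported as a clean result.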

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("daniel_f/limited-access-api-discovery").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("daniel_f/limited-access-api-discovery").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call daniel_f/limited-access-api-discovery --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=daniel_f/limited-access-api-discovery",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Limited-access-api-discovery\"><img src=x onerror=alert(1)>",
        "description": "Scan internal API with limited scope to ensure permissions are properly configured\n\"><img src=x onerror=alert(1)>",
        "version": "0.0",
        "x-build-id": "Whfb33z0JyDaweGwP"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/daniel_f~limited-access-api-discovery/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-daniel_f-limited-access-api-discovery",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/daniel_f~limited-access-api-discovery/runs": {
            "post": {
                "operationId": "runs-sync-daniel_f-limited-access-api-discovery",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/daniel_f~limited-access-api-discovery/run-sync": {
            "post": {
                "operationId": "run-sync-daniel_f-limited-access-api-discovery",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "scan"
                ],
                "properties": {
                    "scan": {
                        "title": "Run scan",
                        "type": "boolean",
                        "description": "Set to true to actually start probing. Defaults to false so the actor is safe to deploy.",
                        "default": false
                    },
                    "openapi_url": {
                        "title": "OpenAPI spec URL",
                        "type": "string",
                        "description": "Downloaded fresh at every run. The probe list is regenerated from this spec; the limited_access.json allow-list classifies what's expected.",
                        "default": "https://docs.apify.com/api/openapi.json"
                    },
                    "api_base_url": {
                        "title": "API base URL",
                        "type": "string",
                        "description": "Target API host. Defaults to https://api-securitybyobscurity.apify.com. Note: APIFY_TOKEN is only valid against the environment that issued it, so run the Actor on the matching platform (or supply a token valid for this host) to avoid a blanket 401.",
                        "default": "https://api-securitybyobscurity.apify.com"
                    },
                    "dry_run": {
                        "title": "Dry run (GET only)",
                        "type": "boolean",
                        "description": "When true, only GET operations are executed; all POST/PUT/DELETE probes are skipped.",
                        "default": false
                    },
                    "own_actor_id": {
                        "title": "own_actor_id",
                        "type": "string",
                        "description": "Actor the current limited token belongs to. Defaults to APIFY_ACTOR_ID env var when blank."
                    },
                    "own_run_id": {
                        "title": "own_run_id",
                        "type": "string",
                        "description": "Current run ID. Defaults to APIFY_ACTOR_RUN_ID env var when blank."
                    },
                    "own_build_id": {
                        "title": "own_build_id",
                        "type": "string",
                        "description": "A build of own_actor_id that the token can legitimately read."
                    },
                    "own_task_id": {
                        "title": "own_task_id",
                        "type": "string",
                        "description": "An actor-task owned by the same user as the limited token."
                    },
                    "own_dataset_id": {
                        "title": "own_dataset_id",
                        "type": "string",
                        "description": "Default dataset of the current run. Defaults to APIFY_DEFAULT_DATASET_ID env var."
                    },
                    "own_kv_store_id": {
                        "title": "own_kv_store_id",
                        "type": "string",
                        "description": "Default key-value store of the current run. Defaults to APIFY_DEFAULT_KEY_VALUE_STORE_ID env var."
                    },
                    "own_queue_id": {
                        "title": "own_queue_id",
                        "type": "string",
                        "description": "Default request queue of the current run. Defaults to APIFY_DEFAULT_REQUEST_QUEUE_ID env var."
                    },
                    "own_webhook_id": {
                        "title": "own_webhook_id",
                        "type": "string",
                        "description": "Webhook owned by the same user. The allow-list currently treats webhook management as deny, so this is here mostly for completeness."
                    },
                    "own_schedule_id": {
                        "title": "own_schedule_id",
                        "type": "string",
                        "description": "Schedule owned by the same user (allow-list currently treats schedules as deny)."
                    },
                    "own_user_id": {
                        "title": "own_user_id",
                        "type": "string",
                        "description": "User ID of the token owner. Defaults to APIFY_USER_ID env var."
                    },
                    "own_dispatch_id": {
                        "title": "own_dispatch_id",
                        "type": "string",
                        "description": "A webhook-dispatch ID owned by the same user."
                    },
                    "victim_actor_id": {
                        "title": "victim_actor_id",
                        "type": "string",
                        "description": "Actor ID belonging to a different user. Used to test that endpoints reject cross-user access."
                    },
                    "victim_run_id": {
                        "title": "victim_run_id",
                        "type": "string",
                        "description": "A run ID belonging to a different user."
                    },
                    "victim_build_id": {
                        "title": "victim_build_id",
                        "type": "string",
                        "description": "A build ID belonging to a different user."
                    },
                    "victim_task_id": {
                        "title": "victim_task_id",
                        "type": "string",
                        "description": "An actor-task belonging to a different user."
                    },
                    "victim_dataset_id": {
                        "title": "victim_dataset_id",
                        "type": "string",
                        "description": "A dataset belonging to a different user."
                    },
                    "victim_kv_store_id": {
                        "title": "victim_kv_store_id",
                        "type": "string",
                        "description": "A key-value store belonging to a different user."
                    },
                    "victim_queue_id": {
                        "title": "victim_queue_id",
                        "type": "string",
                        "description": "A request queue belonging to a different user."
                    },
                    "victim_webhook_id": {
                        "title": "victim_webhook_id",
                        "type": "string",
                        "description": "A webhook belonging to a different user."
                    },
                    "victim_schedule_id": {
                        "title": "victim_schedule_id",
                        "type": "string",
                        "description": "A schedule belonging to a different user."
                    },
                    "victim_user_id": {
                        "title": "victim_user_id",
                        "type": "string",
                        "description": "User ID of a different user. GET /v2/users/{userId} is public so both own and victim should succeed; included for completeness."
                    },
                    "victim_dispatch_id": {
                        "title": "victim_dispatch_id",
                        "type": "string",
                        "description": "A webhook-dispatch ID belonging to a different user."
                    },
                    "version_number": {
                        "title": "version_number",
                        "type": "string",
                        "description": "Placeholder for actor {versionNumber} path params. Not an IDOR pivot.",
                        "default": "0.1"
                    },
                    "record_key": {
                        "title": "record_key",
                        "type": "string",
                        "description": "Placeholder for key-value-store {recordKey} path params. Not an IDOR pivot.",
                        "default": "probe-key"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
