{
  "openapi": "3.0.1",
  "info": {
    "title": "Limited-access-api-discovery\"><img src=x onerror=alert(1)>",
    "description": "Scan internal API with limited scope to ensure permissions are properly configured\n\"><img src=x onerror=alert(1)>",
    "version": "0.0",
    "x-build-id": "Whfb33z0JyDaweGwP"
  },
  "servers": [
    {
      "url": "https://api.apify.com/v2"
    }
  ],
  "paths": {
    "/acts/daniel_f~limited-access-api-discovery/run-sync-get-dataset-items": {
      "post": {
        "operationId": "run-sync-get-dataset-items-daniel_f-limited-access-api-discovery",
        "x-openai-isConsequential": false,
        "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
        "tags": [
          "Run Actor"
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/inputSchema"
              }
            }
          }
        },
        "parameters": [
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
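            },
            "description": "Enter your Apify token here. Because it is sent in the URL query string, it can be captured in access logs, proxies and browser history; treat logged request URLs as secrets."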
          }
        ],
        "responses": {
          "200": {
            "description": "OK"
          }
        }
      }
    },
    "/acts/daniel_f~limited-access-api-discovery/runs": {
      "post": {
        "operationId": "runs-sync-daniel_f-limited-access-api-discovery",
        "x-openai-isConsequential": false,
        "summary": "Executes an Actor and returns information about the initiated run in response.",
        "tags": [
          "Run Actor"
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/inputSchema"
              }
            }
          }
        },
        "parameters": [
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
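            },
            "description": "Enter your Apify token here. Because it is sent in the URL query string, it can be captured in access logs, proxies and browser history; treat logged request URLs as secrets."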
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/runsResponseSchema"
                }
              }
            }
          }
        }
      }
    },
    "/acts/daniel_f~limited-access-api-discovery/run-sync": {
      "post": {
        "operationId": "run-sync-daniel_f-limited-access-api-discovery",
        "x-openai-isConsequential": false,
        "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
        "tags": [
          "Run Actor"
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/inputSchema"
              }
            }
          }
        },
        "parameters": [
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
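            },
            "description": "Enter your Apify token here. Because it is sent in the URL query string, it can be captured in access logs, proxies and browser history; treat logged request URLs as secrets."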
          }
        ],
        "responses": {
          "200": {
            "description": "OK"
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "inputSchema": {
        "type": "object",
        "required": [
          "scan"
        ],
        "properties": {
          "scan": {
            "title": "Run scan",
            "type": "boolean",
            "description": "Set to true to actually start probing. Defaults to false so the actor is safe to deploy.",
            "default": false
          },
          "openapi_url": {
            "title": "OpenAPI spec URL",
            "type": "string",
            "description": "Downloaded fresh at every run. The probe list is regenerated from this spec; the limited_access.json allow-list classifies which operations are expected to be allowed and which denied.",
            "default": "https://docs.apify.com/api/openapi.json"
          },
          "api_base_url": {
            "title": "API base URL",
            "type": "string",
            "description": "Target API host. Defaults to https://api-securitybyobscurity.apify.com. Note: APIFY_TOKEN is only valid against the environment that issued it, so run the Actor on the matching platform (or supply a token valid for this host) to avoid a blanket 401.",
            "default": "https://api-securitybyobscurity.apify.com"
          },
          "dry_run": {
            "title": "Dry run (GET only)",
            "type": "boolean",
            "description": "When true, only GET operations are executed; all POST/PUT/DELETE probes are skipped. Defaults to false, so a scan with default settings also sends the write-method probes.",
            "default": false
          },
          "own_actor_id": {
            "title": "own_actor_id",
            "type": "string",
            "description": "Actor the current limited token belongs to. Defaults to APIFY_ACTOR_ID env var when blank."
          },
          "own_run_id": {
            "title": "own_run_id",
            "type": "string",
            "description": "Current run ID. Defaults to APIFY_ACTOR_RUN_ID env var when blank."
          },
          "own_build_id": {
            "title": "own_build_id",
            "type": "string",
            "description": "A build of own_actor_id that the token can legitimately read."
          },
          "own_task_id": {
            "title": "own_task_id",
            "type": "string",
            "description": "An actor-task owned by the same user as the limited token."
          },
          "own_dataset_id": {
            "title": "own_dataset_id",
            "type": "string",
            "description": "Default dataset of the current run. Defaults to APIFY_DEFAULT_DATASET_ID env var."
          },
          "own_kv_store_id": {
            "title": "own_kv_store_id",
            "type": "string",
            "description": "Default key-value store of the current run. Defaults to APIFY_DEFAULT_KEY_VALUE_STORE_ID env var."
          },
          "own_queue_id": {
            "title": "own_queue_id",
            "type": "string",
            "description": "Default request queue of the current run. Defaults to APIFY_DEFAULT_REQUEST_QUEUE_ID env var."
          },
          "own_webhook_id": {
            "title": "own_webhook_id",
            "type": "string",
            "description": "Webhook owned by the same user. The allow-list currently treats webhook management as deny, so this is here mostly for completeness."
          },
          "own_schedule_id": {
            "title": "own_schedule_id",
            "type": "string",
            "description": "Schedule owned by the same user (allow-list currently treats schedules as deny)."
          },
          "own_user_id": {
            "title": "own_user_id",
            "type": "string",
            "description": "User ID of the token owner. Defaults to APIFY_USER_ID env var."
          },
          "own_dispatch_id": {
            "title": "own_dispatch_id",
            "type": "string",
            "description": "A webhook-dispatch ID owned by the same user."
          },
          "victim_actor_id": {
            "title": "victim_actor_id",
            "type": "string",
            "description": "Actor ID belonging to a different user. Used to test that endpoints reject cross-user access."
          },
          "victim_run_id": {
            "title": "victim_run_id",
            "type": "string",
            "description": "A run ID belonging to a different user."
          },
          "victim_build_id": {
            "title": "victim_build_id",
            "type": "string",
            "description": "A build ID belonging to a different user."
          },
          "victim_task_id": {
            "title": "victim_task_id",
            "type": "string",
            "description": "An actor-task belonging to a different user."
          },
          "victim_dataset_id": {
            "title": "victim_dataset_id",
            "type": "string",
            "description": "A dataset belonging to a different user."
          },
          "victim_kv_store_id": {
            "title": "victim_kv_store_id",
            "type": "string",
            "description": "A key-value store belonging to a different user."
          },
          "victim_queue_id": {
            "title": "victim_queue_id",
            "type": "string",
            "description": "A request queue belonging to a different user."
          },
          "victim_webhook_id": {
            "title": "victim_webhook_id",
            "type": "string",
            "description": "A webhook belonging to a different user."
          },
          "victim_schedule_id": {
            "title": "victim_schedule_id",
            "type": "string",
            "description": "A schedule belonging to a different user."
          },
          "victim_user_id": {
            "title": "victim_user_id",
            "type": "string",
            "description": "User ID of a different user. GET /v2/users/{userId} is public so both own and victim should succeed; included for completeness."
          },
          "victim_dispatch_id": {
            "title": "victim_dispatch_id",
            "type": "string",
            "description": "A webhook-dispatch ID belonging to a different user."
          },
          "version_number": {
            "title": "version_number",
            "type": "string",
            "description": "Placeholder for actor {versionNumber} path params. Not an IDOR (insecure direct object reference) pivot.",
            "default": "0.1"
          },
          "record_key": {
            "title": "record_key",
            "type": "string",
            "description": "Placeholder for key-value-store {recordKey} path params. Not an IDOR pivot.",
            "default": "probe-key"
          }
        }
      },
      "runsResponseSchema": {
        "type": "object",
        "properties": {
          "data": {
            "type": "object",
            "properties": {
              "id": {
                "type": "string"
              },
              "actId": {
                "type": "string"
              },
              "userId": {
                "type": "string"
              },
              "startedAt": {
                "type": "string",
                "format": "date-time",
                "example": "2025-01-08T00:00:00.000Z"
              },
              "finishedAt": {
                "type": "string",
                "format": "date-time",
                "example": "2025-01-08T00:00:00.000Z"
              },
              "status": {
                "type": "string",
                "example": "READY"
              },
              "meta": {
                "type": "object",
                "properties": {
                  "origin": {
                    "type": "string",
                    "example": "API"
                  },
                  "userAgent": {
                    "type": "string"
                  }
                }
              },
              "stats": {
                "type": "object",
                "properties": {
                  "inputBodyLen": {
                    "type": "integer",
                    "example": 2000
                  },
                  "rebootCount": {
                    "type": "integer",
                    "example": 0
                  },
                  "restartCount": {
                    "type": "integer",
                    "example": 0
                  },
                  "resurrectCount": {
                    "type": "integer",
                    "example": 0
                  },
                  "computeUnits": {
                    "type": "integer",
                    "example": 0
                  }
                }
              },
              "options": {
                "type": "object",
                "properties": {
                  "build": {
                    "type": "string",
                    "example": "latest"
                  },
                  "timeoutSecs": {
                    "type": "integer",
                    "example": 300
                  },
                  "memoryMbytes": {
                    "type": "integer",
                    "example": 1024
                  },
                  "diskMbytes": {
                    "type": "integer",
                    "example": 2048
                  }
                }
              },
              "buildId": {
                "type": "string"
              },
              "defaultKeyValueStoreId": {
                "type": "string"
              },
              "defaultDatasetId": {
                "type": "string"
              },
              "defaultRequestQueueId": {
                "type": "string"
              },
              "buildNumber": {
                "type": "string",
                "example": "1.0.0"
              },
              "containerUrl": {
                "type": "string"
              },
              "usage": {
                "type": "object",
                "properties": {
                  "ACTOR_COMPUTE_UNITS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_WRITES": {
                    "type": "integer",
                    "example": 1
                  },
                  "KEY_VALUE_STORE_LISTS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_INTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_EXTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_SERPS": {
                    "type": "integer",
                    "example": 0
                  }
                }
              },
              "usageTotalUsd": {
                "type": "number",
                "example": 0.00005
              },
              "usageUsd": {
                "type": "object",
                "properties": {
                  "ACTOR_COMPUTE_UNITS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_WRITES": {
                    "type": "number",
                    "example": 0.00005
                  },
                  "KEY_VALUE_STORE_LISTS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_INTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_EXTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_SERPS": {
                    "type": "integer",
                    "example": 0
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}