Akto is an open-source API security testing platform that automatically discovers and inventories API endpoints, then runs security tests for common vulnerabilities including BOLA/IDOR, broken authentication, injection, and business logic flaws. It integrates with LangChain and Portkey for AI-powered API discovery and test generation. Akto fits natively into CI/CD pipelines via GitHub Actions, GitLab CI, and Jenkins, and has an active community with frequent releases.
Installation
Docker Compose (Recommended)
# Clone the repo
git clone https://github.com/akto-api-security/akto
cd akto
# Start Akto with default config
docker compose up -d
# Akto dashboard available at http://localhost:9090
# Default credentials: admin@akto.io / 12345678
Docker (Single Container)
docker run -d \
--name akto \
-p 9090:9090 \
-e AKTO_MONGO_CONN="mongodb://mongo:27017" \
-e AKTO_KAFKA_BROKER_MAL="kafka:29092" \
aktosecurity/akto:latest
Kubernetes (Helm)
helm repo add akto https://charts.akto.io
helm repo update
helm install akto akto/akto \
--namespace akto \
--create-namespace \
--set ingress.host=akto.company.com \
--set persistence.size=20Gi
# Install Akto CLI
npm install -g @akto-api-security/cli
# Or with pip
pip install akto-cli
# Authenticate
akto login \
--url http://localhost:9090 \
--email admin@akto.io \
--password 12345678
Configuration
Initial Setup
# After starting Akto, configure via CLI or dashboard
akto setup \
--organization "Acme Corp" \
--email admin@company.com \
--password "$AKTO_ADMIN_PASSWORD"
# Generate API token for CI/CD use
akto token create \
--name "ci-cd-token" \
--role "api-tester" \
--expires 365d
Traffic Mirroring (Burp Suite)
# Install Akto Burp extension
# Burp Suite → Extender → BApp Store → search "Akto"
# Or download manually:
curl -O https://github.com/akto-api-security/akto/releases/latest/download/akto-burp.jar
# Configure Akto endpoint in Burp extension settings
# Dashboard URL: http://localhost:9090
# API Token: <token from dashboard>
Traffic Mirroring (NGINX)
# Add mirror directive to NGINX config
cat >> /etc/nginx/sites-available/default << 'EOF'
location /api/ {
mirror /akto-mirror;
proxy_pass http://backend;
}
location = /akto-mirror {
internal;
proxy_pass http://akto-listener:8080$request_uri;
}
EOF
nginx -t && nginx -s reload
LangChain / AI-Powered Discovery
# Configure LangChain integration for AI API discovery
akto config set ai.provider langchain
akto config set ai.openai_key "$OPENAI_API_KEY"
# Or use Portkey as a gateway
akto config set ai.provider portkey
akto config set ai.portkey_api_key "$PORTKEY_API_KEY"
akto config set ai.portkey_virtual_key "$PORTKEY_VIRTUAL_KEY"
# Enable AI-powered test generation
akto config set ai.test_generation enabled
Core Commands
| Command | Description |
|---|
akto login --url <url> --email <e> | Authenticate with Akto instance |
akto inventory list | List all discovered API collections |
akto inventory endpoints --collection <name> | List endpoints in a collection |
akto inventory import --file openapi.yaml | Import OpenAPI/Swagger spec |
akto inventory discover --url <target> | Run active API discovery against target |
akto test run --collection <name> | Run all security tests on a collection |
akto test run --collection <name> --category BOLA | Run tests for a specific category |
akto test status --id <test-run-id> | Check status of a test run |
akto test results --id <test-run-id> | Get results of a completed test run |
akto test results --id <id> --severity HIGH | Filter results by severity |
akto report generate --id <test-run-id> | Generate test report |
akto config set <key> <value> | Update a configuration value |
akto token create --name <n> --role <r> | Create an API access token |
akto token list | List existing API tokens |
akto integration add --type github | Add a CI/CD integration |
Advanced Usage
API Discovery Methods
# Passive: mirror traffic from Burp or proxy
akto inventory mirror --source burp --duration 3600
# Active: crawl an API from an OpenAPI spec
akto inventory discover \
--spec openapi.yaml \
--base-url https://api.example.com \
--auth-header "Authorization: Bearer $API_TOKEN"
# AI-powered discovery (requires LangChain config)
akto inventory discover-ai \
--url https://api.example.com \
--describe "E-commerce platform with user, order, and product APIs"
# Import from Postman collection
akto inventory import \
--format postman \
--file Acme-API.postman_collection.json
Security Test Categories
| Category | Description |
|---|
BOLA | Broken Object Level Authorization (IDOR) |
BFLA | Broken Function Level Authorization |
AUTH | Broken authentication and session management |
INJECTION | SQL, NoSQL, command injection |
XSS | Cross-site scripting in API responses |
SSRF | Server-side request forgery |
MASS_ASSIGNMENT | Unprotected parameter binding |
BUSINESS_LOGIC | Business logic abuse and rate limiting |
DATA_EXPOSURE | Sensitive data in responses |
SECURITY_MISCONFIG | Headers, CORS, TLS misconfiguration |
# Run BOLA tests only
akto test run \
--collection "Acme API v2" \
--category BOLA \
--verbose
# Run multiple categories
akto test run \
--collection "Acme API v2" \
--category "BOLA,AUTH,INJECTION"
# Run all tests with custom timeout
akto test run \
--collection "Acme API v2" \
--all \
--timeout 3600
Custom Test Templates
# List available test templates
akto templates list
# Create a custom test from template
cat > tests/custom-bola-test.yaml << 'EOF'
id: CUSTOM-BOLA-001
name: User Profile BOLA via ID Enumeration
category: BOLA
severity: HIGH
description: Attempt to access other users' profiles by modifying the user ID parameter
steps:
- name: baseline
request:
method: GET
path: "/api/v1/users/{userId}/profile"
auth: user_a
- name: exploit
request:
method: GET
path: "/api/v1/users/{other_userId}/profile"
auth: user_a
expect:
status: 403
not_contains: ["email", "phone", "address"]
EOF
# Import and run custom test
akto templates import --file tests/custom-bola-test.yaml
akto test run --collection "Acme API v2" --template CUSTOM-BOLA-001
CI/CD Integration
# GitHub Actions example
cat > .github/workflows/api-security.yml << 'EOF'
name: API Security Tests
on: [pull_request]
jobs:
akto-scan:
runs-on: ubuntu-latest
steps:
- uses: akto-api-security/run-scan@v1
with:
AKTO_DASHBOARD_URL: ${{ secrets.AKTO_URL }}
AKTO_API_KEY: ${{ secrets.AKTO_API_KEY }}
AKTO_TEST_ID: your-test-suite-id
START_TIME_DELAY: 0
SEVERITY: HIGH,CRITICAL
FAIL_ON_FINDING: true
EOF
# Run scan from CLI in CI pipeline
akto test run \
--collection "Acme API v2" \
--all \
--format sarif \
--output akto-results.sarif
# Exit with non-zero if HIGH/CRITICAL findings
akto test check \
--id $TEST_RUN_ID \
--fail-on HIGH,CRITICAL
echo "Security gate exit code: $?"
Common Workflows
Full API Security Assessment
# 1. Import API spec
akto inventory import \
--format openapi \
--file api-spec/openapi-v2.yaml \
--collection "Acme API v2"
# 2. Verify endpoint discovery
akto inventory endpoints --collection "Acme API v2" | wc -l
# 3. Configure authentication
akto auth configure \
--collection "Acme API v2" \
--type bearer \
--token "$TEST_USER_TOKEN"
# 4. Run full security scan
akto test run \
--collection "Acme API v2" \
--all \
--timeout 7200
# 5. Review results
TEST_RUN_ID=$(akto test status --latest --json | jq -r '.id')
akto test results --id $TEST_RUN_ID --severity HIGH,CRITICAL
# 6. Generate report
akto report generate \
--id $TEST_RUN_ID \
--format pdf \
--output api-security-report.pdf
BOLA/IDOR Testing Workflow
# 1. Set up two test user accounts
akto auth add-user \
--name user-a \
--token "$USER_A_TOKEN"
akto auth add-user \
--name user-b \
--token "$USER_B_TOKEN"
# 2. Run BOLA tests with both users
akto test run \
--collection "Acme API v2" \
--category BOLA \
--users "user-a,user-b" \
--verbose
# 3. Check for unauthorized cross-user access
akto test results \
--id $TEST_RUN_ID \
--category BOLA \
--format table
Continuous API Monitoring
# Set up ongoing traffic monitoring
akto monitor start \
--collection "Acme API v2" \
--source nginx-mirror \
--alert-on-new-endpoint \
--alert-email security@company.com
# Run scheduled tests daily
akto schedule create \
--collection "Acme API v2" \
--cron "0 2 * * *" \
--categories "BOLA,AUTH,INJECTION" \
--notify slack \
--slack-webhook $SLACK_WEBHOOK_URL
Tips and Best Practices
- Use traffic mirroring during initial setup to build an accurate API inventory from real usage — OpenAPI specs are often incomplete or outdated
- Configure two test users before running BOLA tests — Akto needs a victim user’s resources and an attacker user’s credentials to validate authorization bypasses
- Add Akto to your CI/CD pipeline with
--fail-on HIGH,CRITICAL to catch broken auth and IDOR regressions before they reach production
- Review new endpoint alerts from
akto monitor promptly — shadow APIs added by developers without security review are a common risk
- Use the AI-powered discovery with LangChain for complex API surfaces where crawling alone misses authenticated or POST-only endpoints
- Export results as SARIF for GitHub Advanced Security integration — findings appear inline on pull request diffs
- Do not run
--all tests in production without traffic rate limiting — some injection and brute-force tests generate many requests
- Write custom YAML templates for business logic tests that automated scanners miss — document them in your repo alongside the API spec
- Check the
DATA_EXPOSURE category on every release — APIs frequently leak PII, tokens, or internal IDs in fields that were not in the original spec
- Rotate the Akto admin password from the default immediately after install and store it in a secrets manager before connecting to any production traffic mirror
