# GraphQL API Scanning

Aikido can scan your GraphQL API endpoints to uncover vulnerabilities specific to GraphQL. One of the methods we use is API fuzzing, which essentially means sending a large volume of dangerous payloads to each field in your API.

> NEVER do this setup on a production environment, but always on staging to avoid potential downtime or interference.

### Main Use Cases <a href="#main-use-cases" id="main-use-cases"></a>

You can see all checks in the [Aikido app here](https://app.aikido.dev/domains/checks?scanner=graphql).

### Setting up GraphQL API Scanning <a href="#setting-up-graphql-api-scanning" id="setting-up-graphql-api-scanning"></a>

**Step 1:** Click **Add Domain** in the [Domain Overview](https://app.aikido.dev/domains) and select **GraphQL** scanning.

![Application type selection screen for security testing of web and API applications.](/files/NqBcf5D3VefbQR52LUvX)

**Step 2:** Enter the domain name of your **staging environment**. Ensure this is the base URL for your GraphQL API (e.g., `https://example.io/graphql`).

![Input field for entering a GraphQL endpoint domain name.](/files/PSrMYLOjbVgn3AhRF8PC)

**Step 3:** Click **Save**. Aikido will now scan your GraphQL API.

**Step 4 (Authorization):** You can also add authorization information if this is required to talk to your API. To do so, click the three-dot action menu on the domain, then choose **Authenticate Domain**.

![Domain action menu offering scan, configuration, authentication, and delete options.](/files/XiuAcAZyfj2e26ExXyTJ)

This will trigger the modal where you can fill in the authentication details. For the full list of supported authentication methods, see [Authenticated API Scanning for REST/GraphQL](/dast-surface-monitoring/api-scanning/authenticated-api-scanning-for-rest-graphql.md).

![Domain authentication setup form for enabling form-based login credentials.](/files/WFWDbXkPJAgruB7Qrgdi)

### Identifying Aikido traffic

All requests coming from Aikido REST and GraphQL scans will have:

* the `User-Agent` header set to `aikido-scan-agent/1.0`
* the request header `aikido-api-test` set to `1`
* a source address from the [IP addresses documented here](/dast-surface-monitoring/allowing-ip-addresses-for-dast-surface-monitoring.md)
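As an added example (not Aikido's own code), the following check combines the three markers above so a GraphQL endpoint can recognise genuine scanner traffic on staging, treat requests that carry the scan headers from an undocumented source as impersonation, and refuse scanner traffic on production, where this setup should never run. The two CIDR ranges, the environment names and the action strings are placeholders assumed for the example; the real allowlist is on the linked IP addresses page.

```python
import ipaddress
from typing import Mapping

# Markers documented for Aikido REST/GraphQL scan traffic.
AIKIDO_USER_AGENT = "aikido-scan-agent/1.0"
AIKIDO_TEST_HEADER = "aikido-api-test"

# Placeholder ranges constructed for this example only; substitute the
# ranges from Aikido's "allowing IP addresses" documentation page.
AIKIDO_SOURCE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def classify_request(headers: Mapping[str, str], remote_ip: str,
                     allowed_ranges=AIKIDO_SOURCE_RANGES) -> str:
    """Return 'aikido-scan', 'spoofed-scan-markers' or 'regular'.

    Header names are compared case-insensitively, as HTTP requires.
    Both markers must be present before the source IP is even considered.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    has_markers = (
        lower.get("user-agent", "") == AIKIDO_USER_AGENT
        and lower.get(AIKIDO_TEST_HEADER, "") == "1"
    )
    if not has_markers:
        return "regular"
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        # Unparseable peer address: never trust the headers alone.
        return "spoofed-scan-markers"
    if any(ip in net for net in allowed_ranges):
        return "aikido-scan"
    return "spoofed-scan-markers"


def decide_action(environment: str, headers: Mapping[str, str], remote_ip: str) -> str:
    """Policy hook for a GraphQL handler: 'allow', 'allow-unthrottled' or 'reject'."""
    verdict = classify_request(headers, remote_ip)
    if verdict == "regular":
        return "allow"
    if verdict == "spoofed-scan-markers":
        return "reject"  # scan markers without a documented source IP
    # Genuine scanner: exempt from rate limiting on staging only; fuzzing
    # is not something a production endpoint should accept.
    return "allow-unthrottled" if environment == "staging" else "reject"
```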

