The Testing API allows you to generate security tests for your API endpoints and retrieve global testing environment configurations.
Generate Test for Endpoint Generate a security test for a specific endpoint.
curl 'https://<your-metlo-instance>/api/v1/gen-test-endpoint?endpoint=/api/users&host=api.example.com&method=GET' \ -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Query Parameters The endpoint path to generate tests for (e.g., /api/users/{id})
The hostname where the endpoint is located
HTTP method: GET, POST, PUT, PATCH, DELETE, etc.
Response Whether test generation was successful
Name of the test template used
Version of the test template
Generated test configuration object
Error message if generation failed
{ "success" : true , "templateName" : "authentication_bypass" , "templateVersion" : 1 , "test" : { "id" : "test_550e8400" , "name" : "Authentication Bypass Test" , "endpoint" : "/api/users/{id}" , "method" : "GET" , "requests" : [ { "description" : "Attempt to access without auth header" , "headers" : {}, "expectedStatus" : 401 }, { "description" : "Attempt with invalid auth token" , "headers" : { "Authorization" : "Bearer invalid_token" }, "expectedStatus" : 401 } ] } }
Error Response { "success" : false , "msg" : "Could not find endpoint." }
Generate Tests for Host Generate tests for all endpoints on a specific host.
curl 'https://<your-metlo-instance>/api/v1/gen-test-endpoints?host=api.example.com' \ -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Query Parameters The hostname to generate tests for
Response Returns an array of test configurations for all endpoints on the specified host:
[ { "success" : true , "templateName" : "authentication_bypass" , "templateVersion" : 1 , "endpoint" : "/api/users" , "method" : "GET" , "test" : { /* test config */ } }, { "success" : true , "templateName" : "sql_injection" , "templateVersion" : 1 , "endpoint" : "/api/users/{id}" , "method" : "GET" , "test" : { /* test config */ } }, { "success" : false , "endpoint" : "/api/internal/status" , "method" : "GET" , "msg" : "No suitable test template found" } ]
Get Global Testing Environment Retrieve the global environment variables and configuration for testing.
curl 'https://<your-metlo-instance>/api/v1/testing/global-env' \ -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Response Global environment variables for testing
Returns the global environment configuration, or an empty array if not configured:
{ "baseUrl" : "https://api.example.com" , "authToken" : "{{AUTH_TOKEN}}" , "testUserId" : "test-user-123" , "timeout" : 5000 , "retries" : 3 , "headers" : { "X-API-Version" : "v1" , "User-Agent" : "Metlo-Testing/1.0" } }
If no global environment is configured, the endpoint returns an empty array [] instead of an error.
Test Types Metlo can generate various types of security tests:
Authentication Bypass Tests for authentication vulnerabilities
SQL Injection Tests for SQL injection vulnerabilities
XSS (Cross-Site Scripting) Tests for XSS vulnerabilities
BOLA (Broken Object Level Auth) Tests for authorization issues
Mass Assignment Tests for mass assignment vulnerabilities
Rate Limiting Tests for rate limiting implementation
Test Configuration Structure Generated tests follow this structure:
interface TestConfig { id : string name : string description ?: string endpoint : string method : string requests : TestRequest [] assertions ?: Assertion [] } interface TestRequest { description : string headers ?: Record < string , string > body ?: any queryParams ?: Record < string , string > expectedStatus ?: number expectedResponse ?: any } interface Assertion { type : string field : string condition : string value : any }
Use Cases Generate Tests for All Critical Endpoints # Get all high-risk endpoints curl 'https://<your-metlo-instance>/api/v1/endpoints?riskScores=HIGH' \ -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \ > endpoints.json # Generate tests for each endpoint for endpoint in $( jq -r '.[].path' endpoints.json ); do host = $( jq -r '.[] | select(.path=="' $endpoint '") | .host' endpoints.json ) method = $( jq -r '.[] | select(.path=="' $endpoint '") | .method' endpoints.json ) curl "https://<your-metlo-instance>/api/v1/gen-test-endpoint?endpoint= $endpoint &host= $host &method= $method " \ -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \ > "test_${ endpoint // \/ / _ }.json" done
Batch Test Generation Generate tests for all endpoints on your production API:
import requests api_key = 'metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' base_url = 'https://<your-metlo-instance>' headers = { 'Authorization' : api_key} # Get all hosts response = requests.get( f ' { base_url } /api/v1/hosts' , headers = headers) hosts = [h[ 'host' ] for h in response.json()] # Generate tests for each host for host in hosts: print ( f "Generating tests for { host } ..." ) response = requests.get( f ' { base_url } /api/v1/gen-test-endpoints' , params = { 'host' : host}, headers = headers ) tests = response.json() successful = sum ( 1 for t in tests if t.get( 'success' )) print ( f " Generated { successful } / { len (tests) } tests" )
While there’s no direct API to update the global environment via the REST API shown in the source code, you can retrieve it to understand the current configuration:
const response = await fetch ( 'https://<your-metlo-instance>/api/v1/testing/global-env' , { headers: { 'Authorization' : 'metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' } } ); const globalEnv = await response . json (); if ( Array . isArray ( globalEnv ) && globalEnv . length === 0 ) { console . log ( 'No global environment configured' ); } else { console . log ( 'Global environment:' , globalEnv ); }
Integration with CI/CD Integrate Metlo’s test generation into your CI/CD pipeline:
# GitHub Actions example name : API Security Tests on : push : branches : [ main ] schedule : - cron : '0 0 * * *' # Daily jobs : security-tests : runs-on : ubuntu-latest steps : - name : Generate tests from Metlo run : | curl 'https://<your-metlo-instance>/api/v1/gen-test-endpoints?host=api.example.com' \ -H 'Authorization: ${{ secrets.METLO_API_KEY }}' \ -o tests.json - name : Run generated tests run : | # Use your preferred test runner npm run test:security tests.json
Error Responses 400 Bad Request - Missing Parameters Returned when the required endpoint or host parameter is missing.
404 Not Found - Endpoint Not Found { "success" : false , "msg" : "Could not find endpoint." }
Returned when the specified endpoint doesn’t exist in Metlo’s database.
Best Practices
Generate Tests After Discovery
After Metlo discovers new endpoints, generate security tests to ensure they’re properly secured.
Integrate generated tests into your CI/CD pipeline for continuous security testing.
Always review generated tests before running them against production to ensure they won’t cause unintended side effects.
Use the generated tests as a starting point and customize them for your specific security requirements.
Run generated tests against staging environments before production.
Next Steps
Endpoints API Learn about managing endpoints
Alerts API View security alerts from test results