Detect exposed GraphQL endpoints and analyze schemas for sensitive data, dangerous mutations, and security misconfigurations.
Probes 10+ common GraphQL paths to find exposed endpoints
Tests if full schema introspection is enabled in production
Identifies types and fields that may expose PII, credentials, or secrets
Catalogs all queries, mutations, and types with security scoring
GraphQL introspection lets any client that can reach the endpoint enumerate the entire API schema: every query, mutation, type, field, and argument. That is convenient in development, but in production it hands an attacker the same map your own developers use. With the schema in hand they can find sensitive fields (password hashes, tokens, API keys), spot privileged or destructive mutations, and craft targeted requests without guessing. The OWASP GraphQL Cheat Sheet recommends disabling introspection in production, and Apollo Server turns it off by default when NODE_ENV is set to production. Treat that as defense in depth rather than a complete control: every field and mutation still needs server-side authorization, and if the server keeps field-name suggestions in its error messages ("Did you mean ...?"), much of the schema can still be reconstructed by guessing.
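The scan described above, as an added example that is not the tool's own code: it posts a minimal introspection query to a list of common paths, checks whether the response carries a `__schema`, and then catalogs the root operations while flagging field and mutation names by heuristic patterns. The path list, the name patterns, and the 0-100 scoring weights are assumptions made for this example; the sample responses at the bottom are constructed so the analysis runs offline.

```python
"""Added example (not the tool's own code): probe common GraphQL paths for
introspection and score the returned schema for sensitive fields and
dangerous mutations. Offline analysis runs on a constructed sample response."""
import json
import re
import urllib.error
import urllib.request

# Paths commonly used for GraphQL endpoints (assumed list, not the tool's).
COMMON_PATHS = [
    "/graphql", "/api/graphql", "/graphql/v1", "/v1/graphql", "/graphiql",
    "/playground", "/query", "/gql", "/api", "/graphql/console",
]

# Minimal introspection query: enough to enumerate types, fields and the root
# operation types without pulling every description and argument.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types { kind name fields { name } }
  }
}
"""

# Heuristic name patterns (assumptions for this example).
SENSITIVE_FIELD = re.compile(
    r"password|passwd|secret|token|api_?key|private_?key|ssn|credit_?card|salt|otp", re.I)
DANGEROUS_MUTATION = re.compile(
    r"delete|remove|drop|reset|promote|admin|grant|impersonate|disable|purge", re.I)


def introspection_enabled(response):
    """True if the JSON body carries a __schema, i.e. introspection answered."""
    data = response.get("data") or {}
    return isinstance(data.get("__schema"), dict)


def probe_endpoint(base_url, path, timeout=5):
    """POST the introspection query to base_url+path; return parsed JSON or None."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, ValueError, OSError):
        return None  # not a GraphQL endpoint, not JSON, or not reachable


def analyze_schema(response):
    """Catalog root operations, flag risky names, and compute a 0-100 risk score."""
    schema = response["data"]["__schema"]
    query_root = (schema.get("queryType") or {}).get("name")
    mutation_root = (schema.get("mutationType") or {}).get("name")
    out = {"queries": [], "mutations": [], "types": 0,
           "sensitive_fields": [], "dangerous_mutations": []}
    for t in schema["types"]:
        if t["name"].startswith("__"):  # skip the introspection meta-types
            continue
        out["types"] += 1
        for f in t.get("fields") or []:
            if t["name"] == query_root:
                out["queries"].append(f["name"])
            elif t["name"] == mutation_root:
                out["mutations"].append(f["name"])
                if DANGEROUS_MUTATION.search(f["name"]):
                    out["dangerous_mutations"].append(f["name"])
            elif SENSITIVE_FIELD.search(f["name"]):
                out["sensitive_fields"].append(f'{t["name"]}.{f["name"]}')
    # Assumed weighting: an exposed schema starts at 20, each finding adds to it.
    out["score"] = min(100, 20 + 15 * len(out["sensitive_fields"])
                       + 20 * len(out["dangerous_mutations"]))
    return out


def scan(base_url):
    """Try each path; return (path, findings) for the first introspectable one."""
    for path in COMMON_PATHS:
        resp = probe_endpoint(base_url, path)
        if resp and introspection_enabled(resp):
            return path, analyze_schema(resp)
    return None, None


# Constructed sample of what an introspectable server returns (not real data).
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [{"name": "me"}, {"name": "users"}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "login"}, {"name": "deleteUser"}, {"name": "promoteToAdmin"}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id"}, {"name": "email"}, {"name": "passwordHash"}, {"name": "apiKey"}]},
        {"kind": "OBJECT", "name": "__Schema", "fields": [{"name": "types"}]},
    ]}}}

# Constructed response from a server that has introspection disabled.
DISABLED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}

if __name__ == "__main__":
    print(json.dumps(analyze_schema(SAMPLE_RESPONSE), indent=2))
```

Against a live target, `scan("https://example.test")` walks the path list and stops at the first endpoint whose response contains `data.__schema`; a server with introspection disabled typically returns an `errors` array instead, which `introspection_enabled` treats as a negative result. Name matching is only a triage heuristic: a field called `passwordHash` is worth a look, but whether it is actually exposed depends on the resolver's authorization, which introspection cannot tell you.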