Find Hidden APIs
Step 1 – Open the Network Tab
The easiest way to find public APIs a site uses is through your browser’s DevTools.
Open any page, press F12 → go to the Network tab → filter by XHR or type “.json” in the filter box.
Reload the page and look for requests whose URL ends in .json or contains /api/.
Step 2 – Inspect Requests
Click on any request to inspect its URL, Headers, and Response.
If you see structured JSON data, that’s likely a public API endpoint used by the site.
Note the full URL — you can open it directly in a new tab.
https://example.com/data/main.json
Step 3 – Check the JavaScript Files
In DevTools → Sources tab, open any .js file and search for terms like:
"api", "fetch(", "axios(", "main.json", "/data/", "graphql"
These strings often lead to hidden or embedded API endpoints inside the code.
Step 4 – Try Common API Paths
Many sites store their public data in simple folders like:
/data/main.json
/feeds/changelog.xml
/api/v1/list
/static/feeds/
/main.json
Just replace the domain and check if the file exists.
Step 5 – Use cURL or Postman
Once you find an endpoint, test it from the command line or in Postman:
curl -s "https://example.com/api/list" | jq .
This lets you view the JSON data structure and confirm it’s valid.
Step 6 – Look for Config or Manifest Files
Some sites reveal their structure through config files.
Try checking:
/manifest.json
/static/config.js
/index.json
These files often include paths to other data endpoints.
Step 7 – Search Locally (if mirrored)
If you’ve saved the site for offline analysis, search all files for keywords like “api” or “json”.
Get-ChildItem -Recurse -File | Select-String -Pattern "fetch(", "axios(", "main.json" -SimpleMatch
Or on Linux/macOS:
grep -RF "main.json" .
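The search from Steps 3 and 7 as a script, for inventorying which endpoints a mirrored copy of your own site's JavaScript exposes. This is an added example, not part of the original guide; the function names, the HINTS list and the sample bundle are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# First string argument of fetch(...) / axios(...) / axios.get(...) calls.
CALL_RE = re.compile(r"""\b(?:fetch|axios(?:\.\w+)?)\(\s*(["'`])(.+?)\1""")
# Any quoted literal that starts with "/" or "http(s)://".
STRING_RE = re.compile(r"""(["'`])((?:https?:/)?/[^"'`\s]+)\1""")
# Substrings taken from the search terms and paths listed in Steps 3, 4 and 6.
HINTS = (".json", ".xml", "/api/", "/data/", "/feeds/", "graphql")

# Constructed sample bundle, not taken from any real site.
SAMPLE_JS = r"""
const cfg = { feed: "/feeds/changelog.xml", logo: "/img/logo.png" };
fetch("/data/main.json").then(r => r.json());
axios.get('https://example.com/api/v1/list', { params: { page: 1 } });
fetch(`/api/v1/items/${id}`);
const q = { url: "/graphql", method: "POST" };
"""


def extract_endpoints(js_source):
    """Return the sorted, de-duplicated endpoint candidates in one JS source string."""
    found = {m.group(2) for m in CALL_RE.finditer(js_source)}
    for m in STRING_RE.finditer(js_source):
        if any(hint in m.group(2) for hint in HINTS):
            found.add(m.group(2))
    return sorted(found)


def scan_mirror(root):
    """Map each .js file under root (recursively) to its endpoint candidates."""
    report = {}
    for path in sorted(Path(root).rglob("*.js")):
        hits = extract_endpoints(path.read_text(encoding="utf-8", errors="replace"))
        if hits:  # skip files with no candidates
            report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_JS):
        print(endpoint)
```

Call scan_mirror() with the folder that holds the saved site to get a per-file list; template-literal paths such as /api/v1/items/${id} are reported as written, with the placeholder left in.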
Step 8 – Respect the Rules
Always check if the data is public or allowed for reuse.
Never access private endpoints or break authentication.
If in doubt — contact the site owner or include a removal note.
"We only fetch public data. If you own this content and wish it removed, contact us."
Step 9 – Automate (Optional)
Once you’ve found stable public endpoints, automate safe syncs using GitHub Actions or serverless functions (Vercel).
This keeps your data fresh without running into browser CORS restrictions or violating the site’s ToS.
Final Words
Finding hidden APIs is detective work — not hacking.
Use it to learn how data flows, build better integrations, or create tools that connect to public sources.
Always respect creators, credits, and terms of service.