If you own an enterprise API platform, you’ve probably had this conversation in the last six months: “We need to inventory everything for the security audit. Where do our APIs actually live?”
Enterprise organizations typically have multiple gateways in the mix, often deployed for different reasons by different teams. Each one has its own catalog, its own auth model, its own conventions. Without federation, most platform teams end up with a partial picture: the APIs they know about, plus whatever they can manually reconcile from each gateway’s catalog. The gaps don’t go away, they just get rediscovered during audits, migrations, or onboarding.
The downstream consequences add up:
- Developers can’t find what exists
- Security teams can’t audit what they can’t see
- Platform teams can’t enforce standards across systems
- Agents and AI workflows need a complete picture of available services to operate effectively
Federation is the answer. Rather than forcing teams to migrate APIs to a single platform, you reach into each source and surface what’s there in a unified view. Anypoint customers have been federating agents and MCP servers already and now with this release, the same pattern extends to traditional APIs across:
- Amazon API Gateway
- Azure API Management
- Kong
- Google Apigee
Configuration is per scanner, per gateway. You can run multiple scanners against the same gateway (one per AWS region, for example), and the same asset discovered by multiple scans surface only once. It’s a complete, continuously updated catalog spanning every gateway your teams use, with administrator-controlled review workflows for governance-sensitive teams.
How it works
An API Scanner is a managed component that runs inside Anypoint. It authenticates to your gateway using credentials you provide, identifies active services either manually or on a schedule, and writes those discovered assets back to Anypoint Exchange.
Some details worth knowing:
- Scanners operate within the permissions you grant them. For discovery and cataloging, only read access to your gateway is required
- Each scanner has a mode. Auto-resolve flows changes into Exchange automatically. Manual review queues changes for administrator approval before they affect the catalog.
- The scanner reads from each gateway’s runtime layerwhich means asset content reflects what’s deployed and live, not what’s drafted or planned
Example scanner creation
Let’s walk through configuring a scanner for AWS API Gateway. Below, you can see five APIs deployed in AWS that power an ecommerce stack. By the end of this section, you’ll see those APIs surfaced in Anypoint Exchange. Other gateways follow the same pattern with provider-specific credentials.
Step 1: Create the scanner in Anypoint
In Anypoint Platform, navigate to Exchange > Scanners and click Add Scanner.
Configure the scanner with:
Scanner information
- Name: must be unique across all scanners in your org
- Description: optional context for the scanner (region, team, purpose)
Scanner run configuration
- Run Schedule: Hourly, Daily, or Weekly, plus the time of day to run
- Sync Review:
- Ask to review. This is the manual review mode, and the right default for any team with formal API governance. Scanned results are held for administrator approval before they affect Exchange, which prevents pilot APIs, in-progress work, or intentionally-excluded services from being surfaced to developers prematurely.
- Auto resolvewhich flows changes through without a review step. (Best for non-production environments or low-stakes catalogs.)
Connection configuration
- Provider: Amazon
- Platform: Amazon API Gateway
- AWS Access Key ID and AWS Secret Access Key: from your IAM user
- AWS Region: the AWS region where your APIs are deployed
Click Test connection. The form returns “Connection verified successfully” when credentials are valid. Then, click Add Scanner to save. If the connection test fails, the most common causes are:
- IAM user permissions are incorrect
- Region mismatch (the scanner only sees APIs in the configured region)
- API not deployed to a stage (undeployed APIs are not discoverable)
Step 2: Run a scan and review the results
From the scanner detail page, click Actions > Run Now. The scanner moves through running and importing states as it enumerates REST APIs in the configured region. Because Sync Review is set to Ask to review, the scanner finishes in a Pending review state and surfaces a count of actions for the administrator to handle.
Clicking Review & Import on the scanner detail page opens the Scan Review screen. Each pending change is presented as a card showing the asset name, source platform, service type, and instance count. The scan results page organizes detected differences into five tabs:
- Add: Assets in the gateway that aren’t in Exchange yet
- Update: Assets in both that have changed
- Missing: Assets in Exchange that no longer exist in the gateway
- Existing: Assets that haven’t changed since the last scan
- Skipped: Assets you’ve explicitly chosen not to import
Administrators select which changes to apply by checking or unchecking each asset. Unchecked assets move to the Skipped tab on confirm. Skipped assets won’t re-surface in future scan results unless you explicitly bring them back, which is what makes manual review practical at scale. Reviewers aren’t asked to confirm pilot APIs, deprecated services, or intentionally-excluded assets every week.
Assets labeled as “Missing” will be removed from Exchange keeping the provider as the source of truth for their assets. Once selections are made, clicking Confirm & Import at the bottom of the review screen applies the selected changes to Exchange and moves the scanner back to Scheduled status.
If you’d configured Sync Review as Auto-resolve instead, scans complete without a review step and changes are applied to Exchange automatically.
Step 3: Discover the federated asset in Exchange
After Confirm & Import, the selected APIs are live in Exchange and ready for consumption. Federated APIs appear in Exchange with the gateway metadata mapped to Exchange’s standard asset model. The Exchange page includes the relevant information from the source gateway, things like API name and description, deployment context (stage, region, consumer URL), endpoint navigation by path and method, and API instances and conformance status for governance workflows.
From this page, developers can also share the asset, download the spec, and view the code in Design Center. Additionally, Platform teams can apply governance rulesets and surface these services in their API Experience Hub developer portals.
How scanners surface gateway data
Here’s what to expect after a scanner has been configured: Scanners read each gateway’s runtime layer. That means the asset data in Exchange reflects what’s deployed and live in your gateway, not draft configurations or design-time specs. This produces an inventory grounded in production reality, which is exactly what governance teams want for audits and architecture reviews.
What “runtime layer” looks like varies by provider:
- AWS API Gateway exposes the deployed REST API definition, including stage information, resources, and methods
- Azure API Management exposes the published API definition with operations
- Apigee exposes proxy configurations, plus any OpenAPI spec attached to the proxy’s resources folder
- Kong exposes gateway services and routes
Asset detail in Exchange is normalized. Each scanner maps gateway metadata into Exchange’s object model, which keeps discovery and governance workflows consistent across providers. If you have provider-specific metadata fields that you’d like surfaced in Exchange, the Salesforce Ideas Exchange is the right place to share that feedback.
Getting started
If you’re managing APIs across multiple gateways today, API Scanners give you a real path to unified inventory without forcing your teams to migrate or change their gateway choices. Configure a scanner per gateway, set the mode that matches your governance model, and let Exchange become the source of truth for what your organization actually runs.
To get started, navigate to Exchange > Scanners in the Anypoint Platform. Don’t see the tab? Reach out to your Account Executive to learn more about enabling API Scanners for your organization. To see the full workflow in action, check out the demo video covering all four gateways.
