Heroku
tcp/443 tcp/80
Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.
The documentation details every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd151e75e4b28aed0a834897a8e6d405fb20ed7175d39b9e8fc
Public Swagger UI/API detected at path: /v3/api-docs - sample paths:
DELETE /collections/{collectionId}/places/{placeId}
DELETE /users/history/rollback
DELETE /users/history/rollback/action/{action}
DELETE /users/history/rollback/timestamp-range
GET /about
GET /blogs
GET /blogs/
GET /blogs/{id}
GET /chat-histories/users/me
GET /chat-histories/users/{userId}
GET /chat-histories/{id}
GET /collections/me
GET /collections/search
GET /collections/users/{userId}
GET /collections/{collectionId}
GET /error
GET /features
GET /features/
GET /features/{id}
GET /places
GET /places/
GET /places/batch
GET /places/nearby
GET /places/random/{count}
GET /places/{id}
GET /privacy
GET /ratings
GET /ratings/
GET /ratings/{id}
GET /reviews
GET /reviews/
GET /reviews/place/{placeId}
GET /reviews/user/{userId}
GET /reviews/{id}
GET /testimonials
GET /testimonials/
GET /testimonials/by-status
GET /testimonials/random/{count}
GET /testimonials/user/{userId}
GET /testimonials/{id}
GET /users
GET /users/
GET /users/history
GET /users/history/action/{action}
GET /users/history/as-places
GET /users/history/count
GET /users/history/establishment-id/{establishmentId}
GET /users/history/exists/timestamp
GET /users/history/search/action
GET /users/history/search/establishment-id
GET /users/history/sort/timestamp
GET /users/history/sort/timestamp-desc
GET /users/history/timestamp
GET /users/me
GET /users/preferences
GET /users/{id}
GET /users/{id}/is-blocked
PATCH /testimonials/{id}/status
PATCH /users/{id}/metadata
PATCH /users/{id}/name
PATCH /users/{id}/nickname
POST /about/
POST /collections
POST /collections/
POST /collections/{collectionId}/places
POST /places/search
POST /privacy/
POST /users/{id}/avatar
POST /users/{id}/block
POST /users/{id}/roles
POST /users/{id}/unblock
PUT /users/preferences/categories
PUT /users/preferences/language
PUT /users/preferences/notifications-enabled
PUT /users/preferences/timezone
Open service 99.83.217.1:80 · api.tokoro.space
2026-01-10 00:28
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Sat, 10 Jan 2026 00:30:00 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=x%2ByA7KLchddTEfGl0tc6I4NmGAoS4MsBBC%2BT3bXPmg0%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1768005000"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=x%2ByA7KLchddTEfGl0tc6I4NmGAoS4MsBBC%2BT3bXPmg0%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1768005000"
Server: Heroku
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:443 · api.tokoro.space
2026-01-09 12:00
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 09 Jan 2026 12:00:19 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=KoYrz%2FcUjdFV2T7cUlktaPcY2EGMYNGWSpCcWRusaac%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1767960019"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=KoYrz%2FcUjdFV2T7cUlktaPcY2EGMYNGWSpCcWRusaac%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1767960019"
Server: Heroku
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:443 · api.tokoro.space
2026-01-02 20:47
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 02 Jan 2026 20:47:01 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=nwEG5lHyXI%2BOesYxjLrGQejnmcOH5t7Kyl3eliNDDWs%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1767386821"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=nwEG5lHyXI%2BOesYxjLrGQejnmcOH5t7Kyl3eliNDDWs%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1767386821"
Server: Heroku
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:80 · api.tokoro.space
2026-01-02 19:44
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 02 Jan 2026 19:44:57 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=xjinC4hm5LHRYBp%2FYdvKT5GLc3PAgkks1rOb4p2yePI%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1767383097"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=xjinC4hm5LHRYBp%2FYdvKT5GLc3PAgkks1rOb4p2yePI%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1767383097"
Server: Heroku
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:80 · api.tokoro.space
2025-12-23 09:06
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Tue, 23 Dec 2025 09:06:11 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=lLU61KFINSUb2CHQW1GKOR7LkdruAJGdhGk%2FE7cbJuM%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1766480771"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=lLU61KFINSUb2CHQW1GKOR7LkdruAJGdhGk%2FE7cbJuM%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1766480771"
Server: Heroku
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:443 · api.tokoro.space
2025-12-23 00:06
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Tue, 23 Dec 2025 00:06:40 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=7XDd6Kl2e5tfANvX%2FW62Gd4hlX9Y9LDUCtMBinyxICE%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1766448400"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=7XDd6Kl2e5tfANvX%2FW62Gd4hlX9Y9LDUCtMBinyxICE%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1766448400"
Server: Heroku
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:80 · api.tokoro.space
2025-12-21 06:00
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Sun, 21 Dec 2025 06:00:20 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=NFMKP9napDdEn2pMu5gB05fI7n5U8FmFHZ02FEjeqos%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1766296820"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=NFMKP9napDdEn2pMu5gB05fI7n5U8FmFHZ02FEjeqos%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1766296820"
Server: Heroku
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:443 · api.tokoro.space
2025-12-21 01:54
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Sun, 21 Dec 2025 01:54:17 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=ySbmvzEqE5JE%2BdHmibjfHEDneu1cvlO8Cu2ypj6XqzA%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1766282057"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=ySbmvzEqE5JE%2BdHmibjfHEDneu1cvlO8Cu2ypj6XqzA%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1766282057"
Server: Heroku
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:80 · api.tokoro.space
2025-12-19 07:21
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 19 Dec 2025 07:21:16 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=xWBUKv3yMyHHsSZTR3P7jg1lGuyoqe1zqfj9X1NiVcY%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1766128876"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=xWBUKv3yMyHHsSZTR3P7jg1lGuyoqe1zqfj9X1NiVcY%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1766128876"
Server: Heroku
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close
Open service 99.83.217.1:443 · api.tokoro.space
2025-12-19 04:53
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 19 Dec 2025 04:53:34 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=wGetXEf4zWvtndFwavbMyc47%2BIVXIBZbxRCwcCSM1jQ%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1766120014"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=wGetXEf4zWvtndFwavbMyc47%2BIVXIBZbxRCwcCSM1jQ%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1766120014"
Server: Heroku
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 heroku-router
Www-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 0
Connection: close