Kestrel
tcp/443
Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.
The documentation details every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd1f3d88d605668142ebc4c0faf2a86f45f7fa901330c03a1e0
Public Swagger UI/API detected at path: /swagger/v1/swagger.json - sample paths:
GET /api/Billing/public-params
GET /api/Billing/session-status/{sessionId}
GET /api/Billing/subscription-list
GET /api/Portrait/model-list/{genderuxkey}
GET /api/Portrait/model-photo-list
GET /api/Portrait/model-photo-list/{FluxLoraPortraitTrainingId}
GET /api/Portrait/model-photo/{id}
GET /api/Portrait/model/{id}
GET /api/Portrait/template-list/{genderuxkey}
GET /api/User/profile
POST /api/Billing/cancel-subscription
POST /api/Billing/create-checkout-session/{uxKey}
POST /api/Billing/enroll-free
POST /api/Portrait/model-photo-feeling-lucky/{portraitId}
POST /api/Portrait/model-photo-prompt/{portraitId}
POST /api/Portrait/model-photo-template/{portraitId}/{templateId}
POST /api/Portrait/train
POST /api/Portrait/train/{genderUXKey}/{nickName}
Open service 13.74.252.44:443 · dev-api.powertoys.ai
2026-01-11 15:46
HTTP/1.1 401 Unauthorized
Content-Length: 0
Connection: close
Date: Sun, 11 Jan 2026 15:47:23 GMT
Server: Kestrel
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
WWW-Authenticate: Bearer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Request-Context: appId=cid-v1:b4038f22-abc7-4dd0-968b-957d75648035
X-XSS-Protection: 0
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none';
Open service 13.74.252.44:80 · dev-api.powertoys.ai
2026-01-11 15:46
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Connection: close
Date: Sun, 11 Jan 2026 15:47:23 GMT
Location: https://dev-api.powertoys.ai/