The state of public APIs in 2023

An analysis of 5138+ public APIs by

More and more companies are extending their software offering with public APIs. They enable external developers to leverage their services, open new usage streams, and empower fruitful partnerships between organizations.

APIs have become a fully parallel world wide web, where interactions between companies are entirely managed by robots, without humans in the loop. Thus, their performance, reliability, security, and developer experience are becoming increasingly important.

Yet, while website quality ranking has been a mostly solved problem since the inception of Google’s PageRank algorithm, we found no equivalent ranking for APIs.

How do Public APIs compare to each other regarding quantitative metrics of reliability, performance, security, and developer-friendly design? Using Escape’s in-house technology, we crawled 3,000+ APIs for you and compiled the results in this one-of-a-kind report.

We hope you will enjoy browsing the data and feel free to submit your own API if you want us to index it in the leaderboard.

The current data was updated on march 3, 2023.


What did we scan?

We used Escape’s in-house API scanner to crawl 5138 public OpenAPI-documented APIs on the internet. It took us 83,245 requests to gather the data.


Total scanned endpoints


Total sent requests

We gathered both OpenAPI 2.0 and OpenAPI 3.0+ specs. We observed that most public APIs rely on OpenAPI 3.0.0 Documentation. OpenAPI 3.0.1 also has some ground.

Number of apps by OpenAPI version

What metadata were included in the documentation?

Between a third and a half of documentations contained metadata such as license, contact info, and terms of services.

% of specs with licence
% of specs with contact
% of specs with TOS

Creative Commons 3.0 and Apache 2.0 are the most common licenses used for API documentations. MIT is used in only ~4% of Public API documentations.

Number of apps by license


We used our passive scanners to search for OWASP API Top 10 project vulnerabilities in the crawled APIs. An outstanding amount of APIs had minor security misconfiguration, but up to 12 percent of APIs had more serious vulnerabilities, and around half a percent had critical ones.

Considering that we ran only a passive scan, in the wild, and with no authentication provided, we consider that those results raise concerns about how many public APIs are easily exploitable by malicious actors.

% of apps with OWASP vulnerabilities

What sensitive data was found during the crawl?

During our scan, we detected a concerning amount of sensitive data being open to the wild. Specially, we found several passwords and Json Web Tokens in error messages that were publicly accessible.

Number of sensitive data found


Our dataset has a median response time of 500ms. A majority of APIs are in the 400ms-700ms range, still, there is a long tail down to a very slow 1400ms p50.

Number of APIs by response time


On this part, the results were quite good overall. Our crawl generated straight 500 errors in only 6% of tested APIs.

However, the APIs that had more than one error tend to be very unreliable.

Number of error 500 in APIs


About 90% of documentations came with a description, which is quite a good score overall.

Documentations were surprisingly well commented. On average, 60% of routes had human readable comments in specifications. However, some might have been auto generated by the underlying web framework.

Number of APIs per comment ratio

Examples however, are have not gained widespread usage, with 90% of specifications having zero examples, and less than 1% having 90%+ routes covered by examples.

Number of APIs with examples

Interestingly, the ratio of duplicated objects in the documentations was quite equally distributed.

Number of APIs per duplicated objects ratio


We crawled and analyzed 5000+ public OpenAPI-based APIs in the wild.

Our results show that while public APIs are getting more and more documented with an evident tendency towards caring about developer experience, significant improvement in the industry can still be made regarding documentation quality, response reliability, and security.

We hope to see more studies of this kind to be conducted to observe how those tendencies evolve in the future.

If you want to see how your API compares to our dataset, feel free to request us to index it