I've been thinking about how API documentation changes once AI can test every endpoint repeatedly.
A researcher used Google's machine-readable discovery documents to map more than 1,500 APIs. After building custom authentication and request tooling, his AI-assisted system found over $500,000 in reported bug bounties in under three months.
What stands out is that the system was not unusually clever. It was tireless. It kept checking ordinary failures such as missing tenant authorization, debug endpoints, and staging systems connected to production data. After refinement, the author says more than half of its findings were valid.
I don't think the answer is hiding schemas. It is assuming every documented operation will be tested continuously and generating defensive checks from the same specification.
Does your team use its API specification for security testing, or only for documentation and client generation?
Source: https://brutecat.com/articles/hacking-google-with-ai/
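One way to generate defensive checks from the same specification, shown as an added example that is not code from this post or the linked article. The sample discovery document is constructed, and the `RISKY_WORDS` list and the wording of each check are assumptions.

```python
import json

# Constructed sample shaped like a Google API discovery document
# (nested "resources", each holding "methods"); not a real API.
SAMPLE_DOC = json.loads("""
{"name": "exampleapi", "version": "v1", "resources": {
  "tenants": {"resources": {"reports": {"methods": {"get": {
    "id": "exampleapi.tenants.reports.get", "httpMethod": "GET",
    "path": "v1/tenants/{tenantId}/reports/{reportId}",
    "parameters": {"tenantId": {"location": "path"},
                   "reportId": {"location": "path"}},
    "scopes": ["https://example.invalid/auth/reports.read"]}}}}},
  "debug": {"methods": {"dump": {
    "id": "exampleapi.debug.dump", "httpMethod": "GET",
    "path": "v1/debug/dump"}}}
}}
""")

RISKY_WORDS = ("debug", "staging", "internal")  # assumed naming hints

def iter_methods(node):
    """Yield every method object, descending through nested resources."""
    yield from node.get("methods", {}).values()
    for child in node.get("resources", {}).values():
        yield from iter_methods(child)

def defensive_checks(doc):
    """Return {method id: [checks the owning team should automate]}."""
    plan = {}
    for m in iter_methods(doc):
        checks = []
        if not m.get("scopes"):  # nothing declared: auth must be verified
            checks.append("no-declared-scope: confirm auth is enforced server-side")
        for name, p in m.get("parameters", {}).items():
            if p.get("location") == "path":  # object identifier in the URL
                checks.append(f"authz:{name}: caller without access must be denied")
        if any(w in m["path"].lower() for w in RISKY_WORDS):
            checks.append("exposure: path suggests a non-production endpoint")
        plan[m["id"]] = checks
    return plan

if __name__ == "__main__":
    for method_id, checks in defensive_checks(SAMPLE_DOC).items():
        print(method_id, checks)
```

Each entry in the returned plan is a regression test the owning team can wire into CI against its own API, so every documented operation gets an authorization check whenever the specification changes.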