Paths are the endpoints that the API exposes to the world and the corridors that API calls must traverse to reach the resources that the API offers. All paths are relative: requests that your API consumers make must include the URL of your API server before the path.

The path itself consists of path items that describe the path parameters and operations on a single path.

While the OpenAPI Specification (OAS) allows empty path items on a path, this may not be what you want. The non-canonical version of the OpenAPI definition may be suitable for API documentation purposes, but proper API protection using the positive security model must be based on the canonical version. The better the paths and path items are defined, the lower the chances that something goes wrong with them. This is reflected in the data definition quality: empty path items result in a lower audit score.
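A small pre-audit check for the problem described above, added here as an example (it is not code from the original page or from any audit tool). It flags empty path items and, going one step beyond the text, templated path parameters that no operation declares, which OAS requires. The sample definition, the function names `audit_paths` and `declared_path_params`, and the finding messages are constructed for illustration.

```python
import json
import re

# HTTP methods that OAS 3.0 accepts as operation keys on a path item.
OPERATIONS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample definition (not from the original page): one well-defined
# path, two empty path items, one undeclared path parameter, one external $ref.
SAMPLE = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Sample API", "version": "1.0.0"},
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {"responses": {"200": {"description": "OK"}}}
    },
    "/health": {},
    "/internal": {"summary": "Metadata only, no operations"},
    "/orders/{orderId}": {"delete": {"responses": {"204": {"description": "Deleted"}}}},
    "/reports": {"$ref": "./paths/reports.json"}
  }
}
""")

def declared_path_params(obj):
    # Inline parameters only; a $ref'd parameter must be resolved first.
    return {p["name"] for p in obj.get("parameters", []) if p.get("in") == "path"}

def audit_paths(definition):
    """Return sorted (path, finding) tuples for weakly defined path items."""
    findings = []
    for path, item in definition.get("paths", {}).items():
        item = item or {}  # a null path item counts as empty
        if "$ref" in item:
            continue  # defined elsewhere; resolve before judging it
        ops = {m: item[m] for m in OPERATIONS if m in item}
        if not ops:
            findings.append((path, "empty path item: no operations"))
            continue
        templated = set(re.findall(r"\{([^}]+)\}", path))
        shared = declared_path_params(item)
        for method, op in ops.items():
            missing = templated - shared - declared_path_params(op)
            findings.extend((path, f"{method}: path parameter '{n}' not declared") for n in missing)
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in audit_paths(SAMPLE):
        print(f"{path}: {finding}")
```
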

Browse through this section to see the details of each API security risk related to paths and path items.