Freemium User FAQ

Helping you fix Your APIs today and prevent API breaches tomorrow

This FAQ page addresses the most commonly asked questions by freemium users of our API Security Testing services. If you don’t find the answer to your questions below, please contact us or log a ticket on our support desk and we’ll do our best to answer your question.

We have arranged the questions into 4 groups

Freemium User FAQs
Free API Security Testing FAQs
Additional FAQs
Subscription Upgrade FAQs

Freemium FAQs

Freemium allows users to use our API security testing solutions for free with limited monthly usage once it is for non-commercial / non-production use.

What is included in the Freemium Offering?

Both our API Audit and API Scan services are available for free, with usage restrictions, in your IDE and CI/CD pipelines. The freemium version is designed solely for non-production use. You get 25 full security audits and scans per month in CI/CD and IDE, by full we mean the complete OpenAPI definition is audited / scanned. You also get 100 API operation audits and scans per month in the IDE only. An "operation" audit or scan is where a single operation within the OpenAPI definition can be checked for security weakness.

What level of support do I get with Freemium?

With freemium we provide these FAQs and self-serve tutorial videos. You can also register your query in our support section and we will do our best to respond within a reasonable time.

Can I collaborate with other people on the same API?

On the free service you cannot collaborate with other users working on the same API, this is available only to paid subscribers.

What happens when I reach my limit for the month?

You have a few options:

Upgrade your account with 42Crunch - see pricing. For reasons why you should upgrade, see the upgrade section.
Conduct a free enterprise trial - time limited.
Contact us to learn more about our API Security testing and API Runtime protection services.
Continue as you are, but wait until the end of the time period for the free 30 day allowance to restart.

API Security Testing FAQs

Below are questions specifically related to using our API security tools as a freemium user. Additional "how to" videos can be found in our tutorial videos section.

What is API Security Audit?

API Audit is a 42Crunch static API testing service that helps users find and fix issues with their OpenAPI contracts during the design time and avoid releasing unprotected APIs.

API Audit performs over 300+ checks on the OpenAPI Contract checking for adherence to the OpenAPI specification, data definition quality (how well your schema is defined) and potential security vulnerabilities.

Where can I run the API Security Audit from?

API Audit is available from a number of IDE marketplaces (via the openAPI Editor) and CI/CD platforms (as a plugin). It is available either for free with limited usage or on the 42Crunch platform as a paid subscription.

How do I run the API Audit from the IDE?

You can run the audit from the 42Crunch OpenAPI editor in VS Code, IntelliJ and Eclipse.

First you need to activate the service. Here is a short video to explain.

Once the Audit service is active you can take a look at the tutorial video page on how to run the API Security Audit.

How do I run the API Audit from CI/CD?

You can run the audit for freemium users from GitHub Actions. We will be expanding to Azure DevOps and other CI/CD platforms in the coming months.

Please take a look at a tutorial video on how to run the API Security Audit & API Scan for freemium users from GitHub.

What is API Conformance Scan?

API Scan is a dynamic API Security Testing tool for REST API. This means that API Scan sends real API traffic to your API and examines and validates the responses.

The tests are automatically created by using the API's OpenAPI Definition file (OpenAPI Contract) to test the following:

Does the API conform to the API Design i.e. does it do what it is supposed to do according to the design
Does it perform as it is supposed to - does it only allow the expected traffic and reject not expected traffic.
Are there any security weakness based on how the API is implemented.

Here is an explainer video

Where can I run the API Scan from?

API Scan is available in VS Code IDE (via the 42Crunch OpenAPI Editor extension) and GitHub Actions CI/CD. It is available for free with limited usage and non commercial basis (see Freemium FAQ section above).

You can also run API Scan on the 42Crunch platform. This is available only to paid subscribers.

How do I run the API Scan from IDE?

There is an option to run API Scan for freemium users from VS Code IDE We will be expanding to IntelliJ and Eclipse in the coming months.

Please visit our dedicated video tutorial page on running API scan in VS code

How do I run the API Scan from CI/CD?

There is an option to run the API Scan for freemium users from GitHub Actions. We will be expanding to Azure DevOps and other CI/CD platforms in the coming months.

Please take a look at a tutorial video on how to run the API Security Audit & API Scan for freemium users from GitHub.

How does API Security Testing work with 42Crunch?

API Security Testing with 42Crunch combines a number of our tools and integrates in the development lifecycle of the API as follows:

OpenAPI Editor - we help developers create and edit OpenAPI definition files using our Free OpenAPI editor tool in their favorite IDEs
API Audit - checks the API Design file for different structure, semantic and security flaws, marks the API Design file out of a score of 100 and also offers remediation advice and quick ways to fix the issues identified. This way you can quickly fix and create a robust OpenAPI contract. (more info above)
API Scan - checks the actual API for security flaws by sending dynamic traffic to it. The tests we do are based on the API design file of the same API. More Above

Now we also add in some additional things like data dictionaries to help standardize definitions used across all APIs, security quality gates that can prevent changes to APIs going into production without first having passed an approved score in both the API Audit and API Scan checks and finally we give all of this visibility to security teams which enables security teams and development teams work together with agreed security policies in a faster and more secure development process.

There are multiple benefits to upgrading to a paid subscription (see section below) but if you are unsure then please request an introductory call with one of our pre-sales engineers who can discuss your requirements with you.

I am a GitHub user, how can I setup API security testing for free?

We have put together this video to help you use our API Security Testing Tools from GitHub Actions as a Free User

One of the best API security testing and assessment tools. It makes it easy for developers to build APIs due to its feature of testing the API against 300+ vulnerabilities in data whether it be at rest or transit.

Additional FAQs

Below are some additional questions we get asked a lot. Let us know if you have any other questions

Which IDEs do you support for Freemium?

Currently we support VSCode from Microsoft for freemium. IntelliJ from Jetbrains and Eclipse will follow. All three integrate with our API Security platform and paid subscriptions.

Which CI/CD pipelines do you support?

Currently 42Crunch offers a freemium solution on GitHub Actions CI/CD. We will be adding Azure DevOps soon.

For paid customers we offer integrations with Bitbucket, Azure Pipelines, Bamboo, Jenkins, Gitlab, GitHub Actions and Sonarqube. We also offer an API audit container for custom integrations.

I currently use the 42Crunch API Audit which I got from one of the IDE marketplaces. Is this different to the freemium option from CI/CD?

Essentially the API audit on IDE and CI/CD are the same so when you run an audit in IDE or CI/CD both run the same checks on the OpenAPI contract. There are some differences however between IDE and CI/CD functionality as these platforms are different. In the IDE for example you can edit the OpenAPI contract while in the CI/CD you cannot. This is why you get extra allowance to run 100 operation audits in the IDE. You can also view the Audit and Scan reports in the IDE whereas you cannot see the full report on the CI/CD pipeline. We can push the results into GitHub Codespaces for CI/CD though.

What is Data Dictionary?

The Data Dictionary capability helps organizations define a dictionary of formats that should be used in APIs.

By harmonizing what formats your APIs can accept you can increase their security as the stricter data definition quality for input and output data narrows down the attack surface.

For developers, this means that they do not have to reinvent the wheel but can check the data dictionaries for formats already in use and use the existing ones.

Here is an explainer video

Do I have to use the Data Dictionaries?

The freemium edition does not come with a data dictionary

With a paid subscription multiple data dictionaries can be created and customized to meet your organization’s specific needs.

What is a Security Quality Gate (SQG)?

Security Quality Gates (SQGs) help implement security compliance and governance across the enterprise.

SQGs can highlight or prevent APIs or changes to APIs from being committed via CI/CD pipelines without first having passed an approved threshold. SQGs apply both to API Audit and API Scan static and dynamic reports.

In the IDE, SQGs will highlight to the developer if the score on either the API Audit or API Scan reports is not sufficient to pass the required standard.

In CI/CD there is an option to either enforce the SQG or just report on the SQG.

For paid subscriptions you can customize the SQGs.

This video will explain Security Quality Gates

Do I have to use Security Quality Gates?

For paid subscribers In the IDE, you can see the security quality gates status. This means developers can determine whether they would pass the SQG threshold.

In the CICD pipeline, SQGs enforcement can be turned on or off.

Subscription Upgrade FAQs

Below are some frequently asked questions in relation to how and why to upgrade your subscription.

Can I purchase extra Audit and Scan allowances for one or two months?

Yes. You can upgrade to a paid solution offering either on a monthly or annual subscription level. See Pricing.

If you want to only purchase for one or two months then you will need to cancel your monthly subscription when you no longer need it any more.

Why should I upgrade to a paid subscription?

If you want to collaborate as part of a team, or increase the volume of audits and scans as you get closer to production, then you should consider upgrading to a paid subscription model to get unlimited usage.

You also can avail of other features such as customized Security Quality Gates and Data Dictionaries.

Can I buy a single developer solution?

Yes. We offer a sliding scale of prices from a base entry level price for up to 5 users all the way to 25 users as part of our Teams pricing.

If you have any special requests please contact us.

What level of support do I get with a paid subscription?

42Crunch offers both Standard and Premium Support and Maintenance services for the 42Crunch Platform.

The services delivered are subject to the Master Customer Agreement entered into between a paying subscriber and 42Crunch.

For further information about our support levels please contact us.

Can my team get a no usage limits free trial of the 42Crunch services?

Yes. We offer a full enterprise free trial, with unlimited API Security Audits and Scans for up to 50 users and 50 APIs for a 90 day period.

What are my subscription payment options?

You can use your credit card to pay for any monthly or annual "Teams' subscription.

If you sign up for any annual subscription then we can arrange that you pay by bank transfer. Please contact us to arrange this option.

I have a teams account how can I upgrade to add more users?

You can upgrade your "Teams" subscription by using the billing portal to upgrade to the next "Teams" level or contact our sales team for an Enterprise account (25+ users working on 10+ APIs).

How do I cancel my subscription?

If you are on a "Teams" subscription then you can manage your subscription by logging into the billing portal.

If you are an enterprise customer you can contact our billing team or your account manager directly.

What additional API Security services does 42Crunch provide?

42Crunch API Security Platform

The 42Crunch API Security platform proactively tests, fixes and protects APIs from development to runtime. It offers a range of services in addition to the security testing capabilities of API Audit and Scan outlined above. These additional services are:

API Capture - Available extra to paid subscribers only.

Don't want to build OpenAPI contracts from scratch or have lots of APIs without OpenAPI design files? API Capture can use traffic data, Postman collections, API test configurations and even half built OpenAPI files to automatically build OpenAPI contracts saving your developers lots of time and effort. It will also save your front end, backend teams and testing teams time as they now have a design file to work off.

Here is a video explainer:

API Protect - Available extra to paid subscribers only.

API Protect is an API micro-firewall that enforces the API security policy at runtime. It creates an allowlist of valid operations from the API's OpenAPI contract and enforces the contract on all incoming and outgoing operations. The micro-firewall will automatically change when any changes are made to the OpenAPI contract.