API Zombie

Definition

An API Zombie is an API endpoint that continues to operate in production despite being abandoned, deprecated, or no longer actively maintained. Unlike Shadow APIs (which were never documented), Zombie APIs were once official, documented endpoints that have lost their owners and maintainers.

These APIs are dangerous because they appear legitimate—they’re in your documentation, they still work, and they might even have test coverage—but nobody is actively monitoring, patching, or updating them. When vulnerabilities are discovered, there’s no one responsible for fixing them.

Zombie APIs typically emerge through organizational changes: developers leave the company, teams are reorganized, products are sunset but their APIs remain running “just in case.” They’re the technical debt of the API world.

Example

Scenario: The Login v1 API

In 2018, your company launches a mobile app with a login endpoint:

// POST /api/v1/auth/login - Created 2018
app.post('/api/v1/auth/login', (req, res) => {
  const { username, password } = req.body;
  // Uses MD5 hashing (weak by 2018 standards)
  const hash = md5(password);
  const user = db.findUser(username, hash);
  res.json({ token: generateToken(user) });
});

In 2020, you release v2 with bcrypt hashing. In 2022, the mobile team migrates to v2. But v1 is never shut down because “some legacy clients might still use it.”

2024: The original developer left in 2021. Nobody remembers v1 exists. It’s still processing 5,000 logins/day from forgotten integrations. A security researcher finds it still uses MD5 hashing. There’s no owner to notify, no security team monitoring it, no deprecation timeline.

Result: You have a Zombie API—documented, functional, but abandoned and vulnerable.

Analogy

The Abandoned House: Imagine a house whose owner moved away but didn’t sell or demolish it. The utilities are still connected, mail still arrives, but nobody lives there or maintains it. Over time, the roof leaks, pipes corrode, and squatters move in. Neighbors assume someone owns it because the lights are still on. A Zombie API is this house in your infrastructure—still powered, still responding, but nobody’s home.

The Unmaintained Bridge: A bridge built decades ago still carries traffic daily. But the original engineers retired, the construction company went bankrupt, and no government agency took ownership. When inspectors find cracks, there’s nobody to call. It works until it doesn’t—catastrophically. Zombie APIs are these bridges in your API landscape.

Code Example

How Zombie APIs are created:

// 2018: Original implementation
app.post('/api/v1/users/create', createUser);
// Owner: Alice ([email protected])

// 2020: New version released
app.post('/api/v2/users/register', createUserV2);
// Owner: Bob ([email protected])

// 2021: Alice leaves company
// 2022: Bob moves to different team
// 2023: v1 still processes 2K requests/day
// 2024: CVE discovered in v1's dependency
// Problem: Nobody knows who owns v1 anymore

Detection: Finding Zombie APIs

// Cross-reference API inventory with employee database
const apiInventory = await getAPIs();
const currentEmployees = await getEmployees();

const zombieCandidates = apiInventory.filter(api => {
  const owner = api.metadata.owner;
  const isActive = currentEmployees.includes(owner);
  const lastUpdated = api.metadata.lastUpdated;
  const isStale = Date.now() - lastUpdated > 365 * 24 * 60 * 60 * 1000; // 1 year

  return !isActive || isStale;
});

console.log(`Found ${zombieCandidates.length} potential Zombie APIs`);
// Output: Found 23 potential Zombie APIs

// Analyze traffic to determine if they're still used
zombieCandidates.forEach(async api => {
  const traffic = await analyzeTraffic(api.path, { days: 30 });
  console.log(`${api.path}: ${traffic.requests} requests/month`);
  console.log(`  Owner: ${api.metadata.owner} (left company)`);
  console.log(`  Last updated: ${api.metadata.lastUpdated}`);
  console.log(`  Risk: ${traffic.requests > 1000 ? 'HIGH' : 'MEDIUM'}`);
});

Diagram

graph TB
    A[API Created 2018] -->|Developer Alice| B[Documented & Maintained]
    B -->|2020: v2 Released| C[Deprecated but Running]
    C -->|2021: Alice Leaves| D[No Owner]
    D -->|2022: v2 Default| E[Still Processing Traffic]
    E -->|2024: CVE Found| F[Zombie API]
    F -->|Problem| G[Nobody to Patch]
    F -->|Problem| H[Still Has Users]
    F -->|Problem| I[Security Risk]
    style A fill:#c8e6c9
    style B fill:#c8e6c9
    style C fill:#fff9c4
    style D fill:#ffcc80
    style E fill:#ffcc80
    style F fill:#ffcdd2
    style G fill:#ff6b6b
    style H fill:#ff6b6b
    style I fill:#ff6b6b

Security Notes

Best Practices

1. Mandatory ownership: Every API must have a current employee as owner. When employees leave, reassign or sunset their APIs
2. Automatic sunset dates: All APIs get a default 3-year expiration unless renewed
3. Traffic monitoring: Alert if deprecated APIs receive traffic
4. Force deprecation: After 6 months notice, actually shut down deprecated APIs (don’t leave them running indefinitely)
5. Documentation discipline: Keep API catalog metadata current (owner, status, last-updated)
6. Exit interviews: When developers leave, audit their APIs

Common Mistakes

Mistake 1: “We can’t shut it down, someone might be using it” If you don’t know who’s using a deprecated API after 6+ months notice, that’s a governance problem. Unknown clients using undocumented endpoints is worse than temporary breakage.

Mistake 2: Keeping Zombie APIs “just in case” Every running API costs money (infrastructure, security monitoring, compliance) and creates risk. If nobody’s willing to own it, it should be shut down.

Mistake 3: Assuming v2 clients migrated Just because you released v2 doesn’t mean all clients upgraded. Explicitly measure traffic to v1 and contact high-volume users before deprecation.

Mistake 4: No deprecation communication plan Announcing deprecation in release notes isn’t enough. Email registered clients, add deprecation headers to API responses, and log which clients are still using deprecated endpoints.

Zombie API vs Shadow API

Both require similar remediation: Identify owners, assess usage, plan migration or sunset.

Deprecation Process

Healthy API Deprecation:

// 1. Announce deprecation with timeline (6-12 months)
app.use('/api/v1/*', (req, res, next) => {
  res.set('Sunset', 'Sat, 31 Dec 2024 23:59:59 GMT');
  res.set('Deprecation', 'true');
  res.set('Link', '<https://api.example.com/v2>; rel="successor-version"');
  next();
});

// 2. Log which clients are still using deprecated endpoints
app.use('/api/v1/*', (req, res, next) => {
  logDeprecatedUsage({
    endpoint: req.path,
    client: req.headers['user-agent'],
    timestamp: Date.now()
  });
  next();
});

// 3. Contact high-volume clients directly
// 4. After sunset date, return 410 Gone
app.use('/api/v1/*', (req, res) => {
  res.status(410).json({
    error: 'API version 1 was sunset on Dec 31, 2024',
    migration: 'https://docs.example.com/migration/v1-to-v2'
  });
});

Related Tools

API Lifecycle Management:

• Postman: Track API versions and deprecation status
• SwaggerHub: Document deprecation timelines
• Azure API Center: Centralized API inventory with ownership tracking

Monitoring:

• Datadog: Alert on traffic to deprecated endpoints
• New Relic: Track which clients use which API versions
• Akto: Detect unmaintained APIs through metadata analysis

Assessment: Use the Shadow API Detection Tool - also detects Zombie APIs by analyzing ownership metadata.

Further Reading

📚 Book: “Cómo Identificar Shadow APIs Con Herramientas Open Source”

While focused on Shadow APIs, this book covers comprehensive API governance including Zombie API detection and deprecation strategies.

• 🇬🇧 English Edition
• 🇪🇸 Spanish Edition

Relevant chapters:

• Chapter 4: API Discovery and Inventory Management
• Chapter 6: Governance Frameworks for API Lifecycle
• Chapter 8: Deprecation and Sunset Strategies

Related Terms