ECZ-ID API Security

EcoCitizenz

Review your API surfaces and their proof posture before you expose them.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

ECZ-ID API Security

Find API surfaces and review their identity and proof posture locally.

Free, local-first. No source upload. No sign-in to run a check.

  • Surfaces OpenAPI / Swagger, GraphQL and API-route definitions.
  • Plain-English posture per detected API surface.
  • Routes to Resolver lookup and supported setup.

What you can do in under a minute

  1. Open or scan the workspace — run ECZ-ID API Security: Scan Workspace.
  2. Review findings in plain English — grouped, with neutral posture.
  3. Open Resolver guidance or continue supported setup where relevant.

What it looks for

  • OpenAPI / Swagger documents (openapi.*, swagger.*).
  • GraphQL schemas (*.graphql, schema definitions).
  • API route definitions and gateway/config references.
  • Whether a resolver reference is present for a detected API surface.

What results mean

Results describe public-proof posture, never a safety, approval, certification or compliance verdict:

resolvable · partial public proof · no public proof reference found yet · review recommended · re-check before reliance · your local policy decides.

There is no “pass/fail”. Local policy decides what is sufficient, and you should re-check before reliance.

Recommended next steps

  • Inspect the finding — plain-English detail, no verdict.
  • Copy verification guidance — a claim-free snippet you can share.
  • Open Resolver — read-only public proof lookup.
  • Continue supported setup — hand off to TrustOps (metadata only).
  • Open documentation — Developer Gateway.
  • Re-check later — re-run before you rely on a result.

Privacy & permissions

| Question | Answer |
|---|---|
| Files read | Filenames and paths during a normal scan |
| File contents read | No — except a file you explicitly target (e.g. an ecz-*.json you ask to validate) |
| Selected text read | No |
| Anything uploaded | No source, prompts, secrets or tool payloads leave your device |
| Network destinations | Only the links you click (Resolver / TrustOps / Developer Gateway) open in your browser |
| Telemetry | None |
| Retention | None — no caller data is stored or persisted |
| Local storage | Minimal extension state only |
| Workspace Trust | Respected; scanning is gated by VS Code Workspace Trust |

See the bundled PRIVACY.md for the full notice.

Frequently asked questions

Is this extension free?

Yes. Every local check is free — you never need to sign in or pay to run one.

Does it upload my source code?

No. No source, prompts, secrets or tool payloads ever leave your device, and there is no telemetry.

Does it read my file contents?

It reads filenames and paths during a scan. It only reads the contents of a file you explicitly ask it to inspect (for example an ecz-*.json you choose to validate).

Does a missing proof reference mean something is unsafe?

No. “No public proof reference found yet” is neutral — it is not a verdict of “unsafe”. It only means resolver-verifiable public proof was not detected.

What does Resolver do?

Resolver is a read-only public proof lookup. The extension can open it so you can check public proof yourself; the extension never writes, activates or decides anything.

Do I need an ECZ-ID before using the extension?

No. You can run every local check without one. An ECZ-ID is only relevant if you later choose supported setup in TrustOps.

What happens when I continue supported setup?

The extension hands off to TrustOps with metadata only. It runs no checkout itself; TrustOps handles acquisition, setup and lifecycle.

Can this extension make a compliance or approval decision?

No. It surfaces posture and routes you to proof. Local policy decides sufficiency; it never certifies, approves or guarantees.

Is this a penetration tester?

No. It does not perform a penetration test, scan running traffic, or guarantee security. It surfaces API artefacts and posture from local files.

Does it inspect live API traffic?

No. It reads only local files — OpenAPI/Swagger, GraphQL schemas and route definitions.

What it does not do

  • No source / prompt / secret upload, and no telemetry.
  • Writes no canonical truth, decides no BOUND state, creates no entitlement.
  • Makes no safety, approval, certification or compliance claim. Does not perform a penetration test, scan running traffic, or guarantee security. It surfaces API artefacts and posture from local files.
  • Runs no checkout or payment — commercial actions happen only in TrustOps.

Install & first use

  1. Install ECZ-ID API Security from the Visual Studio Marketplace (publisher EcoCitizenz).
  2. Open a project and trust the workspace.
  3. Run ECZ-ID API Security: Scan Workspace and review the grouped findings.

Links & support

  • Resolver (read-only proof): https://resolver.ecocitizenz.org
  • TrustOps (supported setup): https://trustops.ecocitizenz.com/start
  • Developer Gateway (docs & support): https://developers.ecocitizenz.com
  • Privacy: see the bundled PRIVACY.md file

ECZ-ID is an independent project and is not affiliated with or sponsored by Microsoft, GitHub, VS Code, OpenAI, Anthropic, Google, or AWS. ECZ-ID helps make identity, authority, and resolver posture easier to review. Local policy decides whether this is sufficient.
