Recon

Install ffuf

brew install ffuf        # macOS (Homebrew)
sudo apt install ffuf    # Debian/Ubuntu

AI Endpoint Directory Enumeration

Use ffuf with a custom wordlist to discover AI/LLM API endpoints.

GET Request Scan

ffuf -u http://TARGET:PORT/FUZZ -w wordlist.txt

POST Request Scan

ffuf -u http://TARGET:PORT/FUZZ -w wordlist.txt -X POST

Match by Status Code

ffuf -u http://TARGET:PORT/FUZZ -w wordlist.txt -mc 200,301,401,403,405

Filter by Response Size

ffuf -u http://TARGET:PORT/FUZZ -w wordlist.txt -fs 0

With Authentication Header

ffuf -u http://TARGET:PORT/FUZZ -w wordlist.txt -H "Authorization: Bearer TOKEN"
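
On the receiving side, the scans above appear in access logs as one client requesting many distinct wordlist paths and mostly getting 404. The following detection logic is an added example, not part of the original page: it reads combined-format access log lines and also reports which probed routes answered, so their exposure can be reviewed. The function names, thresholds, AI_PATHS subset and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed subset of the page's wordlist; load the full ai-directory.txt in practice.
AI_PATHS = {"v1/chat/completions", "v1/models", "v1/embeddings", "api/tags",
            "api/generate", "mcp/tools/list", "litellm/key/generate",
            "admin/keys", "openapi.json", ".well-known/agent.json"}

# Combined log format: ip - - [ts] "METHOD /path HTTP/x" status size "referer" "ua"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def find_enumerators(lines, min_paths=5, min_miss_ratio=0.6):
    """Flag clients that probe many distinct wordlist paths and mostly get 404."""
    stats = defaultdict(lambda: {"probed": set(), "answered": set(), "ffuf_ua": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, target, status, ua = m.groups()
        path = target.split("?", 1)[0].strip("/")
        if path not in AI_PATHS:
            continue
        s = stats[ip]
        s["probed"].add(path)
        if status != "404":
            s["answered"].add(path)  # route exists (200/401/403/405): review it
        s["ffuf_ua"] |= ua.startswith("Fuzz Faster U Fool")  # ffuf's default User-Agent
    flagged = {}
    for ip, s in stats.items():
        miss_ratio = 1 - len(s["answered"]) / len(s["probed"])
        if len(s["probed"]) >= min_paths and miss_ratio >= min_miss_ratio:
            flagged[ip] = {"probed": len(s["probed"]), "answered": sorted(s["answered"]),
                           "ffuf_ua": s["ffuf_ua"]}
    return flagged

def _log(ip, path, status, ua="python-requests/2.32.0"):
    return f'{ip} - - [10/Mar/2025:12:00:00 +0000] "GET /{path} HTTP/1.1" {status} 120 "-" "{ua}"'

# Constructed sample: one client sweeping the wordlist, one normal API client.
STATUS = {"v1/models": "200", "admin/keys": "401"}  # every other path returns 404
SAMPLE = [_log("203.0.113.7", p, STATUS.get(p, "404"), "Fuzz Faster U Fool v2.1.0")
          for p in sorted(AI_PATHS)]
SAMPLE += [_log("198.51.100.20", "v1/chat/completions", "200")] * 20

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE).items():
        print(ip, info)
```

The User-Agent match is only a supporting signal, since any client can set that header; the distinct-path and miss-ratio thresholds carry the detection.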

AI Endpoint Wordlist

Save the following as ai-directory.txt for use with ffuf, Gobuster, feroxbuster, etc.

# ── Core LLM API endpoints ──
chat
chat/completions
completions
embeddings
models
models/list
fine-tunes
fine_tuning/jobs
files
assistants
threads
runs
vector_stores
audio/transcriptions
audio/speech
images/generations
images/edits
moderations
batches
usage
auth
billing
users
responses
organizations
realtime
uploads
ocr
v1/chat
v1/chat/completions
v1/completions
v1/embeddings
v1/models
v1/models/list
v1/fine-tunes
v1/fine_tuning/jobs
v1/files
v1/assistants
v1/threads
v1/runs
v1/vector_stores
v1/audio/transcriptions
v1/audio/speech
v1/images/generations
v1/images/edits
v1/moderations
v1/batches
v1/usage
v1/auth
v1/billing
v1/users
v1/responses
v1/organizations
v1/realtime
v1/uploads
v1/ocr
api/chat
api/chat/completions
api/completions
api/generate
api/embeddings
api/models
api/models/list
api/fine-tunes
api/fine_tuning/jobs
api/files
api/assistants
api/threads
api/runs
api/vector_stores
api/audio/transcriptions
api/audio/speech
api/images/generations
api/images/edits
api/moderations
api/batches
api/usage
api/tags
api/show
api/copy
api/pull
api/push
api/blobs
api/version
api/ps
api/stream
api/health
api/healthz
api/ready
api/readiness
api/liveness
api/ping
api/status
api/info
api/metrics
api/config
api/auth
api/billing
api/users
api/responses
api/organizations
api/realtime
api/uploads
api/ocr

# ── OpenAI-compatible endpoints ──
openai/v1/chat/completions
openai/v1/completions
openai/v1/embeddings
openai/v1/models
openai/v1/audio/transcriptions
openai/chat
openai/completions
openai/embeddings
openai/models

# ── Google Gemini / Vertex AI ──
v1beta/models
v1beta/models/gemini-pro:generateContent
v1beta/models/gemini-pro:streamGenerateContent
v1beta/models/gemini-pro:countTokens
v1beta/models/gemini-pro:embedContent
v1beta/models/gemini-pro:batchEmbedContents
v1beta/cachedContents
v1beta/tunedModels
v1beta/files
v1beta/corpora

# ── Cohere ──
v1/generate
v1/embed
v2/chat
v2/embed
v1/rerank
v2/rerank
v1/classify
v1/summarize
v1/tokenize
v1/detokenize
v1/embed-jobs
v1/datasets
v1/connectors
v2/audio/transcriptions

# ── Mistral AI ──
v1/fim/completions
v1/agents/completions

# ── Anthropic / Claude ──
anthropic/v1/messages
v1/messages
v1/message_batches
v1/message_batches/results
v1/complete

# ── Ollama ──
ollama/api/generate
ollama/api/chat
ollama/api/embeddings
ollama/api/tags
ollama/api/show
ollama/api/pull
ollama/api/push
ollama/api/copy
ollama/api/delete
ollama/api/blobs
ollama/api/ps
ollama/api/version

# ── vLLM ──
vllm
vllm/v1/chat/completions
vllm/v1/completions
vllm/v1/embeddings
vllm/v1/models
vllm/v1/responses
vllm/health
vllm/metrics
vllm/version

# ── HuggingFace TGI ──
tgi
generate
generate_stream
v1/tokens/count

# ── NVIDIA Triton Inference Server ──
v2/health/live
v2/health/ready
v2/models
v2/models/stats
v2/repository/index
v2/repository/models/load
v2/repository/models/unload
v2/models/infer
v2/systemsharedmemory/status
v2/cudasharedmemory/status

# ── BentoML ──
bentoml
predict
livez
readyz

# ── Ray Serve ──
serve
serve/deployments
serve/applications

# ── MLflow ──
mlflow
mlflow/api/2.0/mlflow/runs/search
mlflow/api/2.0/mlflow/experiments/list
mlflow/api/2.0/mlflow/registered-models/list
mlflow/api/2.0/mlflow/model-versions/search
ajax-api/2.0/mlflow/runs/search

# ── LiteLLM ──
litellm
litellm/health
litellm/models
litellm/key/generate
litellm/key/info
litellm/key/delete
litellm/key/list
litellm/spend/logs
litellm/spend/tags
litellm/v1/chat/completions
litellm/v1/completions
litellm/v1/embeddings
litellm/v1/models
litellm/user/info
litellm/user/new
litellm/team/list
litellm/team/new
litellm/budget/list
litellm/global/spend
litellm/model/info

# ── LangGraph Platform ──
langgraph
assistants/search
threads/search
threads/state
runs/stream
runs/wait
runs/list
runs/cancel
crons
crons/search
store
store/items
store/namespaces

# ── LangChain / LangServe ──
langchain
langserve
invoke
batch
stream
stream_log
input_schema
output_schema
config_schema
playground
runs/feedback
feedback
feedback/tokens
public_trace_link
c/shared

# ── Agent / Agentic frameworks ──
agent
agents
agent/run
agent/invoke
agent/stream
agent/chat
agent/memory
agent/tools
agent/status
agent/history
agent/sessions
agent/session
agent/execute
agent/feedback
agents/run
agents/invoke
agents/list
agents/create
agents/delete
agents/status
agents/memory
tools
tools/list
tools/invoke
toolbox
toolbox/tools

# ── MCP (Model Context Protocol) ──
mcp
mcp/sse
mcp/messages
mcp/message
mcp/tools
mcp/tools/list
mcp/tools/call
mcp/resources
mcp/resources/list
mcp/resources/read
mcp/resources/templates/list
mcp/resources/subscribe
mcp/prompts
mcp/prompts/list
mcp/prompts/get
mcp/ping
mcp/list
mcp/invoke
mcp/manifest
mcp/initialize
mcp/logging/setLevel
mcp/completion/complete
mcp/roots/list
sse
messages

# ── A2A (Agent-to-Agent Protocol) ──
a2a
a2a/agent
a2a/agents
a2a/message
a2a/message/send
a2a/message/stream
a2a/task
a2a/task/status
a2a/tasks/get
a2a/tasks/send
a2a/tasks/sendSubscribe
a2a/tasks/cancel
a2a/tasks/pushNotification/set
a2a/tasks/pushNotification/get
a2a/tasks/resubscribe
run/agents/a2a
.well-known/agent.json
.well-known/agent-card.json

# ── RAG / Vector DB ──
rag
rag/query
rag/index
rag/ingest
rag/search
rag/documents
rag/upload
rag/delete
retrieval
retrieval/query
retrieval/upsert
embeddings/search
embeddings/upsert
embeddings/delete
vector
vector/search
vector/upsert
vector/delete
knowledge
knowledge/search
knowledge/upload
knowledge/base
knowledge-base
documents
documents/upload
documents/search
documents/list
documents/delete
chunks
chunks/search
chunks/list
index
index/build
index/list
index/delete
rerank
rerank/query

# ── Prompt management ──
prompt
prompts
prompt/list
prompt/get
prompt/create
prompt/update
prompt/delete
prompts/templates
prompts/versions
prompt/render
prompt/evaluate
system_prompt
system-prompt
instructions
instruction

# ── Memory / session ──
memory
memory/list
memory/get
memory/add
memory/delete
memory/clear
memory/search
session
sessions
session/create
session/list
session/delete
session/history
context
context/list
context/get
history
history/list
history/clear
conversation
conversations
conversation/list
conversation/get
conversation/delete

# ── Model serving / inference ──
infer
inference
inference/run
inference/status
inference/health
prediction
predictions
generate/text
generate/image
generate/audio
summarize
summarize/text
classify
classify/text
translate
translate/text
extract
extract/entities
extract/keywords
score
tokenize
detokenize
count_tokens
token/count

# ── Admin / management ──
admin
admin/login
admin/dashboard
admin/users
admin/keys
admin/usage
admin/logs
admin/settings
admin/models
admin/tokens
admin/billing
admin/config
dashboard
dashboard/usage
dashboard/metrics
dashboard/logs
management
management/keys
management/users
management/models
keys
keys/generate
keys/list
keys/revoke
keys/info
tokens
tokens/generate
tokens/list
tokens/revoke
token/usage

# ── Debug / dev endpoints ──
debug
debug/info
debug/logs
debug/trace
debug/vars
debug/pprof
debug/metrics
debug/config
debug/env
debug/models
debug/embeddings
dev
dev/info
dev/logs
dev/playground
playground/chat
playground/completions
playground/embeddings
test
test/chat
test/completions
test/connection
test/model
sandbox
sandbox/run
sandbox/execute
eval
eval/run
eval/results
evaluation
evaluation/run
evaluation/results
benchmark
benchmark/run
experiment
experiments
experiments/list
experiments/run
tracing
tracing/runs
tracing/spans
trace
trace/runs
observability
monitoring
monitoring/health
monitoring/metrics

# ── Config / health ──
health
health/check
healthcheck
healthz
ready
readiness
liveness
ping
status
status/check
metrics
metrics/prometheus
stats
stats/usage
version
version/info
info
config
config/list
config/get
settings
settings/list
settings/get
env
env/info
about
about/version
docs
redoc
openapi.json
swagger
swagger.json
.well-known/openid-configuration
.well-known/ai-plugin.json
.well-known/oauth-protected-resource
.well-known/oauth-authorization-server

# ── OpenWebUI / common OSS frontends ──
openwebui
open-webui
api/v1/auths/signin
api/v1/auths/signup
api/v1/auths/profile
api/v1/users
api/v1/users/list
api/v1/chats
api/v1/chats/list
api/v1/chats/all
api/v1/models
api/v1/models/list
api/v1/documents
api/v1/memories
api/v1/tools
api/v1/functions
api/v1/prompts
api/v1/knowledge
api/v1/pipelines
api/v1/evaluations
api/v1/feedback
api/v1/configs
api/v1/utils/pdf
socket.io
socket
ws
websocket

# ── Gradio / HuggingFace Spaces ──
gradio
run/predict
queue/join
queue/status
queue/data
queue
run
api
api/queue/status
api/queue/join
api/queue/data
api/predict

# ── Flowise / n8n / Dify / common AI platforms ──
flowise
api/v1/chatflows
api/v1/chatflows/apikey
api/v1/prediction
api/v1/openai-compatible/chat/completions
api/v1/vector/upsert
api/v1/node-icon
dify
api/chat-messages
api/completion-messages
api/workflows/run
api/messages
api/conversations
api/documents
api/datasets
api/embeddings
n8n
n8n/webhook
webhook
webhook/llm
workflow
workflows
workflows/execute

# ── Azure OpenAI / AWS Bedrock / Cloud AI gateways ──
openai/deployments
openai/deployments/chat/completions
openai/deployments/completions
openai/deployments/embeddings
bedrock/model/invoke
bedrock-runtime
ai-gateway
gateway/v1
gateway/openai
gateway/anthropic
gateway/workers-ai
compat/chat/completions

# ── Cloudflare Workers AI ──
workers-ai
ai/run
ai/models
ai/finetunes
ai/gateway

# ── DeepSeek ──
deepseek
deepseek/v1/chat/completions
deepseek/v1/models

# ── Groq ──
groq