Quick Start

Two steps: create config, run dino scan.

GraphQL (ad-hoc)
REST (OpenAPI, tenant)

Create a config file

Option A: Interactive setup

npx @dino-hq/cli init

Answer the prompts - endpoint, protocol, auth, format. Writes .dino.yml in your current directory.Option B: Manual (two lines)

.dino.yml

endpoint: https://your-api.com/graphql
protocol: graphql

That is the minimum for GraphQL without a tenant file.

Run the scan

npx @dino-hq/cli scan

Dino introspects your endpoint, discovers operations, and runs the shipped quality pipeline. GraphQL modules plus rest-fuzzer when REST operations are present.

Module	What it checks
Input Fuzzer	Null injection, type confusion, boundary violations
Response Validator	Schema-response conformance, extra fields, structural drift
RBAC Matrix	Auth bypass, permission escalation, missing auth
Rate Limit Validator	Missing rate limits, header inconsistencies
Error Code Validator	Stack trace leaks, inconsistent error formats
Deprecation Tracker	Deprecated field usage, migration progress
REST Fuzzer	When REST/OpenAPI operations exist: 19 strategies across body, path, query, method, content-type, schema, and headers

Output is a JSON catalogue with per-operation health scores, findings, and coverage data.

Add --format markdown for a human-readable report, or pipe to a file: dino scan > report.json

Create `tenants/my-api.yml`

schemaVersion: 1
id: my-api
name: My REST API
apis:
  - name: main
    type: rest
    source: openapi
    specPath: https://api.example.com/openapi.json
environments:
  default:
    endpoints:
      main: https://api.example.com
    timeout: 30000
defaultEnvironment: default
auth:
  adapter: none
  adapterConfig: {}
  roles: []
agents: []

Point `.dino.yml` at the tenant

.dino.yml

tenant: my-api
format: json

Run the scan

npx @dino-hq/cli scan --tenant my-api

Dino loads the OpenAPI document, discovers REST operations, and runs the same reporting pipeline as GraphQL — including rest-fuzzer (19 schema-aware fuzz strategies across six attack surfaces when REST operations are detected).

Use --env to pick a non-default environment from your tenant file.

What you get

Every operation in your API gets:

Health score (0-100): per-operation quality rating
Findings: grouped by pipeline module, with severity
Coverage status: which operations are tested, documented, or untested

Ad-hoc mode vs tenant mode

Mode	Config	Best for
Ad-hoc	`.dino.yml` with `endpoint` + `protocol: graphql`	Quick GraphQL runs, CI one-offs, trying Dino out
Tenant	`--tenant <id>` or `tenant:` in `.dino.yml` → `tenants/<id>.yml`	Multi-environment, auth, RBAC testing, REST/OpenAPI, scheduled scans

What’s next

dino scan

Full flag reference and pipeline details.

How agents work

How Dino’s quality modules exercise your API.

Configuration

Full .dino.yml and tenant reference, auth, RBAC, environments, REST.

Documentation Index

​What you get

​Ad-hoc mode vs tenant mode

​What’s next

dino scan

How agents work

Configuration

What you get

Ad-hoc mode vs tenant mode

What’s next