This talk from OWASP Foundation explores a novel approach to API security assessment called "self-discovery." Learn how to enumerate permissions and resources associated with API keys without accessing provider UIs—critical knowledge for security analysts prioritizing credential rotation. Over 43 minutes, security experts Joseph Leon and Dylan Ayrey demonstrate meticulous techniques for assessing SaaS provider permissions and scopes, including string analysis and HTTP request brute forcing. The presentation culminates with a demonstration of a new open-source tool that automates the discovery process, helping security teams better understand the potential impact of exposed credentials.