OpenAPI 3.0 (formerly known as the Swagger specification) is a way to specify what your API looks like: which endpoints are available and what standards they need to comply with. This can be very useful in several ways. For us hackers the most obvious one is that having documentation of an API is like a treasure map. Another useful way to utilise these documents is to import them into tools like Postman, or we can interact with the documented endpoints directly with tools like curl.
If we navigate to https://editor.swagger.io/ we can play around a bit with how API documentation is built in the left pane and how to interact with it in the right pane.
As you can see in the right column, you can execute any call described by the Swagger documentation (which is a simple file to read and to create). Click around and see if you can make a POST or a PUT request.
We can also edit the Swagger documentation itself in the left column; play around a little and see if you can figure it out.
Before:
After: what it should look like after the changes.
We are the ones describing the API endpoints, and while this could in principle be generated automatically, it is still often done by hand. Some of these APIs stop being used and fall into oblivion: the endpoint stays deployed while nobody maintains it or remembers it. These "ghost" APIs can roam for months or even years, and an older copy of the documentation may still point straight at them.
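To show what "treasure map" means in practice, and how an old copy of the documentation exposes ghost endpoints, here is an added example (not code from this page or from the Swagger project) that reads an OpenAPI 3.0 document with nothing but the Python standard library. It lists every operation, applies the OpenAPI rule that an operation-level `security` list overrides the document-level one, flags operations that need no credentials, builds a curl command for each one, and diffs two versions of the spec to find operations that were dropped from the documentation. The spec, the host `api.example.invalid`, the `X-API-Key` header and all operation names are constructed for this example and describe no real service.

```python
"""Read an OpenAPI 3.0 document like an attacker: enumerate operations, decide
which need credentials, build curl commands, and diff spec versions to spot
endpoints that vanished from the docs (ghost API candidates).
Standard library only; the spec below is constructed and describes no real API."""
import copy
import json
import shlex

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample spec (assumption: not a real service).
SPEC_V2 = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "Pet Store (constructed example)", "version": "2.0"},
  "servers": [{"url": "https://api.example.invalid/v2"}],
  "security": [{"api_key": []}],
  "components": {"securitySchemes": {
    "api_key": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
  "paths": {
    "/pets": {
      "get": {"operationId": "listPets", "security": [],
              "responses": {"200": {"description": "ok"}}},
      "post": {"operationId": "createPet",
               "requestBody": {"content": {"application/json": {"example": {"name": "rex"}}}},
               "responses": {"201": {"description": "created"}}}
    },
    "/pets/{petId}": {
      "parameters": [{"name": "petId", "in": "path", "required": true,
                      "schema": {"type": "integer"}, "example": 42}],
      "get": {"operationId": "getPet", "responses": {"200": {"description": "ok"}}},
      "put": {"operationId": "updatePet",
              "requestBody": {"content": {"application/json": {"example": {"name": "rex"}}}},
              "responses": {"200": {"description": "ok"}}},
      "delete": {"operationId": "deletePet", "security": [{}],
                 "responses": {"204": {"description": "gone"}}}
    }
  }
}
""")

# Older version of the same spec: one endpoint that was later dropped from the
# docs (constructed; the point is that dropping it from the docs does not
# remove it from the server).
SPEC_V1 = copy.deepcopy(SPEC_V2)
SPEC_V1["info"]["version"] = "1.0"
SPEC_V1["paths"]["/admin/export"] = {
    "get": {"operationId": "exportAll", "responses": {"200": {"description": "ok"}}}}


def auth_required(spec, operation):
    """OpenAPI 3.0: an operation-level 'security' list overrides the global one.
    An empty list means no auth; a list containing {} allows anonymous access."""
    sec = operation.get("security", spec.get("security", []))
    return len(sec) > 0 and all(req for req in sec)


def enumerate_operations(spec):
    """Flatten paths x methods into one record per operation."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        path_params = item.get("parameters", [])  # shared by all methods on this path
        for method in HTTP_METHODS:
            if method in item:
                op = item[method]
                ops.append({"method": method.upper(), "path": path,
                            "operationId": op.get("operationId"),
                            "auth_required": auth_required(spec, op),
                            "parameters": path_params + op.get("parameters", []),
                            "requestBody": op.get("requestBody")})
    return ops


def unauthenticated_operations(spec):
    """(METHOD, path) pairs that the spec says need no credentials at all."""
    return sorted((o["method"], o["path"]) for o in enumerate_operations(spec)
                  if not o["auth_required"])


def curl_command(spec, op):
    """Build a curl invocation: substitute path-parameter examples, add the
    apiKey header placeholder when auth is required, send the JSON example body."""
    base = spec["servers"][0]["url"].rstrip("/")
    path = op["path"]
    for p in op["parameters"]:
        if p.get("in") == "path":
            path = path.replace("{" + p["name"] + "}", str(p.get("example", "<" + p["name"] + ">")))
    parts = ["curl", "-s", "-X", op["method"]]
    if op["auth_required"]:
        scheme = next(iter(spec["components"]["securitySchemes"].values()))  # assumption: one scheme
        if scheme.get("type") == "apiKey" and scheme.get("in") == "header":
            parts += ["-H", scheme["name"] + ": <key>"]
    if op["requestBody"]:
        example = op["requestBody"].get("content", {}).get("application/json", {}).get("example", {})
        parts += ["-H", "Content-Type: application/json", "-d", json.dumps(example)]
    parts.append(base + path)
    return " ".join(shlex.quote(p) for p in parts)


def ghost_candidates(old_spec, new_spec):
    """Operations documented in the older spec but absent from the current one."""
    old = {(o["method"], o["path"]) for o in enumerate_operations(old_spec)}
    new = {(o["method"], o["path"]) for o in enumerate_operations(new_spec)}
    return sorted(old - new)


if __name__ == "__main__":
    for op in enumerate_operations(SPEC_V2):
        print(("AUTH  " if op["auth_required"] else "OPEN  ") + curl_command(SPEC_V2, op))
    print("no credentials needed:", unauthenticated_operations(SPEC_V2))
    print("documented in v1 but not in v2:", ghost_candidates(SPEC_V1, SPEC_V2))
```

Point the same functions at a real `openapi.json` pulled from a target (and at any older copy you can find in a repository history or a cached page) and the ghost list is the first thing worth probing by hand; the curl lines flagged OPEN are the second.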
Of course we might also be giving attackers an advantage in another way: if the documentation is protected by the same session as the main website, they may be able to log into our main website and reuse that cookie to access the OpenAPI documentation.