AppCheck SPA Scanner is a dynamic application security testing tool designed to identify vulnerabilities in Single Page Applications. The scanner uses headless browser technology to execute and intercept client-side scripting interactions and API responses. The tool employs an event-based crawler that identifies event handlers on pages and builds event graphs to navigate modern applications. It uses real browsers rather than virtual DOM models, enabling communication through websockets and web assembly. The scanner supports scripted workflows to access complex areas of applications including multi-step forms and intricate user interactions. The scanner is framework-agnostic and works with Angular, Vue.js, React, and other JavaScript frameworks. It includes dual crawling capabilities where the browser crawler interacts with the frontend while API seeding captures backend interactions. The tool supports scripted authentication including third-party authentication flows and time-based one-time password mechanisms like Google Authenticator. The scanner performs payload-based assessments to detect both known vulnerabilities in frameworks and unknown vulnerabilities in custom code. It identifies authorization flaws, permission issues, and Insecure Direct Object References (IDOR). The tool supports multi-domain scanning to cover both backend APIs and frontend SPAs in a single scan. Coverage includes OWASP vulnerabilities such as injection, XSS, and RCE, along with over 100,000 known security flaws (CVEs). The scanner can be used throughout the application lifecycle from development to production.