Cloudflare Docs
API Shield
Edit this page on GitHub
Set theme to dark (⇧+D)

Endpoint Management

Monitor the health of your API endpoints by saving, updating, and monitoring performance metrics using API Shield’s Endpoint Management.

Add endpoints allows customers to save endpoints directly from API Discovery or manually by method, path, and host.

This will add the specified endpoints to your list of managed endpoints. You can view your list of saved endpoints in the Endpoint Management page.

Cloudflare will start collecting performance data on your endpoint when you save an endpoint.

​​ Access

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Select Security > API Shield.
  3. Add your endpoints manually, from Schema Validation, or from API Discovery.

​​ Add endpoints from API Discovery

There are two ways to add API endpoints from Discovery.

​​ Add from the Endpoint Management Tab

  1. From Endpoint Management, select Add endpoints > Select from Discovery tab.
  2. Select the discovered endpoints you would like to add.
  3. Select Add endpoints.

​​ Add from the Discovery Tab

  1. From Endpoint Management, select the Discovery tab.
  2. Select the discovered endpoints you would like to add.
  3. Select Save selected endpoints.

​​ Add endpoints from Schema Validation

  1. Add a schema by configuring Schema Validation.
  2. On Review schema endpoints, save new endpoints to endpoint management by checking the box.
  3. Select Save as draft or Save and Deploy. Endpoints will be saved regardless of whether the Schema is saved as a draft or published.

API Shield will look for duplicate endpoints that have the same host, method, and path. Duplicate endpoints will not be saved to endpoint management.

​​ Add endpoints manually

  1. From Endpoint Management, select Add endpoints > Manually add.
  2. Choose the method from the dropdown menu and add the path and hostname for the endpoint.
  3. Select Add endpoints.

When adding an endpoint manually, you can specify variable fields in the path or host by enclosing them in braces, /api/user/{var1}/details or {var1}.example.com.

For more information on how Cloudflare uses variables in API Shield, refer to the examples from API Discovery.

​​ Endpoint schema learning

Cloudflare learns schema parameters via traffic inspection. For all endpoints saved to Endpoint Management, you can export OpenAPI schemas in v3.0.0 format by hostname. You can also include learned schema parameters.

To protect your API with a learned schema, refer to Schema Validation.

​​ Export a schema

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Select Security > API Shield.
  3. Navigate to Endpoint Management.
  4. Select Export schema and choose a hostname to export.
  5. Select whether to include learned parameters and rate limit recommendations
  6. Select Export schema and choose a location to save the file.

​​ Learned schemas will always include:

  • The listed hostname in the servers section
  • All endpoints by host, method, and path
  • Detected path variables

​​ Learned schemas can optionally include:

  • Detected query parameters and its format
  • API Shield’s rate limit threshold recommendations

​​ Endpoint Performance Analysis

For each saved endpoint, customers can view:

  • Request count: The total number of requests to the endpoint over time.
  • Rate limiting recommendation: per 10 minutes. This is guided by the request count.
  • Latency: The average origin response time in milliseconds (ms). This metric shows how long it takes from the moment a visitor makes a request to the moment the visitor gets a response back from the origin.
  • Error rate vs. overall traffic: grouped by 4xx, 5xx, and their sum.
  • Response size: The average size of the response (in bytes) returned to the request.

​​ Using the Cloudflare API

You can interact with Endpoint Management through the Cloudflare API. Refer to Endpoint Management’s API documentation for more information.

​​ Sensitive Data Detection

Sensitive data comprises various personally identifiable information and financial data. Cloudflare created this ruleset to address common data loss threats, and the WAF can search for this data in HTTP response bodies from your origin.

API Shield will alert users to the presence of sensitive data in the response body of API endpoints listed in Endpoint Management if the zone is also subscribed to the Sensitive Data Detection managed ruleset.

Sensitive Data Detection is currently available in beta to Enterprise customers on our Advanced application security plan.

Once Sensitive Data Detection is enabled for your zone, API Shield queries firewall events from the WAF for the last seven days and places a notification icon on the Endpoint Management table row if there are any matched sensitive responses for your endpoint.

API Shield displays the types of sensitive data found if you expand the Endpoint Management table row to view further details. Select Explore Events to view the matched events in Security Events.

After Sensitive Data Detection is enabled for your zone, you can browse the Sensitive Data Detection ruleset. The link will not work if Sensitive Data Detection is not enabled.