API Reference

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

API Gateway

API GatewayConfigurations

Retrieve information about specific configuration properties

GET/zones/{zone_id}/api_gateway/configuration

Update configuration properties

PUT/zones/{zone_id}/api_gateway/configuration

ModelsExpand Collapse

Configuration object { auth_id_characteristics }

auth_id_characteristics: array of object { name, type } or object { name, type }

One of the following:

APIShieldAuthIDCharacteristic object { name, type }

Auth ID Characteristic

name: string

The name of the characteristic field, i.e., the header or cookie name.

maxLength128

type: "header" or "cookie"

The type of characteristic.

One of the following:

"header"

"cookie"

APIShieldAuthIDCharacteristicJWTClaim object { name, type }

Auth ID Characteristic extracted from JWT Token Claims

name: string

Claim location expressed as $(token_config_id):$(json_path), where token_config_id is the ID of the token configuration used in validating the JWT, and json_path is a RFC 9535 JSONPath (https://goessner.net/articles/JsonPath/, https://www.rfc-editor.org/rfc/rfc9535.html). The JSONPath expression may be in dot or bracket notation, may only specify literal keys or array indexes, and must return a singleton value, which will be interpreted as a string.

maxLength128

type: "jwt"

The type of characteristic.

API GatewayDiscovery

Retrieve discovered operations on a zone rendered as OpenAPI schemas

GET/zones/{zone_id}/api_gateway/discovery

ModelsExpand Collapse

DiscoveryOperation object { id, endpoint, host, 5 more }

id: string

UUID.

maxLength36

minLength36

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

origin: array of "ML" or "SessionIdentifier" or "LabelDiscovery"

API discovery engine(s) that discovered this operation

One of the following:

"ML"

"SessionIdentifier"

"LabelDiscovery"

state: "review" or "saved" or "ignored"

State of operation in API Discovery

• review - Operation is not saved into API Shield Endpoint Management
• saved - Operation is saved into API Shield Endpoint Management
• ignored - Operation is marked as ignored

One of the following:

"review"

"saved"

"ignored"

features: optional object { traffic_stats }

traffic_stats: optional object { last_updated, period_seconds, requests }

last_updated: string

formatdate-time

period_seconds: number

The period in seconds these statistics were computed over

requests: number

The average number of requests seen during this period

formatfloat

DiscoveryGetResponse object { schemas, timestamp }

schemas: array of unknown

timestamp: string

formatdate-time

API GatewayDiscoveryOperations

Retrieve discovered operations on a zone

GET/zones/{zone_id}/api_gateway/discovery/operations

Patch discovered operation

PATCH/zones/{zone_id}/api_gateway/discovery/operations/{operation_id}

Patch discovered operations

PATCH/zones/{zone_id}/api_gateway/discovery/operations

ModelsExpand Collapse

OperationEditResponse object { state }

state: optional "review" or "saved" or "ignored"

State of operation in API Discovery

• review - Operation is not saved into API Shield Endpoint Management
• saved - Operation is saved into API Shield Endpoint Management
• ignored - Operation is marked as ignored

One of the following:

"review"

"saved"

"ignored"

OperationBulkEditResponse = map[object { state } ]

state: optional "review" or "ignored"

Mark state of operation in API Discovery

• review - Mark operation as for review
• ignored - Mark operation as ignored

One of the following:

"review"

"ignored"

API GatewayLabels

Retrieve all labels

GET/zones/{zone_id}/api_gateway/labels

ModelsExpand Collapse

LabelListResponse object { created_at, description, last_updated, 4 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

mapped_resources: optional unknown

Provides counts of what resources are linked to this label

API GatewayLabelsUser

Create user labels

POST/zones/{zone_id}/api_gateway/labels/user

Delete user labels

DELETE/zones/{zone_id}/api_gateway/labels/user

Retrieve user label

GET/zones/{zone_id}/api_gateway/labels/user/{name}

Update user label

PUT/zones/{zone_id}/api_gateway/labels/user/{name}

Patch user label

PATCH/zones/{zone_id}/api_gateway/labels/user/{name}

Delete user label

DELETE/zones/{zone_id}/api_gateway/labels/user/{name}

ModelsExpand Collapse

UserBulkCreateResponse object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

UserBulkDeleteResponse object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

UserGetResponse object { created_at, description, last_updated, 4 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

mapped_resources: optional unknown

Provides counts of what resources are linked to this label

UserUpdateResponse object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

UserEditResponse object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

UserDeleteResponse object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

API GatewayLabelsUserResources

API GatewayLabelsUserResourcesOperation

Replace operation(s) attached to a user label

PUT/zones/{zone_id}/api_gateway/labels/user/{name}/resources/operation

ModelsExpand Collapse

OperationUpdateResponse object { created_at, description, last_updated, 4 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

mapped_resources: optional unknown

Provides counts of what resources are linked to this label

API GatewayLabelsManaged

Retrieve managed label

GET/zones/{zone_id}/api_gateway/labels/managed/{name}

ModelsExpand Collapse

ManagedGetResponse object { created_at, description, last_updated, 4 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

mapped_resources: optional unknown

Provides counts of what resources are linked to this label

API GatewayLabelsManagedResources

API GatewayLabelsManagedResourcesOperation

Replace operation(s) attached to a managed label

PUT/zones/{zone_id}/api_gateway/labels/managed/{name}/resources/operation

ModelsExpand Collapse

OperationUpdateResponse object { created_at, description, last_updated, 4 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

mapped_resources: optional unknown

Provides counts of what resources are linked to this label

API GatewayOperations

Retrieve information about all operations on a zone

GET/zones/{zone_id}/api_gateway/operations

Retrieve information about an operation

GET/zones/{zone_id}/api_gateway/operations/{operation_id}

Add one operation to a zone

POST/zones/{zone_id}/api_gateway/operations/item

Delete an operation

DELETE/zones/{zone_id}/api_gateway/operations/{operation_id}

Add operations to a zone

POST/zones/{zone_id}/api_gateway/operations

Delete multiple operations

DELETE/zones/{zone_id}/api_gateway/operations

ModelsExpand Collapse

APIShield object { endpoint, host, last_updated, 2 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

OperationListResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

features: optional object { thresholds } or object { parameter_schemas } or object { api_routing } or 2 more

One of the following:

APIShieldOperationFeatureThresholds object { thresholds }

thresholds: optional object { auth_id_tokens, data_points, last_updated, 6 more }

auth_id_tokens: optional number

The total number of auth-ids seen across this calculation.

data_points: optional number

The number of data points used for the threshold suggestion calculation.

last_updated: optional string

formatdate-time

p50: optional number

The p50 quantile of requests (in period_seconds).

p90: optional number

The p90 quantile of requests (in period_seconds).

p99: optional number

The p99 quantile of requests (in period_seconds).

period_seconds: optional number

The period over which this threshold is suggested.

requests: optional number

The estimated number of requests covered by these calculations.

suggested_threshold: optional number

The suggested threshold in requests done by the same auth_id or period_seconds.

APIShieldOperationFeatureParameterSchemas object { parameter_schemas }

parameter_schemas: object { last_updated, parameter_schemas }

last_updated: optional string

formatdate-time

parameter_schemas: optional object { parameters, responses }

An operation schema object containing a response.

parameters: optional array of unknown

An array containing the learned parameter schemas.

responses: optional unknown

An empty response object. This field is required to yield a valid operation schema.

APIShieldOperationFeatureAPIRouting object { api_routing }

api_routing: optional object { last_updated, route }

API Routing settings on endpoint.

last_updated: optional string

formatdate-time

route: optional string

Target route.

APIShieldOperationFeatureConfidenceIntervals object { confidence_intervals }

confidence_intervals: optional object { last_updated, suggested_threshold }

last_updated: optional string

formatdate-time

suggested_threshold: optional object { confidence_intervals, mean }

confidence_intervals: optional object { p90, p95, p99 }

p90: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p95: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p99: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

mean: optional number

Suggested threshold.

APIShieldOperationFeatureSchemaInfo object { schema_info }

schema_info: optional object { active_schema, learned_available, mitigation_action }

active_schema: optional object { id, created_at, is_learned, name }

Schema active on endpoint.

id: optional string

UUID.

maxLength36

minLength36

created_at: optional string

formatdate-time

is_learned: optional boolean

True if schema is Cloudflare-provided.

name: optional string

Schema file name.

learned_available: optional boolean

True if a Cloudflare-provided learned schema is available for this endpoint.

mitigation_action: optional "none" or "log" or "block"

Action taken on requests failing validation.

One of the following:

"none"

"log"

"block"

OperationGetResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

features: optional object { thresholds } or object { parameter_schemas } or object { api_routing } or 2 more

One of the following:

APIShieldOperationFeatureThresholds object { thresholds }

thresholds: optional object { auth_id_tokens, data_points, last_updated, 6 more }

auth_id_tokens: optional number

The total number of auth-ids seen across this calculation.

data_points: optional number

The number of data points used for the threshold suggestion calculation.

last_updated: optional string

formatdate-time

p50: optional number

The p50 quantile of requests (in period_seconds).

p90: optional number

The p90 quantile of requests (in period_seconds).

p99: optional number

The p99 quantile of requests (in period_seconds).

period_seconds: optional number

The period over which this threshold is suggested.

requests: optional number

The estimated number of requests covered by these calculations.

suggested_threshold: optional number

The suggested threshold in requests done by the same auth_id or period_seconds.

APIShieldOperationFeatureParameterSchemas object { parameter_schemas }

parameter_schemas: object { last_updated, parameter_schemas }

last_updated: optional string

formatdate-time

parameter_schemas: optional object { parameters, responses }

An operation schema object containing a response.

parameters: optional array of unknown

An array containing the learned parameter schemas.

responses: optional unknown

An empty response object. This field is required to yield a valid operation schema.

APIShieldOperationFeatureAPIRouting object { api_routing }

api_routing: optional object { last_updated, route }

API Routing settings on endpoint.

last_updated: optional string

formatdate-time

route: optional string

Target route.

APIShieldOperationFeatureConfidenceIntervals object { confidence_intervals }

confidence_intervals: optional object { last_updated, suggested_threshold }

last_updated: optional string

formatdate-time

suggested_threshold: optional object { confidence_intervals, mean }

confidence_intervals: optional object { p90, p95, p99 }

p90: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p95: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p99: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

mean: optional number

Suggested threshold.

APIShieldOperationFeatureSchemaInfo object { schema_info }

schema_info: optional object { active_schema, learned_available, mitigation_action }

active_schema: optional object { id, created_at, is_learned, name }

Schema active on endpoint.

id: optional string

UUID.

maxLength36

minLength36

created_at: optional string

formatdate-time

is_learned: optional boolean

True if schema is Cloudflare-provided.

name: optional string

Schema file name.

learned_available: optional boolean

True if a Cloudflare-provided learned schema is available for this endpoint.

mitigation_action: optional "none" or "log" or "block"

Action taken on requests failing validation.

One of the following:

"none"

"log"

"block"

OperationCreateResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

features: optional object { thresholds } or object { parameter_schemas } or object { api_routing } or 2 more

One of the following:

APIShieldOperationFeatureThresholds object { thresholds }

thresholds: optional object { auth_id_tokens, data_points, last_updated, 6 more }

auth_id_tokens: optional number

The total number of auth-ids seen across this calculation.

data_points: optional number

The number of data points used for the threshold suggestion calculation.

last_updated: optional string

formatdate-time

p50: optional number

The p50 quantile of requests (in period_seconds).

p90: optional number

The p90 quantile of requests (in period_seconds).

p99: optional number

The p99 quantile of requests (in period_seconds).

period_seconds: optional number

The period over which this threshold is suggested.

requests: optional number

The estimated number of requests covered by these calculations.

suggested_threshold: optional number

The suggested threshold in requests done by the same auth_id or period_seconds.

APIShieldOperationFeatureParameterSchemas object { parameter_schemas }

parameter_schemas: object { last_updated, parameter_schemas }

last_updated: optional string

formatdate-time

parameter_schemas: optional object { parameters, responses }

An operation schema object containing a response.

parameters: optional array of unknown

An array containing the learned parameter schemas.

responses: optional unknown

An empty response object. This field is required to yield a valid operation schema.

APIShieldOperationFeatureAPIRouting object { api_routing }

api_routing: optional object { last_updated, route }

API Routing settings on endpoint.

last_updated: optional string

formatdate-time

route: optional string

Target route.

APIShieldOperationFeatureConfidenceIntervals object { confidence_intervals }

confidence_intervals: optional object { last_updated, suggested_threshold }

last_updated: optional string

formatdate-time

suggested_threshold: optional object { confidence_intervals, mean }

confidence_intervals: optional object { p90, p95, p99 }

p90: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p95: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p99: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

mean: optional number

Suggested threshold.

APIShieldOperationFeatureSchemaInfo object { schema_info }

schema_info: optional object { active_schema, learned_available, mitigation_action }

active_schema: optional object { id, created_at, is_learned, name }

Schema active on endpoint.

id: optional string

UUID.

maxLength36

minLength36

created_at: optional string

formatdate-time

is_learned: optional boolean

True if schema is Cloudflare-provided.

name: optional string

Schema file name.

learned_available: optional boolean

True if a Cloudflare-provided learned schema is available for this endpoint.

mitigation_action: optional "none" or "log" or "block"

Action taken on requests failing validation.

One of the following:

"none"

"log"

"block"

OperationDeleteResponse object { errors, messages, success }

errors: Message { code, message, documentation_url, source }

messages: Message { code, message, documentation_url, source }

success: true

Whether the API call was successful.

OperationBulkCreateResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

features: optional object { thresholds } or object { parameter_schemas } or object { api_routing } or 2 more

One of the following:

APIShieldOperationFeatureThresholds object { thresholds }

thresholds: optional object { auth_id_tokens, data_points, last_updated, 6 more }

auth_id_tokens: optional number

The total number of auth-ids seen across this calculation.

data_points: optional number

The number of data points used for the threshold suggestion calculation.

last_updated: optional string

formatdate-time

p50: optional number

The p50 quantile of requests (in period_seconds).

p90: optional number

The p90 quantile of requests (in period_seconds).

p99: optional number

The p99 quantile of requests (in period_seconds).

period_seconds: optional number

The period over which this threshold is suggested.

requests: optional number

The estimated number of requests covered by these calculations.

suggested_threshold: optional number

The suggested threshold in requests done by the same auth_id or period_seconds.

APIShieldOperationFeatureParameterSchemas object { parameter_schemas }

parameter_schemas: object { last_updated, parameter_schemas }

last_updated: optional string

formatdate-time

parameter_schemas: optional object { parameters, responses }

An operation schema object containing a response.

parameters: optional array of unknown

An array containing the learned parameter schemas.

responses: optional unknown

An empty response object. This field is required to yield a valid operation schema.

APIShieldOperationFeatureAPIRouting object { api_routing }

api_routing: optional object { last_updated, route }

API Routing settings on endpoint.

last_updated: optional string

formatdate-time

route: optional string

Target route.

APIShieldOperationFeatureConfidenceIntervals object { confidence_intervals }

confidence_intervals: optional object { last_updated, suggested_threshold }

last_updated: optional string

formatdate-time

suggested_threshold: optional object { confidence_intervals, mean }

confidence_intervals: optional object { p90, p95, p99 }

p90: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p95: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p99: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

mean: optional number

Suggested threshold.

APIShieldOperationFeatureSchemaInfo object { schema_info }

schema_info: optional object { active_schema, learned_available, mitigation_action }

active_schema: optional object { id, created_at, is_learned, name }

Schema active on endpoint.

id: optional string

UUID.

maxLength36

minLength36

created_at: optional string

formatdate-time

is_learned: optional boolean

True if schema is Cloudflare-provided.

name: optional string

Schema file name.

learned_available: optional boolean

True if a Cloudflare-provided learned schema is available for this endpoint.

mitigation_action: optional "none" or "log" or "block"

Action taken on requests failing validation.

One of the following:

"none"

"log"

"block"

OperationBulkDeleteResponse object { errors, messages, success }

errors: Message { code, message, documentation_url, source }

messages: Message { code, message, documentation_url, source }

success: true

Whether the API call was successful.

API GatewayOperationsLabels

Replace label(s) on an operation in endpoint management

PUT/zones/{zone_id}/api_gateway/operations/{operation_id}/labels

Attach label(s) on an operation in endpoint management

POST/zones/{zone_id}/api_gateway/operations/{operation_id}/labels

Remove label(s) on an operation in endpoint management

DELETE/zones/{zone_id}/api_gateway/operations/{operation_id}/labels

Bulk replace label(s) on operation(s) in endpoint management

PUT/zones/{zone_id}/api_gateway/operations/labels

Bulk attach label(s) on operation(s) in endpoint management

POST/zones/{zone_id}/api_gateway/operations/labels

Bulk remove label(s) on operation(s) in endpoint management

DELETE/zones/{zone_id}/api_gateway/operations/labels

ModelsExpand Collapse

LabelUpdateResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

labels: optional array of object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

LabelCreateResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

labels: optional array of object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

LabelDeleteResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

labels: optional array of object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

LabelBulkUpdateResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

labels: optional array of object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

LabelBulkCreateResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

labels: optional array of object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

LabelBulkDeleteResponse object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

labels: optional array of object { created_at, description, last_updated, 3 more }

created_at: string

formatdate-time

description: string

The description of the label

last_updated: string

formatdate-time

metadata: unknown

Metadata for the label

name: string

The name of the label

source: "user" or "managed"

• user - label is owned by the user
• managed - label is owned by cloudflare

One of the following:

"user"

"managed"

API GatewayOperationsSchema Validation

Retrieve operation-level schema validation settings

Deprecated

GET/zones/{zone_id}/api_gateway/operations/{operation_id}/schema_validation

Update operation-level schema validation settings

Deprecated

PUT/zones/{zone_id}/api_gateway/operations/{operation_id}/schema_validation

Update multiple operation-level schema validation settings

Deprecated

PATCH/zones/{zone_id}/api_gateway/operations/schema_validation

ModelsExpand Collapse

SettingsMultipleRequest = map[object { mitigation_action } ]

mitigation_action: optional "log" or "block" or "none"

When set, this applies a mitigation action to this operation

• log log request when request does not conform to schema for this operation
• block deny access to the site when request does not conform to schema for this operation
• none will skip mitigation for this operation
• null indicates that no operation level mitigation is in place, see Zone Level Schema Validation Settings for mitigation action that will be applied

One of the following:

"log"

"block"

"none"

SchemaValidationGetResponse object { mitigation_action, operation_id }

mitigation_action: optional "log" or "block" or "none"

When set, this applies a mitigation action to this operation

• log log request when request does not conform to schema for this operation
• block deny access to the site when request does not conform to schema for this operation
• none will skip mitigation for this operation
• null indicates that no operation level mitigation is in place, see Zone Level Schema Validation Settings for mitigation action that will be applied

One of the following:

"log"

"block"

"none"

operation_id: optional string

UUID.

maxLength36

minLength36

SchemaValidationUpdateResponse object { mitigation_action, operation_id }

mitigation_action: optional "log" or "block" or "none"

When set, this applies a mitigation action to this operation

• log log request when request does not conform to schema for this operation
• block deny access to the site when request does not conform to schema for this operation
• none will skip mitigation for this operation
• null indicates that no operation level mitigation is in place, see Zone Level Schema Validation Settings for mitigation action that will be applied

One of the following:

"log"

"block"

"none"

operation_id: optional string

UUID.

maxLength36

minLength36

API GatewaySchemas

Retrieve operations and features as OpenAPI schemas

GET/zones/{zone_id}/api_gateway/schemas

ModelsExpand Collapse

SchemaListResponse object { schemas, timestamp }

schemas: optional array of unknown

timestamp: optional string

API GatewaySettings

ModelsExpand Collapse

Settings object { validation_default_mitigation_action, validation_override_mitigation_action }

validation_default_mitigation_action: optional "none" or "log" or "block"

The default mitigation action used when there is no mitigation action defined on the operation

Mitigation actions are as follows:

• log - log request when request does not conform to schema
• block - deny access to the site when request does not conform to schema

A special value of of none will skip running schema validation entirely for the request when there is no mitigation action defined on the operation

One of the following:

"none"

"log"

"block"

validation_override_mitigation_action: optional "none"

When set, this overrides both zone level and operation level mitigation actions.

• none will skip running schema validation entirely for the request
• null indicates that no override is in place

API GatewaySettingsSchema Validation

Retrieve zone level schema validation settings

Deprecated

GET/zones/{zone_id}/api_gateway/settings/schema_validation

Update zone level schema validation settings

Deprecated

PUT/zones/{zone_id}/api_gateway/settings/schema_validation

Update zone level schema validation settings

Deprecated

PATCH/zones/{zone_id}/api_gateway/settings/schema_validation

API GatewayUser Schemas

Retrieve information about all schemas on a zone

Deprecated

GET/zones/{zone_id}/api_gateway/user_schemas

Retrieve information about a specific schema on a zone

Deprecated

GET/zones/{zone_id}/api_gateway/user_schemas/{schema_id}

Upload a schema to a zone

Deprecated

POST/zones/{zone_id}/api_gateway/user_schemas

Enable validation for a schema

Deprecated

PATCH/zones/{zone_id}/api_gateway/user_schemas/{schema_id}

Delete a schema

Deprecated

DELETE/zones/{zone_id}/api_gateway/user_schemas/{schema_id}

ModelsExpand Collapse

Message = array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

OldPublicSchema object { created_at, kind, name, 3 more }

created_at: string

formatdate-time

kind: "openapi_v3"

Kind of schema

name: string

Name of the schema

schema_id: string

UUID.

maxLength36

minLength36

source: optional string

Source of the schema

validation_enabled: optional boolean

Flag whether schema is enabled for validation.

UserSchemaCreateResponse object { schema, upload_details }

schema: OldPublicSchema { created_at, kind, name, 3 more }

upload_details: optional object { warnings }

warnings: optional array of object { code, locations, message }

Diagnostic warning events that occurred during processing. These events are non-critical errors found within the schema.

code: number

Code that identifies the event that occurred.

locations: optional array of string

JSONPath location(s) in the schema where these events were encountered. See https://goessner.net/articles/JsonPath/ for JSONPath specification.

message: optional string

Diagnostic message that describes the event.

UserSchemaDeleteResponse object { errors, messages, success }

errors: Message { code, message, documentation_url, source }

messages: Message { code, message, documentation_url, source }

success: true

Whether the API call was successful.

API GatewayUser SchemasOperations

Retrieve all operations from a schema.

Deprecated

GET/zones/{zone_id}/api_gateway/user_schemas/{schema_id}/operations

ModelsExpand Collapse

OperationListResponse = object { endpoint, host, last_updated, 3 more } or object { endpoint, host, method }

One of the following:

APIShieldOperation object { endpoint, host, last_updated, 3 more }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

last_updated: string

formatdate-time

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

operation_id: string

UUID.

maxLength36

minLength36

features: optional object { thresholds } or object { parameter_schemas } or object { api_routing } or 2 more

One of the following:

APIShieldOperationFeatureThresholds object { thresholds }

thresholds: optional object { auth_id_tokens, data_points, last_updated, 6 more }

auth_id_tokens: optional number

The total number of auth-ids seen across this calculation.

data_points: optional number

The number of data points used for the threshold suggestion calculation.

last_updated: optional string

formatdate-time

p50: optional number

The p50 quantile of requests (in period_seconds).

p90: optional number

The p90 quantile of requests (in period_seconds).

p99: optional number

The p99 quantile of requests (in period_seconds).

period_seconds: optional number

The period over which this threshold is suggested.

requests: optional number

The estimated number of requests covered by these calculations.

suggested_threshold: optional number

The suggested threshold in requests done by the same auth_id or period_seconds.

APIShieldOperationFeatureParameterSchemas object { parameter_schemas }

parameter_schemas: object { last_updated, parameter_schemas }

last_updated: optional string

formatdate-time

parameter_schemas: optional object { parameters, responses }

An operation schema object containing a response.

parameters: optional array of unknown

An array containing the learned parameter schemas.

responses: optional unknown

An empty response object. This field is required to yield a valid operation schema.

APIShieldOperationFeatureAPIRouting object { api_routing }

api_routing: optional object { last_updated, route }

API Routing settings on endpoint.

last_updated: optional string

formatdate-time

route: optional string

Target route.

APIShieldOperationFeatureConfidenceIntervals object { confidence_intervals }

confidence_intervals: optional object { last_updated, suggested_threshold }

last_updated: optional string

formatdate-time

suggested_threshold: optional object { confidence_intervals, mean }

confidence_intervals: optional object { p90, p95, p99 }

p90: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p95: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

p99: optional object { lower, upper }

Upper and lower bound for percentile estimate

lower: optional number

Lower bound for percentile estimate

upper: optional number

Upper bound for percentile estimate

mean: optional number

Suggested threshold.

APIShieldOperationFeatureSchemaInfo object { schema_info }

schema_info: optional object { active_schema, learned_available, mitigation_action }

active_schema: optional object { id, created_at, is_learned, name }

Schema active on endpoint.

id: optional string

UUID.

maxLength36

minLength36

created_at: optional string

formatdate-time

is_learned: optional boolean

True if schema is Cloudflare-provided.

name: optional string

Schema file name.

learned_available: optional boolean

True if a Cloudflare-provided learned schema is available for this endpoint.

mitigation_action: optional "none" or "log" or "block"

Action taken on requests failing validation.

One of the following:

"none"

"log"

"block"

APIShieldBasicOperation object { endpoint, host, method }

endpoint: string

The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with {varN}, starting with {var1}, during insertion. This will further be Cloudflare-normalized upon insertion. See: https://developers.cloudflare.com/rules/normalization/how-it-works/.

formaturi-template

maxLength4096

host: string

RFC3986-compliant host.

formathostname

maxLength255

method: "GET" or "POST" or "HEAD" or 6 more

The HTTP method used to access the endpoint.

One of the following:

"GET"

"POST"

"HEAD"

"OPTIONS"

"PUT"

"DELETE"

"CONNECT"

"PATCH"

"TRACE"

API GatewayUser SchemasHosts

Retrieve schema hosts in a zone

Deprecated

GET/zones/{zone_id}/api_gateway/user_schemas/hosts

ModelsExpand Collapse

HostListResponse object { created_at, hosts, name, schema_id }

created_at: string

formatdate-time

hosts: array of string

Hosts serving the schema, e.g zone.host.com

name: string

Name of the schema

schema_id: string

UUID.

maxLength36

minLength36

API GatewayExpression Template

API GatewayExpression TemplateFallthrough

Generate fallthrough WAF expression template from a set of API hosts

POST/zones/{zone_id}/api_gateway/expression-template/fallthrough

ModelsExpand Collapse

FallthroughCreateResponse object { expression, title }

expression: string

WAF Expression for fallthrough

title: string

Title for the expression