Cloudflare Docs
API Shield
Visit API Shield on GitHub
Set theme to dark (⇧+D)

API Discovery

Most development teams struggle to keep track of their APIs. Cloudflare API Discovery helps you map out and understand your attack surface area.

​​ Process

Cloudflare produces a simple, trustworthy map of API endpoints through a process of path normalization.

For example, you might have thousands of APIs, but a lot of the calls look similar, such as:

  • api.example.com/login/238
  • api.example.com/login/392

Both paths serve a similar purpose — allowing users to log in to their accounts — but they are not identical. To simplify your endpoints, these examples might both map to api.example.com/login/*.

API Discovery runs this process across all your authenticated endpoints, eventually generating a simple map of endpoints that might look like:

  • login/{customer_identifier}
  • auth
  • account/{customer_identifier}
  • password_reset
  • logout

This process currently requires a session identifier, like an authorization token available as a request header. Once you have finished API Discovery, your APIs are ready for protection from volumetric and sequential attacks.

For more technical details, see our blog post.

​​ API requests

To better understand your API traffic, you can also see API requests in your application dashboard.

This view adds a lightweight filter to application requests so you can better identify API traffic. If you want a more sophisticated understanding of API traffic, check out Bot Tags.

​​ Availability

API Discovery is only available for Enterprise customers. If you are an Enterprise customer and interested in this product, contact your account team.