Skip to main content

Manually add endpoints to the API base path

If your domain uses APIs hosted on the same domain and you don't have enabled API Discovery, you can manually add endpoints to the API base path. This will define a communication path for WAAP to expect API requests and protect your endpoints.

Info

This setting doesn't add API endpoints to the allowlist.

When you enter a path, note that:

  • Paths are recursively allowed. For example, api/ allows api/v1/*, api/v2/*, etc.
  • Regex/wildcard input is not accepted. Use api/ instead of api/*.
  • Don't enter the protocol or domain. Use api/ instead of https://example.foobar.com/api/. The domain is automatically added.
  • Paths are not case-sensitive. API/ and api/ are interchangeable.
  • To add multiple APIs, you must create separate entries.

Add endpoints to the base path

  1. In the CDB Technical Web Portal, navigate to WAAP > Domains.

Domains page in the Customer Portal

  1. Choose a domain from the list and click its name to open it. You'll be directed to the Overview page.
  2. In the sidebar, click Settings. On the page that opens, select the API Base Path tab.

API base path settings

  1. Either enable the Set as API Domain checkbox to treat the whole domain as an API or enter a specific API endpoint path into the Host input field.
  2. Click the Add button, and the endpoint will appear in the Endpoint table below.

Remove endpoints from the base path

  1. Find the relevant endpoint and click the three-dot icon next to it.
  2. Select Delete.
  3. Confirm your action by clicking Delete again.

After you configure the API base path, CAPTCHA and JavaScript validation will be disabled for added endpoints.

The DDoS protection, IP reputation, and rate limitation features will continue to protect those endpoints. Custom WAAP rules and firewall rules can also impact content delivery via API and potentially block users.

If a domain uses APIs hosted on the same domain and API Discovery is not enabled, manually configure the API base path via the Domains settings endpoints to tell WAAP which paths to treat as API traffic. WAAP then disables CAPTCHA and JavaScript validation for those paths while keeping DDoS, IP reputation, and rate limiting active. Response examples include only the fields used in each step.

Info

This setting doesn't add API paths to the allowlist.

When configuring API paths, note that:

  • Paths are recursively allowed. For example, api/ covers api/v1/*, api/v2/*, etc.
  • Regex/wildcard input is not accepted. Use api/ instead of api/*.
  • Don't include the protocol or domain. Use api/ instead of https://example.foobar.com/api/.
  • API paths are not case-sensitive. API/ and api/ are interchangeable.

Warning

The api_urls field replaces the entire list on every update. Sending {"api_urls": ["api/v3/"]} will erase all previously configured paths, leaving only api/v3/. Always retrieve the current list first and include all existing paths in the update.

Info

To make API calls, an API token is required. To get the domain ID, use List domains.

export GCORE_API_KEY=your_api_key
export DOMAIN_ID=your_domain_id

View current configuration

Returns the current API base path settings, including the is_api flag and the configured api_urls list.

import os
from gcore import CDB
from dotenv import load_dotenv

load_dotenv()
client = CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["DOMAIN_ID"])

settings = client.waap.domains.settings.get(domain_id)
print("is_api:", settings.api.is_api)
print("api_urls:", settings.api.api_urls)
package main

import (
    "context"
    "fmt"
    "os"
    "strconv"

    "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/option"
)

func main() {
    client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
    domainID, _ := strconv.ParseInt(os.Getenv("DOMAIN_ID"), 10, 64)

    settings, err := client.Waap.Domains.Settings.Get(context.TODO(), domainID)
    if err != nil {
        panic(err.Error())
    }
    fmt.Println("is_api:", settings.API.IsAPI)
    fmt.Println("api_urls:", settings.API.APIURLs)
}
curl -X GET "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${DOMAIN_ID}/settings" \
  -H "Authorization: APIKey ${GCORE_API_KEY}"

Configure API paths

Add or remove API paths by sending the complete updated list. Always read the current list first, then modify it and send the result. Both operations use the same PATCH /docs/waap/v1/domains/{id}/settings call. Returns HTTP 204 with no response body.

import os
from gcore import CDB
from dotenv import load_dotenv

load_dotenv()
client = CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["DOMAIN_ID"])

settings = client.waap.domains.settings.get(domain_id)
current = settings.api.api_urls or []

# Add a path
client.waap.domains.settings.update(
    domain_id,
    api={"api_urls": current + ["api/v3/"]},
)

# Remove a path
# client.waap.domains.settings.update(
#     domain_id,
#     api={"api_urls": [u for u in current if u != "api/v2/"]},
# )
package main

import (
    "context"
    "fmt"
    "os"
    "strconv"

    "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/option"
    "github.com/G-Core/gcore-go/waap"
)

func main() {
    client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
    domainID, _ := strconv.ParseInt(os.Getenv("DOMAIN_ID"), 10, 64)

    settings, err := client.Waap.Domains.Settings.Get(context.TODO(), domainID)
    if err != nil {
        panic(err.Error())
    }

    // Add a path
    err = client.Waap.Domains.Settings.Update(context.TODO(), domainID, waap.DomainSettingUpdateParams{
        API: waap.DomainSettingUpdateParamsAPI{
            APIURLs: append(settings.API.APIURLs, "api/v3/"),
        },
    })
    if err != nil {
        panic(err.Error())
    }
    fmt.Println("Updated.")

    // Remove a path: filter the list and send the result
    // pathToRemove := "api/v2/"
    // var updated []string
    // for _, u := range settings.API.APIURLs {
    //     if u != pathToRemove {
    //         updated = append(updated, u)
    //     }
    // }
    // client.Waap.Domains.Settings.Update(ctx, domainID, waap.DomainSettingUpdateParams{
    //     API: waap.DomainSettingUpdateParamsAPI{APIURLs: updated},
    // })
}
# Retrieve current paths first, then send the full updated list.
# This example adds api/v3/ to an existing [api/v1/, api/v2/] list.
curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${DOMAIN_ID}/settings" \
  -H "Authorization: APIKey ${GCORE_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"api": {"api_urls": ["api/v1/", "api/v2/", "api/v3/"]}}'

# To remove api/v2/, send the list without it:
# -d '{"api": {"api_urls": ["api/v1/", "api/v3/"]}}'

Set domain as API

When is_api is enabled, WAAP treats all domain traffic as API requests and disables browser challenges globally — individual api_urls entries are ignored but remain stored and take effect again when is_api is set back to false. Returns HTTP 204 with no response body.

import os
from gcore import CDB
from dotenv import load_dotenv

load_dotenv()
client = CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["DOMAIN_ID"])

client.waap.domains.settings.update(
    domain_id,
    api={"is_api": True},
)
package main

import (
    "context"
    "fmt"
    "os"
    "strconv"

    "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/option"
    "github.com/G-Core/gcore-go/waap"
)

func main() {
    client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
    domainID, _ := strconv.ParseInt(os.Getenv("DOMAIN_ID"), 10, 64)

    err := client.Waap.Domains.Settings.Update(context.TODO(), domainID, waap.DomainSettingUpdateParams{
        API: waap.DomainSettingUpdateParamsAPI{
            IsAPI: gcore.Bool(true),
        },
    })
    if err != nil {
        panic(err.Error())
    }
    fmt.Println("Updated.")
}
curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${DOMAIN_ID}/settings" \
  -H "Authorization: APIKey ${GCORE_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"api": {"is_api": true}}'