Source from repo

Cloudflare Platform Skill

Comprehensive Cloudflare platform skill covering Workers, D1, R2, KV, AI, Durable Objects, and security.

cloudflareGitHub cloudflareSource repo Original GitHub link Publisher page

Files

321

Skill

n/a

Size

1.4 MB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/api-shield/api.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown142 linesFree

references/api-shield/api.md

1# API Reference
2 
3Base: `/zones/{zone_id}/api_gateway`
4 
5## Endpoints
6 
7```bash
8GET /operations                    # List
9GET /operations/{op_id}            # Get single
10POST /operations/item              # Create: {endpoint,host,method}
11POST /operations                   # Bulk: {operations:[{endpoint,host,method}]}
12DELETE /operations/{op_id}         # Delete
13DELETE /operations                 # Bulk delete: {operation_ids:[...]}
14```
15 
16## Discovery
17 
18```bash
19GET /discovery/operations                    # List discovered
20PATCH /discovery/operations/{op_id}          # Update: {state:"saved"|"ignored"}
21PATCH /discovery/operations                  # Bulk: {operation_ids:{id:{state}}}
22GET /discovery                               # OpenAPI export
23```
24 
25## Config
26 
27```bash
28GET /configuration        # Get session ID config
29PUT /configuration        # Update: {auth_id_characteristics:[{name,type:"header"|"cookie"}]}
30```
31 
32## Token Validation
33 
34```bash
35GET /token_validation                  # List
36POST /token_validation                 # Create: {name,location:{header:"..."},jwks:"..."}
37POST /jwt_validation_rules             # Rule: {name,hostname,token_validation_id,action:"block"}
38```
39 
40## Workers Integration
41 
42### Access JWT Claims
43```js
44export default {
45  async fetch(req, env) {
46    // Access validated JWT payload
47    const jwt = req.cf?.jwt?.payload?.[env.JWT_CONFIG_ID]?.[0];
48    if (jwt) {
49      const userId = jwt.sub;
50      const role = jwt.role;
51    }
52  }
53}
54```
55 
56### Access mTLS Info
57```js
58export default {
59  async fetch(req, env) {
60    const tls = req.cf?.tlsClientAuth;
61    if (tls?.certVerified === 'SUCCESS') {
62      const fingerprint = tls.certFingerprintSHA256;
63      // Authenticated client
64    }
65  }
66}
67```
68 
69### Dynamic JWKS Update
70```js
71export default {
72  async scheduled(event, env) {
73    const jwks = await (await fetch('https://auth.example.com/.well-known/jwks.json')).json();
74    await fetch(`https://api.cloudflare.com/client/v4/zones/${env.ZONE_ID}/api_gateway/token_validation/${env.CONFIG_ID}`, {
75      method: 'PATCH',
76      headers: {'Authorization': `Bearer ${env.CF_API_TOKEN}`, 'Content-Type': 'application/json'},
77      body: JSON.stringify({jwks: JSON.stringify(jwks)})
78    });
79  }
80}
81```
82 
83## Firewall Fields
84 
85### Core Fields
86```js
87cf.api_gateway.auth_id_present           // Session ID present
88cf.api_gateway.request_violates_schema   // Schema violation
89cf.api_gateway.fallthrough_triggered     // No endpoint match
90cf.tls_client_auth.cert_verified         // mTLS cert valid
91cf.tls_client_auth.cert_fingerprint_sha256
92```
93 
94### JWT Validation (2026)
95```js
96// Modern validation syntax
97is_jwt_valid(http.request.jwt.payload["{config_id}"][0])
98 
99// Legacy (still supported)
100cf.api_gateway.jwt_claims_valid
101 
102// Extract claims
103lookup_json_string(http.request.jwt.payload["{config_id}"][0], "claim_name")
104```
105 
106### Risk Labels (2026)
107```js
108// BOLA detection
109cf.api_gateway.cf-risk-bola-enumeration  // Sequential resource access detected
110cf.api_gateway.cf-risk-bola-pollution    // Parameter pollution detected
111 
112// Authentication posture
113cf.api_gateway.cf-risk-missing-auth      // Endpoint lacks authentication
114cf.api_gateway.cf-risk-mixed-auth        // Inconsistent auth patterns
115```
116 
117## BOLA Detection
118 
119```bash
120GET /user_schemas/{schema_id}/bola             # Get BOLA config
121PATCH /user_schemas/{schema_id}/bola           # Update: {enabled:true}
122```
123 
124## Auth Posture
125 
126```bash
127GET /discovery/authentication_posture          # List unprotected endpoints
128```
129 
130## GraphQL Protection
131 
132```bash
133GET /settings/graphql_protection               # Get limits
134PUT /settings/graphql_protection               # Set: {max_depth,max_size}
135```
136 
137## See Also
138 
139- [configuration.md](configuration.md) - Setup guides for all features
140- [patterns.md](patterns.md) - Firewall rules and common patterns
141- [API Gateway API Docs](https://developers.cloudflare.com/api/resources/api_gateway/)
142

Preparing the source view

Cloudflare Platform Skill

references/api-shield/api.md