How do you secure something you don't even have an inventory of?
APIs are the backbone of every modern app and a primary attack surface — but most security teams can't list every endpoint their organization exposes. Shadow APIs (forgotten v1 routes, internal endpoints accidentally on the public network, partner integrations) are routinely exploited because no one was monitoring them. And when APIs *are* known, traditional WAFs struggle: they're built for HTML form input, not for structured JSON, OpenAPI schemas, sequenced calls, or token-based auth flows.
How it fits together
Diagram coming soon
Architecture diagram for this solution will be added here.
How Cloudflare solves it
- API Discovery. Cloudflare passively learns every endpoint your origin exposes by analyzing real traffic. Inventory appears in the dashboard within minutes — including the shadow APIs you forgot about.
- Schema validation. Upload your OpenAPI spec (or let Cloudflare generate one from observed traffic). Requests that don't match the schema — wrong types, extra fields, missing parameters — are blocked at the edge before reaching your origin.
- Sequence Analytics & Sequence Mitigation. Detect business-logic abuse by analyzing the order and frequency of API calls (e.g. 'login → checkout without view-cart' or 'GET /price 1000× without POST /order'). Block patterns that don't match legitimate user flows.
- JWT validation & session abuse detection. Validate JWT signatures, expiration, and claims at the edge. Detect token sharing (same JWT from 30 different IPs), token replay, and impossible travel.
- Volumetric and resource abuse controls. Per-endpoint rate limits with response-size-aware limits (your GraphQL endpoint shouldn't return 10MB to one client every second). Combine with WAF and bot rules for layered defense.
Common questions
Do I need to give Cloudflare my OpenAPI spec to get value?
Will this break my apps that send extra/unexpected fields?
How is this different from just running a WAF on my API?
POST /api/orders must contain a numeric quantity field and must be preceded by a session token from POST /api/login. Pattern-matching WAFs can't catch that.What about GraphQL?
Try it live
Demo coming soon
An interactive demo for API Security is being built. In the meantime, check the "Dive Deeper" section below for the official docs and product blogs.