Merged
Expand Up @@ -3,7 +3,7 @@ title: Audit logs (version 2) - Beta Release
description: New version of audit logs
date: 2025-03-27T11:00:00Z
---
The latest version of audit logs streamlines audit logging by automatically capturing all user and system actions performed through the Cloudflare Dashboard or public APIs. This update leverages Cloudflare’s existing API Gateway to generate audit logs based on OpenAPI schemas, ensuring a more consistent and automated logging process.
The latest version of audit logs streamlines audit logging by automatically capturing all user and system actions performed through the Cloudflare Dashboard or public APIs. This update leverages Cloudflare’s existing API Shield to generate audit logs based on OpenAPI schemas, ensuring a more consistent and automated logging process.

Availability: Audit logs (version 2) is now in Beta, with support limited to **API access**.

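Review bot: the entry under `date: 2025-03-27T11:00:00Z` is a dated changelog record, so swapping "API Gateway" for "API Shield" in it silently rewrites what was published that day; consider keeping a pointer for readers who saw the original, e.g. "leverages Cloudflare’s existing API Shield (formerly API Gateway) to generate audit logs", or leave historical entries untouched and let the product pages carry the new name.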
4 changes: 2 additions & 2 deletions src/content/docs/api-shield/index.mdx
Expand Up @@ -32,8 +32,8 @@ Refer to the [Get started](/api-shield/get-started/) guide to set up API Shield.
Secure your APIs using API Shield's security features.
</Feature>

<Feature header="Management, monitoring, and more" href="/api-shield/api-gateway/">
A package of features that will do everything for your APIs.
<Feature header="Management, monitoring, and more" href="/api-shield/management-and-monitoring/">
Monitor the health of your API endpoints.
</Feature>

## Availability
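Review bot: the card header is still "Management, monitoring, and more", but the new description "Monitor the health of your API endpoints." drops the management half and now reads narrower than both the header and the target page name (`management-and-monitoring`); suggest "Manage your API endpoints and monitor their health." Since `/api-shield/api-gateway/` is no longer linked from the index, also confirm that a redirect for the old path exists (or that the page is still published) so external bookmarks do not 404.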
8 changes: 4 additions & 4 deletions src/content/docs/api-shield/plans.mdx
Expand Up @@ -7,9 +7,9 @@ sidebar:

---

Free, Pro, Business, and Enterprise customers without an API Gateway subscription can access [Endpoint Management](/api-shield/management-and-monitoring/) and [Schema validation](/api-shield/security/schema-validation/), but no other [API Gateway](/api-shield/api-gateway/) features.
Free, Pro, Business, and Enterprise customers without an API Shield subscription can access [Endpoint Management](/api-shield/management-and-monitoring/) and [Schema validation](/api-shield/security/schema-validation/), but no other [API Shield](/api-shield/) features.

To subscribe to API Gateway, upgrade to an Enterprise plan and contact your account team.
To subscribe to API Shield, upgrade to an Enterprise plan and contact your account team.

Limits to endpoints apply to Endpoint Management and Schema validation. Refer to the table below for limits based on your zone plan.

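Review bot: the rewritten first sentence, "customers without an API Shield subscription can access [Endpoint Management] and [Schema validation], but no other [API Shield] features", now says that customers without API Shield get some API Shield features, which is circular once "API Shield" names both the product family and the subscription; consider phrasing it by plan instead, e.g. "Endpoint Management and Schema validation are available on all plans; all other API Shield features require an API Shield subscription, available on Enterprise plans." The `[API Shield](/api-shield/)` link now points at the product index rather than a feature list, which is fine only if the index enumerates the paid features.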
Expand All @@ -18,5 +18,5 @@ Limits to endpoints apply to Endpoint Management and Schema validation. Refer to
| **Free** | 100 | 5 | 200 kB | `Block` only |
| **Pro** | 250 | 5 | 500 kB | `Block` only |
| **Business** | 500 | 10 | 2 MB | `Block` only |
| **Enterprise without API Gateway** | 500 | 5 | 5 MB | `Log` or `Block` |
| **Enterprise with API Gateway** | 10,000 | 10+ | 10+ MB | `Log` or `Block` |
| **Enterprise without API Shield** | 500 | 5 | 5 MB | `Log` or `Block` |
| **Enterprise with API Shield** | 10,000 | 10+ | 10+ MB | `Log` or `Block` |
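Review bot: the two renamed rows are consistent with the prose above, but the table header row sits outside this hunk (note the "Expand All" fold) and may still describe the subscription column in terms of API Gateway; expand and check it before merging so the table does not mix the two names.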
Expand Up @@ -185,9 +185,9 @@ Schema validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis

Currently, API Shield does not support some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items.

There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Gateway](/api-shield/api-gateway/). To raise this limit, contact your account team.
There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Shield](/api-shield/). To raise this limit, contact your account team.

For limits on Free, Pro, Business, or Enterprise customers not subscribed to API Gateway, refer to [Plans](/api-shield/plans/).
For limits on Free, Pro, Business, or Enterprise customers not subscribed to API Shield, refer to [Plans](/api-shield/plans/).

### Required fields

Expand Up @@ -25,7 +25,7 @@ The table below shows a non-exhaustive list of GraphQL Analytics API fields that
| Zaraz | | US and EU <br/>`zarazActionsAdaptiveGroups` <br/> `zarazTrackAdaptiveGroups` <br/> `zarazTriggersAdaptiveGroups` | |
| Application Security | Advanced Certificate Manager | US and EU <br/> Only the fields `clientSSLProtocol` and `ja3Hash` part of `httpRequestsAdaptive` and `httpRequestsAdaptiveGroups` | |
| Advanced DDoS Protection | | US and EU <br/> [`dosdAttackAnalyticsGroups`](/analytics/graphql-api/migration-guides/network-analytics-v2/node-reference/) <br/> [`dosdNetworkAnalyticsAdaptiveGroups`](/analytics/graphql-api/migration-guides/network-analytics-v2/node-reference/) <br/> [`flowtrackdNetworkAnalyticsAdaptiveGroups`](/analytics/graphql-api/migration-guides/network-analytics-v2/node-reference/) <br/> `advancedTcpProtectionNetworkAnalyticsAdaptiveGroups` <br/> `advancedDnsProtectionNetworkAnalyticsAdaptiveGroups` |
| API Shield / API Gateway | | US and EU <br/> [`apiGatewayGraphqlQueryAnalyticsGroups`](/api-shield/security/graphql-protection/configure/#gather-graphql-statistics) <br/> `apiGatewayMatchedSessionIDsAdaptiveGroups` <br/> US only <br/> `apiRequestSequencesGroups` |
| API Shield | | US and EU <br/> [`apiGatewayGraphqlQueryAnalyticsGroups`](/api-shield/security/graphql-protection/configure/#gather-graphql-statistics) <br/> `apiGatewayMatchedSessionIDsAdaptiveGroups` <br/> US only <br/> `apiRequestSequencesGroups` |
| Bot Management | | US and EU <br/>`httpRequestsAdaptive` <br/> [`httpRequestsAdaptiveGroups`](/analytics/graphql-api/migration-guides/graphql-api-analytics/) <br/> [`firewallEventsAdaptive`](/analytics/graphql-api/tutorials/querying-firewall-events/) <br/> [`firewallEventsAdaptiveGroups`](https://blog.cloudflare.com/how-we-used-our-new-graphql-api-to-build-firewall-analytics/) | |
| DNS Firewall | Same as DNS |
| DMARC Management | | US and EU <br/> `dmarcReportsAdaptive` <br/> `dmarcReportsSourcesAdaptiveGroups` | |
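Review bot: the row label changes to "API Shield" but the dataset names it lists, `apiGatewayGraphqlQueryAnalyticsGroups` and `apiGatewayMatchedSessionIDsAdaptiveGroups`, keep their `apiGateway` prefix, which is correct (GraphQL node names are API identifiers and must not be renamed in docs), yet a reader who searches this page for "API Gateway" to locate those nodes now gets no hit; suggest keeping the old name as a search aid, e.g. "API Shield (datasets keep the legacy `apiGateway` prefix)". Separately, this row and the "Advanced DDoS Protection" row above it end after the third cell while the other rows carry a fourth, empty cell (`| |`); add the trailing cell so the table renders with a consistent column count.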
Expand Up @@ -43,7 +43,7 @@ Cloud-based security and performance providers like Cloudflare work as a reverse

Normal traffic flow without a reverse proxy would involve a client sending a DNS lookup request, receiving the origin IP address, and communicating directly to the origin server(s). This is visualized in Figure 1.

When a reverse proxy is introduced, the client still sends a DNS lookup request to its resolver, which is the first stop in the DNS lookup. In this case, the DNS resolver returns a vendor’s reverse proxy IP address to the client and the client then makes a request to the vendor’s reverse proxy. The cloud-based proxy solution can now provide additional security, performance, and reliability services like [CDN](https://www.cloudflare.com/cdn/), [WAF](https://www.cloudflare.com/waf/), [DDoS](https://www.cloudflare.com/ddos/), [API Gateway](https://www.cloudflare.com/products/api-gateway/), [Bot Management](https://www.cloudflare.com/products/bot-management/) capabilities, etc, before deciding, based on security policy, whether to route the client request to the respective origin server(s). This is visualized in Figure 2.
When a reverse proxy is introduced, the client still sends a DNS lookup request to its resolver, which is the first stop in the DNS lookup. In this case, the DNS resolver returns a vendor’s reverse proxy IP address to the client and the client then makes a request to the vendor’s reverse proxy. The cloud-based proxy solution can now provide additional security, performance, and reliability services like [CDN](https://www.cloudflare.com/cdn/), [WAF](https://www.cloudflare.com/waf/), [DDoS](https://www.cloudflare.com/ddos/), [API Shield](https://www.cloudflare.com/products/api-shield/), [Bot Management](https://www.cloudflare.com/products/bot-management/) capabilities, etc, before deciding, based on security policy, whether to route the client request to the respective origin server(s). This is visualized in Figure 2.

![Figure 2: Client request routed through reverse proxy for additional security and performance services](~/assets/images/reference-architecture/multi-vendor-architecture-images/Figure_2.png "Figure 2")

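Review bot: `https://www.cloudflare.com/products/api-shield/` is an external marketing URL rather than a docs path, so the site's internal link checker will not necessarily validate it; confirm it resolves (or redirects) before merging, especially since the sibling links in the same sentence follow different patterns (`/cdn/`, `/waf/`, `/ddos/` versus `/products/bot-management/`). While touching this line, "capabilities, etc, before deciding" should read "capabilities, etc., before deciding".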
Expand Up @@ -137,7 +137,7 @@ The reason the Cloudflare network exists is to provide services to customers to
2. [Web Application Firewall (WAF)](#web-application-firewall-waf)
3. [Rate limiting](#rate-limiting)
4. [L7 DDoS](#l7-ddos)
5. [API Gateway](#api-gateway)
5. [API Shield](#api-shield)
6. [Bot Management](#bot-management)
7. [Page Shield](#page-shield)
8. [SSL/TLS](#ssltls)
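Review bot: the anchor change from `#api-gateway` to `#api-shield` depends on the heading later in this file being renamed to `##### API Shield` (it is, further down in this diff); grep the file and the other reference-architecture pages for any remaining `#api-gateway` references, since a stale anchor fails silently by scrolling to the top of the page rather than producing a broken-link error.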
Expand Down Expand Up @@ -194,7 +194,7 @@ Cloudflare security products that can be used for L3 and L4 security include Clo

- Layer 7, referred to as the “application layer,” is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. HTTP and API requests/responses are layer 7 events.

Cloudflare has a suite of application security products that includes [Web Application Firewall](/waf/) (WAF), [Rate Limiting](/waf/rate-limiting-rules/), [L7 DDoS](/ddos-protection/managed-rulesets/http/), [API Gateway](/api-shield/api-gateway/), [Bot Management](/bots/), and [Page Shield](/page-shield/).
Cloudflare has a suite of application security products that includes [Web Application Firewall](/waf/) (WAF), [Rate Limiting](/waf/rate-limiting-rules/), [L7 DDoS](/ddos-protection/managed-rulesets/http/), [API Shield](/api-shield/), [Bot Management](/bots/), and [Page Shield](/page-shield/).

Note that SaaS applications could be considered both public and private. For example, Salesforce has direct Internet-facing access but contains very private information and is usually only accessible by employee accounts that are provisioned by IT. For the purpose of this document, we will consider SaaS applications as private resources.

Expand Down Expand Up @@ -256,7 +256,7 @@ Products: [WAF - Cloudflare Managed Rules](/waf/managed-rules/)

Unauthorized access can result from broken authentication or broken access control due to vulnerabilities in authentication, weak passwords, or easily bypassed authorization. Cloudflare mTLS (mutual TLS) and JWT (JSON Web Tokens) validation can be used to bolster authentication. Clients or API requests that don’t have a valid certificate or JWT can be denied access via security policy. Customers can create and manage mTLS certificates from the Cloudflare dashboard or an API. Cloudflare’s WAF and [Exposed Credentials Check](/waf/managed-rules/check-for-exposed-credentials/) managed ruleset can be used to detect compromised credentials being used in authentication requests. WAF policies can also be used to restrict access to applications/paths based on different request criteria.

Products: [SSL/TLS - mTLS](/ssl/client-certificates/enable-mtls/), [API Gateway (JWT Validation)](/api-shield/security/jwt-validation/), [WAF](/waf/)
Products: [SSL/TLS - mTLS](/ssl/client-certificates/enable-mtls/), [API Shield (JWT Validation)](/api-shield/security/jwt-validation/), [WAF](/waf/)

##### Client-side attacks

Expand All @@ -279,7 +279,7 @@ Products: [Page Shield](/page-shield/)

##### Data exfiltration

Data exfiltration is the process of acquiring sensitive data through malicious tactics or through misconfigured services. Cloudflare Sensitive Data Detection addresses common data loss threats. Within the WAF, these rules monitor the download of specific sensitive data — for example, financial and personally identifiable information. Specific patterns of sensitive data are matched upon and logged. Sensitive data detection is also integrated with API Gateway so customers are alerted on any API responses returning sensitive data matches.
Data exfiltration is the process of acquiring sensitive data through malicious tactics or through misconfigured services. Cloudflare Sensitive Data Detection addresses common data loss threats. Within the WAF, these rules monitor the download of specific sensitive data — for example, financial and personally identifiable information. Specific patterns of sensitive data are matched upon and logged. Sensitive data detection is also integrated with API Shield so customers are alerted on any API responses returning sensitive data matches.

Products: [WAF - Sensitive Data Detection](/waf/managed-rules/)

Expand Down Expand Up @@ -315,9 +315,9 @@ Products: [Bot management](/bots/), [WAF](/waf/)

[Fuzzing](https://owasp.org/www-community/Fuzzing) is an automated testing method used by malicious actors that uses various combinations of data and patterns to inject invalid, malformed, or unexpected inputs into a system. The malicious user hopes to find defects and vulnerabilities that can then be exploited. Cloudflare WAF leverages machine learning to detect fuzzing based attempts to bypass security policies. The WAF attack score complements managed rules and highlights the likeliness of an attack.

Bot Management can detect potentially malicious bots by automating vulnerability scanning. With API Gateway, customers can employ schema validation and sequence mitigation to prevent the automated scanning and fuzzing techniques with APIs.
Bot Management can detect potentially malicious bots by automating vulnerability scanning. With API Shield, customers can employ schema validation and sequence mitigation to prevent the automated scanning and fuzzing techniques with APIs.

Products: [WAF](/waf/), [Bot Management](/bots/), [API Gateway](/api-shield/api-gateway/)
Products: [WAF](/waf/), [Bot Management](/bots/), [API Shield](/api-shield/)

##### Cross-Site Scripting (XSS) attacks

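Review bot: in the changed line, "Bot Management can detect potentially malicious bots by automating vulnerability scanning" reads as though Bot Management performs the scanning; the intent is bots that automate scanning, so suggest "Bot Management can detect potentially malicious bots that automate vulnerability scanning." Likewise "prevent the automated scanning and fuzzing techniques with APIs" is clearer as "protect APIs against automated scanning and fuzzing".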
Expand Down Expand Up @@ -390,17 +390,17 @@ Customers can also configure which request criteria is used as a counter for det

The Cloudflare [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/) managed ruleset is a set of pre-configured rules used to match known DDoS attack vectors at layer 7 (application layer) on the Cloudflare global network. The rules match known attack patterns and tools, suspicious patterns, protocol violations, requests causing large amounts of origin errors, excessive traffic hitting the origin/cache, and additional attack vectors at the application layer. Cloudflare updates the list of rules in the managed ruleset on a regular basis.

##### API Gateway
##### API Shield

[API Gateway](/api-shield/api-gateway/) is Cloudflare’s API management and security product. API Gateway delivers visibility via API discovery and analytics, provides endpoint management, implements a positive security model, and prevents API abuse.
[API Shield](/api-shield/) is Cloudflare’s API management and security product. API Shield delivers visibility via API discovery and analytics, provides endpoint management, implements a positive security model, and prevents API abuse.

![All security detection can be seen from a single dashboard.](~/assets/images/reference-architecture/security/security-ref-arch-10.svg)

API Gateway’s API Discovery is used to learn all API endpoints in a customer’s environment using machine learning. After this step, customers can save endpoints to Endpoint Management so additional API performance and error information can be collected and security policies can be applied.

Customers can enable a positive security model using mTLS, JWT validation, and schema validation and protect against additional API abuse with rate limiting and volumetric abuse protection as well as sequence mitigation and GraphQL protections.

![The API gateway has many stages, discovery, review, using a positive security model, abuse protection, data protection and endpoint management/monitoring.](~/assets/images/reference-architecture/security/security-ref-arch-11.svg "Common user workflow for API Gateway")
![API Shield has many stages, discovery, review, using a positive security model, abuse protection, data protection and endpoint management/monitoring.](~/assets/images/reference-architecture/security/security-ref-arch-11.svg "Common user workflow for API Shield")

##### Bot Management

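Review bot: the rename is incomplete inside this section: the unchanged context line "API Gateway’s API Discovery is used to learn all API endpoints in a customer’s environment using machine learning." still uses the old name two paragraphs below the new `##### API Shield` heading and the renamed lead sentence, so the section now alternates between the two names; change it to "API Shield’s API Discovery". The first image's alt text, "All security detection can be seen from a single dashboard.", is product-neutral and can stay as is.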
Expand Up @@ -188,7 +188,7 @@ We now have secure application access to the origin(s) via Tunnel and also authe

In the current setup, the origin server(s) are securely connected to the Cloudflare network via Cloudflare Tunnel and Cloudflare Access via policies enforcing authentication and other security requirements.

Since Cloudflare is already set up and acting as a reverse proxy for the site, traffic is being directed through Cloudflare, so all Cloudflare services can easily be leveraged including CDN, Security Analytics, WAF, API Gateway, Bot Management, Page Shield for client-side security, etc.
Since Cloudflare is already set up and acting as a reverse proxy for the site, traffic is being directed through Cloudflare, so all Cloudflare services can easily be leveraged including CDN, Security Analytics, WAF, API Shield, Bot Management, Page Shield for client-side security, etc.

When a DNS lookup request is made by a client for the respective website, in this case "cftestsite3.com," Cloudflare returns an anycast IP address, so all traffic is directed to the closest data center where all services will be applied before the request is forwarded over Cloudflare Tunnel to the origin server(s).

Expand Down Expand Up @@ -225,7 +225,7 @@ Customers can use WAF to implement and use custom rules, rate limiting rules, an
- Cloudflare OWASP Core Ruleset: block common web application vulnerabilities, some of which are in OWASP top 10
- Cloudflare Leaked Credential Check: checks exposed credential database for popular content management system (CMS) applications

The same methodology applies for all other Cloudflare Application Performance and Security products (API Gateway, Bot Management, etc.): once configured to route traffic through the Cloudflare network, customers can start leveraging the Cloudflare services. Figure 31 displays Cloudflare’s Bot Analytics which categorizes the traffic based on bot score, shows the bot score distribution, and other bot analytics. All of the request data is captured inline and all enforcement based on defined policies is also done inline.
The same methodology applies for all other Cloudflare Application Performance and Security products (API Shield, Bot Management, etc.): once configured to route traffic through the Cloudflare network, customers can start leveraging the Cloudflare services. Figure 31 displays Cloudflare’s Bot Analytics which categorizes the traffic based on bot score, shows the bot score distribution, and other bot analytics. All of the request data is captured inline and all enforcement based on defined policies is also done inline.

![Cloudflare provides analytics and insights into bot traffic including bot score distribution.](~/assets/images/reference-architecture/secure-application-delivery-design-guide/secure-app-dg-fig-31.png "Figure 31 : Cloudflare Bot Management - Bot Analytics.")
