cloudflare · kodster28 · Aug 18, 2025 · Aug 18, 2025
@@ -1,6 +1,6 @@
 ---
 title: Build Agents on Cloudflare
-type: overview
+
 pcx_content_type: overview
 tags:
   - AI

@@ -1,5 +1,5 @@
 ---
-type: overview
+
 pcx_content_type: reference
 title: Network Analytics v1 to Network Analytics v2
 sidebar:

@@ -1,5 +1,5 @@
 ---
-type: overview
+
 pcx_content_type: reference
 title: NAv1 to NAv2 schema map
 sidebar:

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: concept
-type: overview
+
 title: API Gateway
 sidebar:
   order: 7

@@ -1,7 +1,7 @@
 ---
 title: Cloudflare API Shield
 pcx_content_type: overview
-type: overview
+
 sidebar:
   order: 1
 head:
@@ -12,7 +12,7 @@ head:
 import { Description, Feature, Plan, RelatedProduct, Render } from "~/components"
 
 <Description>
-Identify and address your API vulnerabilities. 
+Identify and address your API vulnerabilities.
 </Description>
 
 <Plan type="ent-add-on" />
@@ -35,7 +35,7 @@ Refer to the [Get started](/api-shield/get-started/) guide to set up API Shield.
 ## Features
 
 <Feature header="Security features" href="/api-shield/security/">
-Secure your APIs using API Shield's security features. 
+Secure your APIs using API Shield's security features.
 </Feature>
 
 <Feature header="Management, monitoring, and more" href="/api-shield/management-and-monitoring/">
@@ -51,5 +51,5 @@ The full API Shield security suite is available as an Enterprise-only paid add-o
 ## Related products
 
 <RelatedProduct header="DDoS Protection" href="/ddos-protection/" product="ddos-protection">
-Cloudflare DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised. 
+Cloudflare DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.
 </RelatedProduct>
@@ -1,6 +1,6 @@
 ---
 pcx_content_type: how-to
-type: overview
+
 title: API Routing
 sidebar:
   order: 4

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: how-to
-type: overview
+
 title: Build developer portals
 sidebar:
   order: 5

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: how-to
-type: overview
+
 title: Endpoint labeling service
 sidebar:
   order: 2

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: concept
-type: overview
+
 title: Endpoint Management
 sidebar:
   order: 1

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: concept
-type: overview
+
 title: Schema learning
 sidebar:
   order: 2

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: how-to
-type: overview
+
 title: Session identifiers
 sidebar:
   order: 3

@@ -1,7 +1,7 @@
 ---
 title: Plans
 pcx_content_type: overview
-type: overview
+
 sidebar:
   order: 3
 
@@ -11,7 +11,7 @@ Free, Pro, Business, and Enterprise customers without an API Shield subscription
 
 To subscribe to API Shield, upgrade to an Enterprise plan and contact your account team.
 
-Limits to endpoints apply to Endpoint Management and Schema validation. Refer to the table below for limits based on your zone plan. 
+Limits to endpoints apply to Endpoint Management and Schema validation. Refer to the table below for limits based on your zone plan.
 
 | Plan type | Saved endpoints | Uploaded schemas | Total uploaded schema size | Rule action |
 | --- | --- | --- | --- | --- |

@@ -1,24 +1,24 @@
 ---
 title: Classic Schema validation (deprecated)
 pcx_content_type: how-to
-type: overview
+
 head:
   - tag: title
     content: Configure Classic Schema validation (deprecated)
 sidebar:
   badge:
     text: Deprecated
   order: 1
-  label: Classic Schema validation 
+  label: Classic Schema validation
 
 ---
 
 import { GlossaryTooltip } from "~/components"
 
 :::caution[Deprecation notice]
-Classic Schema validation has been deprecated. 
+Classic Schema validation has been deprecated.
 
-Upload all new schemas to [Schema validation 2.0](/api-shield/security/schema-validation/). 
+Upload all new schemas to [Schema validation 2.0](/api-shield/security/schema-validation/).
 :::
 
 Use the **API Shield** interface to configure [API Schema validation](/api-shield/security/schema-validation/), which validates requests according to the <GlossaryTooltip term="API schema">API schema</GlossaryTooltip> you provide.
@@ -29,7 +29,7 @@ If you are in the Schema validation 2.0, you can make changes to your settings b
 
 :::note
 
-This feature is only available for customers on an Enterprise plan. Contact your Cloudflare Customer Success Manager to get access. 
+This feature is only available for customers on an Enterprise plan. Contact your Cloudflare Customer Success Manager to get access.
 :::
 
 ## Create an API Shield with Schema validation
@@ -42,7 +42,7 @@ To configure Schema validation in the Cloudflare dashboard:
 4. Enter a descriptive name for your policy and optionally edit the expression to trigger Schema validation. For example, if your API is available at `http://api.example.com/v1`, include a check for the *Hostname* field — equal to `api.example.com` — and a check for the *URI Path* field using a regular expression — matching the regex `^/v1`.
 :::caution[Important]
 
-To validate the hostname, you must include the *Hostname* field explicitly in the rule, even if the hostname value is in the schema file. Any hostname value present in the schema file will be ignored. 
+To validate the hostname, you must include the *Hostname* field explicitly in the rule, even if the hostname value is in the schema file. Any hostname value present in the schema file will be ignored.
 :::
 5. Select **Next**.
 6. Upload your schema file.

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: concept
-type: overview
+
 title: API Discovery
 sidebar:
   order: 1
@@ -59,7 +59,7 @@ API Discovery is an ongoing process. Check back regularly for new API Discovery
 
 :::note
 
-Cloudflare will use your feedback on the ignored endpoints to better train the API Discovery Machine Learning model in a future release. 
+Cloudflare will use your feedback on the ignored endpoints to better train the API Discovery Machine Learning model in a future release.
 :::
 
 ### Machine Learning-based Discovery
@@ -71,14 +71,14 @@ To access Machine Learning-based Discovery:
 <Tabs syncKey="dashNewNav">
   <TabItem label="Old dashboard">
     <Steps>
-      1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. 
-      2. Go to **API Shield** > **Discovery**. 
+      1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+      2. Go to **API Shield** > **Discovery**.
       3. Filter the source results by `Session Identifier` or `Machine Learning` to view results from each Discovery method.
     </Steps>
   </TabItem>
   <TabItem label="New dashboard" icon="rocket">
     <Steps>
-      1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. 
+      1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
       2. Go to **Web assets** > **Discovery**
       3. Filter the source results by `Session Identifier` or `Machine Learning` to view results from each Discovery method.
     </Steps>

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: concept
-type: overview
+
 title: Authentication Posture
 sidebar:
   order: 9
@@ -32,7 +32,7 @@ After configuring [session identifiers](/api-shield/get-started/#session-identif
       4. Select an endpoint to see its authentication posture details on the endpoint details page.
       5. Choose between the 24-hour and 7-day view options, and note any authentication changes over time.
     </Steps>
-  </TabItem> 
+  </TabItem>
   <TabItem label="New dashboard" icon="rocket">
     <Steps>
       1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
@@ -44,7 +44,7 @@ After configuring [session identifiers](/api-shield/get-started/#session-identif
   </TabItem>
 </Tabs>
 
-The main authentication widget displays how many successful requests over the last seven days had session identifiers included with them, and which identifiers were included with the traffic. 
+The main authentication widget displays how many successful requests over the last seven days had session identifiers included with them, and which identifiers were included with the traffic.
 
 The authentication-over-time chart shows a detailed breakdown over time of how clients successfully interacted with your API and which identifiers were used. A large increase in unauthenticated traffic may signal a security incident. Similarly, any successful unauthenticated traffic on an endpoint that is expected to be 100% authenticated can be a cause for concern.
 
@@ -58,6 +58,6 @@ You can use the `cf.api_gateway.auth_id_present` field in [custom rules](/waf/cu
 
 Authentication Posture can only apply when customers accurately set up session identifiers in API Shield. As a reminder, session identifiers are meant to uniquely identify authenticated users of your API. If you are unsure of your API's session identifier, consult with your development team.
 
-## Availability 
+## Availability
 
 Authentication Posture is available for all Enterprise subscriptions with API Shield.
@@ -1,6 +1,6 @@
 ---
 pcx_content_type: concept
-type: overview
+
 title: Broken Object Level Authorization vulnerability detection
 sidebar:
   badge:
@@ -21,14 +21,14 @@ BOLA vulnerabilities are as dangerous as an account takeover. Successfully explo
 
 Cloudflare labels endpoints with BOLA risk when we detect two distinct signals common with attacks exploiting BOLA: **Parameter pollution** and **Enumeration**.
 
-- **Parameter pollution**: Cloudflare detects anomalies where one or more successful requests containing a value in an expected path, query string or header have that value duplicated in an unexpected, similar location. 
+- **Parameter pollution**: Cloudflare detects anomalies where one or more successful requests containing a value in an expected path, query string or header have that value duplicated in an unexpected, similar location.
 
     This behavior may be indicative of attackers trying to confuse the API’s authorization system and bypass security controls.
 
 - **Enumeration**: Cloudflare continually profiles all sessions on a per-endpoint basis and detects anomalous sessions that successfully request many unique data points from an API endpoint against what is normal.
 
 :::note
-Sessions that have more random behavior or repetition have a higher chance of triggering an alert. 
+Sessions that have more random behavior or repetition have a higher chance of triggering an alert.
 
 The BOLA enumeration label requires an endpoint to have seen at least 10,000 sessions before being eligible for outlier detection.
 :::

@@ -1,7 +1,7 @@
 ---
 title: Configure GraphQL malicious query protection via the API
 pcx_content_type: how-to
-type: overview
+
 sidebar:
    order: 2
    label: API

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: navigation
-type: overview
+
 title: Security
 sidebar:
   order: 4

@@ -1,7 +1,7 @@
 ---
 title: Configure JWT validation via the API
 pcx_content_type: how-to
-type: overview
+
 sidebar:
   order: 2
   label: API
@@ -21,7 +21,7 @@ A token configuration defines a JSON Web Key Set (JWKs), which is used to valida
 
 :::note
 
-A zone may have up to four token configurations. 
+A zone may have up to four token configurations.
 :::
 
 Token configurations require the following information:
@@ -179,7 +179,7 @@ To find the operation ID, refer to [Endpoint Management](/api-shield/management-
 
 A request must also match an operation covered by this rule to trigger an action.
 
-Refer to [Apply a rule to operations](#apply-a-rule-to-operations) for more information. 
+Refer to [Apply a rule to operations](#apply-a-rule-to-operations) for more information.
 :::
 
 A token validation rule's expression defines a security policy that a request must meet.
@@ -234,7 +234,7 @@ You can configure which operations JWT validation is enforced on using the `sele
 
 :::note
 
-Selectors will also apply to new operations. New operations that match an existing selector will automatically be covered by that token validation rule. 
+Selectors will also apply to new operations. New operations that match an existing selector will automatically be covered by that token validation rule.
 :::
 
 For example, the following selector will apply a rule to all operations in `v1.example.com` and `v2.example.com`, except for two operations on these hosts:
@@ -522,7 +522,7 @@ The input to updating the keys is the same as when creating a configuration wher
 
 Cloudflare will remove any fields that are unnecessary from each key and will drop keys that we do not support.
 
-It is highly recommended to validate the output of the <GlossaryTooltip term="API call">API call</GlossaryTooltip> to check that the resulting keys appear as intended. 
+It is highly recommended to validate the output of the <GlossaryTooltip term="API call">API call</GlossaryTooltip> to check that the resulting keys appear as intended.
 :::
 
 Use the `PUT` command to update keys.
@@ -624,22 +624,22 @@ Here is an overview of how JWT validation processes incoming requests:
 
 :::note
 
-The absence of matching keys directly marks the JWT as invalid. 
+The absence of matching keys directly marks the JWT as invalid.
 :::
 
 4. We validate the authenticity of the JWT by checking the signature using the selected key.
 5. Should the JWT contain an EXP claim (expiration time), we validate that the JWT is not expired.
 
 :::note
 
-We allow a mismatch of up to 60 seconds to account for clock drifts between the Cloudflare network and the JWT issuer. A token may still be regarded as valid one minute after it was supposed to expire when both clocks are perfectly in sync. 
+We allow a mismatch of up to 60 seconds to account for clock drifts between the Cloudflare network and the JWT issuer. A token may still be regarded as valid one minute after it was supposed to expire when both clocks are perfectly in sync.
 :::
 
 6. Should the JWT contain a NBF claim (not before time), we validate that the JWT is already valid.
 
 :::note
 
-The same accuracy applies as for EXP claims. As such, a token may be already regarded as valid one minute before its NBF claim in case of perfect synchronization between issuer and validator. 
+The same accuracy applies as for EXP claims. As such, a token may be already regarded as valid one minute before its NBF claim in case of perfect synchronization between issuer and validator.
 :::
 
 7. The final validation result and whether a token was present at all is made available to the WAF which applies the policy’s configured action (`log`/`block`).
@@ -1,7 +1,7 @@
 ---
 title: Configure the Worker
 pcx_content_type: how-to
-type: overview
+
 sidebar:
   order: 3
 head:

@@ -1,7 +1,7 @@
 ---
 title: Enhance Transform Rules
 pcx_content_type: how-to
-type: overview
+
 sidebar:
   order: 4
 head:
@@ -37,6 +37,6 @@ As an example, to send the `x-send-jwt-claim-user` request header to the origin,
 7. Set the value to:
     ```txt wrap
     lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")
-    ``` 
+    ```
     `<TOKEN_CONFIGURATION_ID>` is your token configuration ID found in JWT validation and `claim_name` is the JWT claim you want to add to the header.
 </Steps>
@@ -1,7 +1,7 @@
 ---
 title: Configure Schema Validation via the API
 pcx_content_type: how-to
-type: overview
+
 sidebar:
     label: API
 head: