diff --git a/public/__redirects b/public/__redirects
index eaa478979ae4057..1bb0d9f6704e599 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -243,6 +243,7 @@
/api-shield/security/jwt-validation/configure/ /api-shield/security/jwt-validation/api/ 301
/api-shield/security/schema-validation/configure/ /api-shield/security/schema-validation/api/ 301
/api-shield/security/sequence-mitigation/configure/ /api-shield/security/sequence-mitigation/api/ 301
+/api-shield/frequently-asked-questions/ /api-shield/ 301
#autorag
/autorag/usage/recipes/ /ai-search/how-to/ 301
diff --git a/src/content/docs/api-shield/frequently-asked-questions.mdx b/src/content/docs/api-shield/frequently-asked-questions.mdx
deleted file mode 100644
index 5fe9e9f0cb39855..000000000000000
--- a/src/content/docs/api-shield/frequently-asked-questions.mdx
+++ /dev/null
@@ -1,72 +0,0 @@
----
-pcx_content_type: faq
-title: FAQ
-structured_data: true
-sidebar:
- order: 8
-
----
-
-## Why are my API endpoints not found by API Discovery?
-
-In most cases, this is due to the system not observing enough valid requests over a continuous period.
-
-API Discovery only looks at requests that satisfy all of the following criteria:
-
-1. Requests must return `2XX` response codes from the edge.
-2. Requests must not come directly from Cloudflare Workers.
-3. At least 500 requests are made to the discovered endpoint within a 10 day period.
-
-Endpoints discovered using session identifiers will be labeled as such in the dashboard. If the endpoints are not discovered through session identifiers, they will be discovered using our machine learning-based [API Discovery](/api-shield/security/api-discovery/).
-
----
-
-## How does Cloudflare calculate the recommended rate limit for my endpoint?
-
-
-Cloudflare uses both the volume and frequency of traffic to guide your recommended rate. We calculate the recommended rate value throughout the day, and the new calculation may equal the existing recommendation due to similar traffic profiles existing on your API. When we recalculate, we look at requests that happened in the last 24 hours.
-
-You can view the `P50`/`95`/`99` of your request count for more details under an endpoint’s expanded view.
-
----
-
-## Will I be able to access an endpoint’s data after I delete it?
-
-No. Cloudflare will stop tracking performance data when you delete an endpoint and its previous data will not be stored. This means that if you save this endpoint again, the metrics will start tracking from the point that you save it.
-
----
-
-### Why do I not receive threshold recommendations for my discovered API endpoints?
-
-Thresholds can only be recommended for endpoints that receive sufficient levels of traffic that meet the following criteria:
-
-- Only requests with the same criteria as API Discovery are considered.
-- If traffic has been erratic or intermittent to this endpoint, the threshold might not show up. Cloudflare needs endpoints to receive sufficient valid traffic in any 24-hour period in the last 7 days or since the initial discovery of the endpoint to make statistically safe threshold suggestions.
-- Cloudflare also requires at least 50 distinct sessions to have accessed the endpoint in any 24-hour period in the last 7 days or since the initial discovery of the endpoint. To detect sessions, you must set up [session identifiers](/api-shield/get-started/#session-identifiers).
-
-If you do not receive threshold recommendations for a discovered endpoint, you will see one of the following error codes:
-
-- `404 response`: Cloudflare has not seen sufficient valid traffic for this zone to generate recommendations.
-- `551 response`: Cloudflare has successfully generated recommendations at some point in the past, but we have not seen sufficient recent valid traffic to provide up-to-date recommendations.
-
----
-
-## Does API Shield work for JDCloud customers?
-
-Not currently.
-
----
-
-## What version of OpenAPI specification do you support?
-
-The importing ([Schema validation](/api-shield/security/schema-validation/)) and exporting ([Schema learning](/api-shield/management-and-monitoring/#endpoint-schema-learning)) of OpenAPI schemas from our product to customers is done using **OpenAPI v3.0**. Any specifications using patched versions (3.0.x) are compatible as well.
-
----
-
-## Why am I not seeing latency metrics?
-
-Latency metrics currently are not supported when a Cloudflare Worker is running on the URL, as the requests are not passed directly to your origin.
-
-Some Cloudflare products such as [Waiting Room](/waiting-room/) are built on top of Workers, so the same limitations apply to applications using these products.
-
-
diff --git a/src/content/docs/api-shield/index.mdx b/src/content/docs/api-shield/index.mdx
index b103de1f8cc1cbc..98a849ee2fe6c1e 100644
--- a/src/content/docs/api-shield/index.mdx
+++ b/src/content/docs/api-shield/index.mdx
@@ -11,7 +11,6 @@ head:
import { Description, Feature, Plan, RelatedProduct, Render } from "~/components"
-
Identify and address your API vulnerabilities.
@@ -49,6 +48,10 @@ Cloudflare API Security products are available to Enterprise customers only, tho
The full API Shield security suite is available as an Enterprise-only paid add-on, but all customers can access [Endpoint Management](/api-shield/management-and-monitoring/) and [Schema validation](/api-shield/security/schema-validation/) functionalities.
+:::note
+API Shield currently does not work for JDCloud customers.
+:::
+
## Related products
diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx
index 7dcddaca4925b49..d3a4ca8e1fb7596 100644
--- a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx
+++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx
@@ -183,6 +183,10 @@ You can delete endpoints one at a time or in bulk.
+:::caution
+When you delete an endpoint from Endpoint Management, Cloudflare immediately stops tracking all associated performance and analytics data. The endpoint's previous historical metrics are permanently removed and cannot be restored. If you later save this endpoint again, metric tracking will resume, starting from the point the endpoint is re-saved.
+:::
+
## Endpoint Analysis
For each saved endpoint, customers can view:
@@ -218,3 +222,14 @@ Once Sensitive Data Detection is enabled for your zone, API Shield queries firew
API Shield displays the types of sensitive data found if you expand the Endpoint Management table row to view further details. Select **Explore Events** to view the matched events in Security Events.
After Sensitive Data Detection is enabled for your zone, you can [browse the Sensitive Data Detection ruleset](https://dash.cloudflare.com/?to=/:account/:zone/security/data/ruleset/e22d83c647c64a3eae91b71b499d988e/rules). The link will not work if Sensitive Data Detection is not enabled.
+
+## Limitations
+
+Certain performance metrics, such as latency, are not supported when a request is handled by a Cloudflare service in a way that prevents it from being passed directly to your origin server.
+
+This limitation is specifically observed when:
+
+- A Cloudflare Worker is running on the URL path.
+- Other products built on top of Workers, such as [Waiting Room](/waiting-room/), are active on the application.
+
+In these scenarios, the system is unable to accurately measure the origin response time, and the metric will not be populated in the dashboard.
\ No newline at end of file
diff --git a/src/content/docs/api-shield/security/api-discovery.mdx b/src/content/docs/api-shield/security/api-discovery.mdx
index a907b4584a0fea5..c3ff29bc11353bc 100644
--- a/src/content/docs/api-shield/security/api-discovery.mdx
+++ b/src/content/docs/api-shield/security/api-discovery.mdx
@@ -91,6 +91,18 @@ If all of your zone’s API traffic contains the endpoint abuse based on common user traffic.
+Cloudflare looks for endpoint abuse based on user traffic to individual endpoints.
For example, your API might see different levels of traffic to a `/reset-password` endpoint than a `/login` endpoint. Additionally, your `/login` endpoint might see higher than average traffic after a successful marketing campaign.
@@ -25,11 +23,9 @@ Volumetric Abuse Detection rate limits are a way to prevent blatant volumetric a
## Process
-Volumetric Abuse Detection analyzes your API’s individual session traffic statistics to recommend per-endpoint, per-session rate limits.
-
-Volumetric Abuse Detection currently requires a session identifier, like an authorization token available as a request header or cookie.
+Volumetric Abuse Detection analyzes your API's individual session traffic statistics to recommend per-endpoint, per-session rate limits.
-After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in the Cloudflare dashboard.
+To access your endpoints:
Old dashboard: **Security** > **API Shield** > **Endpoint Management**
@@ -37,10 +33,24 @@ New dashboard: **Security** > **Web Assets** > **Endpoints**
Recommendations will continue to update if your traffic pattern changes.
-### Observe rate limits
+### Requirements
+
+Volumetric Abuse Detection generates rate limit thresholds only after collecting sufficient, statistically safe traffic data for an endpoint. If recommendations are missing for a discovered endpoint, the traffic likely failed to meet the necessary criteria.
+
+Thresholds are suggested only for endpoints that satisfy all of the following requirements within the last seven days (or since initial discovery):
+
+- The endpoint must receive sufficient valid traffic (traffic that meets the [API Discovery](/api-shield/security/api-discovery/#requirements) criteria). Intermittent or erratic traffic may prevent suggestions.
+- The endpoint must be accessed by at least 50 distinct sessions in any 24-hour period during the last seven days.
+- Session identifiers, such as an authorization token available as a request header or cookie, must be configured to allow Cloudflare to accurately detect individual sessions and perform the required per-session rate analysis.
+
+After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in the Cloudflare dashboard.
+
+### Rate limiting recommendation calculation
Once rate limit recommendations appear in **Endpoints**, select the endpoint row to view more detail about the recommendation. You will see the overall recommended rate limit value, as well as p99, p90, and p50 rate limit values.
+We calculate the recommended rate limit value throughout the day, and the new calculation may equal the existing recommendation due to similar traffic profiles existing on your API. When we recalculate, we look at requests that happened in the last 24 hours.
+
Cloudflare recommends choosing the overall rate limit recommendation, as our analysis includes the variance of the request rate distribution across your API sessions. Choosing a single p-value may cause false positives due to a high number of outliers.
:::note[p-values]