cloudflare · patriciasantaana · Oct 8, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
@@ -243,6 +243,7 @@
 /api-shield/security/jwt-validation/configure/ /api-shield/security/jwt-validation/api/ 301
 /api-shield/security/schema-validation/configure/ /api-shield/security/schema-validation/api/ 301
 /api-shield/security/sequence-mitigation/configure/ /api-shield/security/sequence-mitigation/api/ 301
+/api-shield/frequently-asked-questions/ /api-shield/ 301
 
 #autorag
 /autorag/usage/recipes/ /ai-search/how-to/ 301

@@ -11,7 +11,6 @@ head:
 
 import { Description, Feature, Plan, RelatedProduct, Render } from "~/components"
 
-
 <Description>
 Identify and address your API vulnerabilities.
 </Description>
@@ -49,6 +48,10 @@ Cloudflare API Security products are available to Enterprise customers only, tho
 
 The full API Shield security suite is available as an Enterprise-only paid add-on, but all customers can access [Endpoint Management](/api-shield/management-and-monitoring/) and [Schema validation](/api-shield/security/schema-validation/) functionalities.
 
+:::note
+API Shield currently does not work for JDCloud customers.
+:::
+
 ## Related products
 
 <RelatedProduct header="DDoS Protection" href="/ddos-protection/" product="ddos-protection">

@@ -183,6 +183,10 @@ You can delete endpoints one at a time or in bulk.
   </TabItem>
 </Tabs>
 
+:::caution
+When you delete an endpoint from Endpoint Management, Cloudflare immediately stops tracking all associated performance and analytics data. The endpoint's previous historical metrics are permanently removed and cannot be restored. If you later save this endpoint again, metric tracking will resume, starting from the point the endpoint is re-saved.
+:::
+
 ## Endpoint Analysis
 
 For each saved endpoint, customers can view:
@@ -218,3 +222,14 @@ Once Sensitive Data Detection is enabled for your zone, API Shield queries firew
 API Shield displays the types of sensitive data found if you expand the Endpoint Management table row to view further details. Select **Explore Events** to view the matched events in Security Events.
 
 After Sensitive Data Detection is enabled for your zone, you can [browse the Sensitive Data Detection ruleset](https://dash.cloudflare.com/?to=/:account/:zone/security/data/ruleset/e22d83c647c64a3eae91b71b499d988e/rules). The link will not work if Sensitive Data Detection is not enabled.
+
+## Limitations
+
+Certain performance metrics, such as latency, are not supported when a request is handled by a Cloudflare service in a way that prevents it from being passed directly to your origin server.
+
+This limitation is specifically observed when:
+
+- A Cloudflare Worker is running on the URL path.
+- Other products built on top of Workers, such as [Waiting Room](/waiting-room/), are active on the application.
+
+In these scenarios, the system is unable to accurately measure the origin response time, and the metric will not be populated in the dashboard.
@@ -91,6 +91,18 @@ If all of your zone’s API traffic contains the <GlossaryTooltip term="session
 
 You can direct any feedback about your API Discovery results to your account team.
 
+## Requirements
+
+To ensure your API endpoints are successfully discovered and mapped by Cloudflare, traffic to the endpoint must meet specific operational criteria.
+
+If an endpoint does not appear in the Discovery inbox, it is typically because the system has not observed enough valid requests over a continuous period. API Discovery only processes requests that satisfy all of the following requirements:
+
+- The request must return a `2xx` response code from the Cloudflare edge.
+- The request must not come directly from Cloudflare Workers.
+- The endpoint must receive at least 500 requests within a 10-day period.
+
+Endpoints discovered using session identifiers will be labeled as such in the Cloudflare dashboard. If the endpoints are not discovered through session identifiers, they will be discovered using our machine learning-based [API Discovery](/api-shield/security/api-discovery/).
+
 ## Availability
 
 API Discovery is only available for Enterprise customers. If you are an Enterprise customer and interested in this product, contact your account team.
@@ -356,7 +356,13 @@ OpenAPI schemas generated by different tooling may not be specific enough to imp
 
 ## Limitations
 
-Schema validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis.org/oas/v3.0.3). OpenAPI 3.1 is not supported yet, and we do not plan to expand support for OpenAPI 2.0.
+Cloudflare API Shield's Schema validation (importing) and [Schema learning](/api-shield/management-and-monitoring/endpoint-management/schema-learning/) (exporting) capabilities rely on the [OpenAPI Specification (OAS) v3.0](https://spec.openapis.org/oas/v3.0.3).
+
+This support includes all patch versions, such as OAS v3.0.x. We do not currently support OAS v3.1 and do not plan to expand support for OpenAPI 2.0.
+
+:::note
+Cloudflare recommends using a third-party tool like [Swagger Editor](https://editor.swagger.io/) to ensure that all schemas are fully compliant with the OAS v3.0 specification before upload.
+:::
 
 Currently, API Shield does not support some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items.
 

@@ -11,8 +11,6 @@ import { GlossaryTooltip, Steps, Render, APIRequest } from "~/components"
 
 Cloudflare Volumetric Abuse Detection helps you set up a system of adaptive rate limiting.
 
-## About
-
 After [API Discovery](/api-shield/security/api-discovery/), Cloudflare looks for <GlossaryTooltip term="API endpoint">endpoint</GlossaryTooltip> abuse based on common user traffic.
 
 For example, your API might see different levels of traffic to a `/reset-password` endpoint than a `/login` endpoint. Additionally, your `/login` endpoint might see higher than average traffic after a successful marketing campaign.
@@ -25,22 +23,41 @@ Volumetric Abuse Detection rate limits are a way to prevent blatant volumetric a
 
 ## Process
 
-Volumetric Abuse Detection analyzes your API’s individual session traffic statistics to recommend per-endpoint, per-session rate limits.
-
-Volumetric Abuse Detection currently requires a <GlossaryTooltip term="session identifier" link="/api-shield/get-started/#to-set-up-session-identifiers">session identifier</GlossaryTooltip>, like an authorization token available as a request header or cookie.
+Volumetric Abuse Detection analyzes your API's individual session traffic statistics to recommend per-endpoint, per-session rate limits.
 
-After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in the Cloudflare dashboard.
+To access your endpoints: 
 
 Old dashboard: **Security** > **API Shield** > **Endpoint Management**
 
 New dashboard: **Security** > **Web Assets** > **Endpoints**
 
 Recommendations will continue to update if your traffic pattern changes.
 
-### Observe rate limits
+### Requirements
+
+Volumetric Abuse Detection generates rate limit thresholds only after collecting sufficient, statistically safe traffic data for an endpoint. If recommendations are missing for a discovered endpoint, the traffic likely failed to meet the necessary criteria.
+
+Thresholds are suggested only for endpoints that satisfy all of the following requirements within the last seven days (or since initial discovery):
+
+- The endpoint must receive sufficient valid traffic (traffic that meets the [API Discovery](/api-shield/security/api-discovery/) criteria). Intermittent or erratic traffic may prevent suggestions.
+- The endpoint must be accessed by at least 50 distinct sessions in any 24-hour period.
+- <GlossaryTooltip term="session identifier" link="/api-shield/get-started/#to-set-up-session-identifiers">Session identifiers</GlossaryTooltip>, such as an authorization token available as a request header or cookie, must be configured to allow Cloudflare to accurately detect individual sessions and perform the required per-session rate analysis.
+
+After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in the Cloudflare dashboard.
+
+If recommendations fail to generate, one of the following response codes may appear in the Cloudflare dashboard:
+
+| Error code | Description |
+| --- | --- |
+| `404 response` | Cloudflare has not seen sufficient valid traffic for this zone to generate initial recommendations. |
+| `551 response` | Cloudflare previously generated recommendations, but we have not seen sufficient recent valid traffic to provide up-to-date suggestions. |
+
+### Rate limiting recommendation calculation 
 
 Once rate limit recommendations appear in **Endpoints**, select the endpoint row to view more detail about the recommendation. You will see the overall recommended rate limit value, as well as p99, p90, and p50 rate limit values.
 
+We calculate the recommended rate limit value throughout the day, and the new calculation may equal the existing recommendation due to similar traffic profiles existing on your API. When we recalculate, we look at requests that happened in the last 24 hours.
+
 Cloudflare recommends choosing the overall rate limit recommendation, as our analysis includes the variance of the request rate distribution across your API sessions. Choosing a single p-value may cause false positives due to a high number of outliers.
 
 :::note[p-values]