
ApiShieldConfiguration

Source: src/Cloudflare/ApiShield/Configuration.ts

The API Shield configuration of a Cloudflare zone — the session identifiers (“auth ID characteristics”) used to attribute API traffic to individual consumers for API Discovery and volumetric abuse detection.

The configuration is a zone singleton: it always exists (defaulting to an empty list), so this resource never creates or deletes anything physical. Reconcile PUTs the configuration when the observed characteristics differ from the desired ones; destroy restores the characteristics the zone had before Alchemy first managed them.

Requires an API Shield entitlement (Enterprise) — on other plans every operation fails with Cloudflare’s NotEntitled error (code 10403).

Identify sessions by an Authorization header

yield* Cloudflare.ApiShieldConfiguration("SessionIds", {
  zoneId: zone.zoneId,
  authIdCharacteristics: [{ name: "authorization", type: "header" }],
});

Identify sessions by a cookie and a JWT claim

yield* Cloudflare.ApiShieldConfiguration("SessionIds", {
  zoneId: zone.zoneId,
  authIdCharacteristics: [
    { name: "session_id", type: "cookie" },
    { name: '$.cf.token_configurations[?(@.title=="api")].sub', type: "jwt" },
  ],
});
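
The reconcile and destroy behaviour described at the top of this page, modelled against an in-memory zone. This is an added example, not Alchemy's implementation: `FakeZone`, `ManagedState`, `canonical`, `reconcile`, `destroy` and `demo` are hypothetical names, and treating the characteristic list as order-insensitive is an assumption.

```typescript
// Added illustration: an in-memory model of the zone singleton, not Alchemy's code.
type AuthIdCharacteristic = { name: string; type: "header" | "cookie" | "jwt" };

// Hypothetical stand-in for the zone's API Shield configuration; counts PUTs.
class FakeZone {
  puts = 0;
  characteristics: AuthIdCharacteristic[];
  constructor(initial: AuthIdCharacteristic[] = []) { this.characteristics = initial; }
  get(): AuthIdCharacteristic[] { return this.characteristics.map((c) => ({ ...c })); }
  put(next: AuthIdCharacteristic[]): void {
    this.puts++;
    this.characteristics = next.map((c) => ({ ...c }));
  }
}

// Assumption: list order is not significant, so compare as a sorted set of type:name keys.
const canonical = (list: AuthIdCharacteristic[]): string =>
  JSON.stringify(list.map((c) => `${c.type}:${c.name}`).sort());

// State that must be persisted so destroy can restore the pre-management value.
type ManagedState = { original: AuthIdCharacteristic[] };

function reconcile(zone: FakeZone, desired: AuthIdCharacteristic[], state?: ManagedState): ManagedState {
  const observed = zone.get();
  // Snapshot only on first management; later reconciles must not overwrite it.
  const next = state ?? { original: observed };
  if (canonical(observed) !== canonical(desired)) zone.put(desired);
  return next;
}

function destroy(zone: FakeZone, state: ManagedState): void {
  // Nothing is deleted: the singleton is put back to what it held before.
  if (canonical(zone.get()) !== canonical(state.original)) zone.put(state.original);
}

// Constructed scenario: the zone already has a characteristic set by hand.
function demo() {
  const zone = new FakeZone([{ name: "x-api-key", type: "header" }]);
  const desired: AuthIdCharacteristic[] = [
    { name: "session_id", type: "cookie" },
    { name: "authorization", type: "header" },
  ];
  let state = reconcile(zone, desired);                   // drift: one PUT
  state = reconcile(zone, [...desired].reverse(), state); // same set: no PUT
  const putsWhileManaged = zone.puts;
  destroy(zone, state);                                   // restore: one PUT
  return { putsWhileManaged, totalPuts: zone.puts, restored: zone.get() };
}
```

If the snapshot were retaken on every reconcile, destroy would restore the managed value instead of the hand-set one, leaving session identifiers on the zone that nobody owns.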