Complete documentation for API discovery, schema validation, and security.
APIs and microservices
Build, secure, and manage Application Programming Interfaces (APIs) with rate limiting, authentication, and observability. Cloudflare Workers deploys API handlers globally with automatic scaling. API Shield validates requests against your OpenAPI specification. Rate Limiting prevents abuse. mTLS authenticates machine-to-machine communication. Cloudflare Tunnel and Access secure internal microservices. Logpush and Workers Analytics Engine provide monitoring.
Protect your APIs with defense in depth:
- API Shield validates requests against your OpenAPI schema
- Security rules managed rulesets block SQL injection, XSS, and OWASP Top 10 vulnerabilities
- Rate Limiting prevents abuse and Distributed Denial of Service (DDoS) attacks
- mTLS (mutual TLS) authenticates known clients with certificates
Build APIs that run entirely on Cloudflare:
- Workers handles request routing and business logic
- D1 or KV stores application data
- Queues handles async processing and webhooks
Connect and secure internal services:
- Cloudflare Tunnel exposes services without public IPs
- Access enforces identity-based policies between services
- Workers acts as an API gateway for external consumers
- A Cloudflare account ↗.
- Node.js ↗ (version 16.17.0 or later) installed on your machine.
- Wrangler installed.
- A Cloudflare account ↗.
- A domain added to Cloudflare with DNS records proxied through Cloudflare. This is required for API Shield, rate limiting, and application security.
- For securing internal services with Cloudflare Tunnel and Access: a Cloudflare One organization created in the Cloudflare dashboard.
Code examples for building APIs with Workers.