Protect your APIs
APIs are exposed to abuse, injection attacks, and unauthorized access. Cloudflare provides defense in depth with API Shield schema validation, per-endpoint rate limiting, mutual TLS (mTLS) client authentication, and security rules.
Discover, secure, and monitor your APIs. Learn more about API Shield.
- Schema validation - Reject requests that do not conform to your OpenAPI specification before they reach your origin
Limit request rates based on flexible matching criteria. Learn more about Rate Limiting.
- Rate limiting - Prevent abuse and volumetric attacks with per-IP or per-API-key request limits
Mutual TLS client certificate authentication. Learn more about mTLS.
- Client authentication - Require mutual TLS certificates for machine-to-machine communication
Get automatic protection from vulnerabilities and create your own custom rules. Learn more about Application Security.
- Attack protection - Application Security's managed rulesets block SQL injection, Cross-Site Scripting (XSS), and other injection attacks
Zero Trust access control for applications and infrastructure. Learn more about Access.
- Identity providers - Integrate with Okta, Azure AD, Google Workspace, and other identity providers (IdPs) to gate API access
- Service tokens - Issue long-lived credentials for machine-to-machine authentication between services
Build and deploy serverless applications on Cloudflare's global network. Learn more about Workers.
- JWT validation - Verify and decode JSON Web Tokens (JWTs) at the edge before requests reach your backend
- Custom auth logic - Build any authentication scheme — API keys, Hash-based Message Authentication Code (HMAC) signatures, custom headers — directly at the edge