Open up specific API endpoint for "random" IPs?

firewall
#1

Hello everyone,

I run a site where I sell “access” to one of my API’s that provide Json data. I like to host this api behind Cloudflare but I am worried that the firewall will block my customers.

A normal customer makes about 1000-5000 requests per day, but sometimes up to 100.000.

New customers joins automatically every day making it hard/impossible for me to manually white-list those customers website ip’s.

Should I try to add their IPs to the white-list of IPs using an API, if so where can I find the documentation for doing so?

Its important that the customers are able to start using the API directly after signup. And all the API calls are made by computers/websites, which makes me belive there is a high risk that the customers webservers will be blacklisted quickly.

#2

Assuming you do API key checking/authentication on your origin server, you could create a page rule for your API or API prefix (eg https://example.com/api/*) and either set it to “disable security” (if you think your API is likely to trigger WAF rules) or “security level: essentially off” (if you still want WAF to trigger).