How to handle the case when the WAF is active, the API can be used but the challenge verification is not active, when the WAF is turned off then the challenge verification is active. My question is how to set it up so that the API and verification challenges can run simultaneously.