Session identifiers
While not strictly required, it is recommended that you configure your session identifiers when getting started with API Shield. When Cloudflare inspects your API traffic for individual sessions, we can offer more tools for visibility, management, and control.
If you are unsure of the session identifiers that your API uses, consult with your development team.
Session identifiers should uniquely identify API clients. A common session identifier for API traffic is the Authorization
header. When a JSON Web Token (JWT) is used by the API for client authentication, its value may change over time. You can use a claim value inside the JWT such as sub
or email
as a session ID to uniquely identify the session over time.
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to Security > API Shield.
- Select Settings.
- On Endpoint settings, select Manage identifiers.
- Choose the type of session identifier (cookie, HTTP header, or JWT claim).
- Enter the name of the session identifier.
- Select Save.
After setting up session identifiers and allowing some time for Cloudflare to learn your traffic patterns, you can view your per endpoint and per session rate limiting recommendations, as well as enforce per endpoint and per session rate limits by creating new rules. Session identifiers will allow you to view API Discovery results from session ID-based discovery and session traffic patterns in Sequence Analytics.