All Products
Search
Document Center

Edge Security Acceleration:Get started with API security

Last Updated:Jun 23, 2026

The API security feature of Edge Security Acceleration (ESA) helps prevent data breaches and service interruptions caused by unknown or deprecated APIs. It uses machine learning to continuously analyze your site's traffic, automatically discover API endpoints, and identify issues such as sensitive data leakage and API abuse.

Step 1: Configure session identifiers

To enable user-level API behavior analysis and anomaly detection, you must configure a session identifier before you use API security. ESA uses this identifier to identify each visitor and accurately detect user-specific attacks.

  1. In the ESA console, select Websites . In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > API Security.

  3. On the API Security page, click the Settings tab. In the Session Identifier section, click Add.image

  4. Select an identifier type: Header, Cookie, or JWT claims (requires an existing or new claim), and then enter the corresponding name.image

Step 2: Discover and evaluate APIs

After you configure the session identifier, ESA automatically starts discovering APIs. You can evaluate the discovered APIs and mark them as Managed or Ignored to ensure that your core business APIs are fully protected and unnecessary APIs are excluded.

Discover APIs

ESA uses machine learning and session identifiers to analyze your site's traffic and automatically discover its APIs.

Note

Only APIs that received valid requests in the last 30 days are included in the discovery results.

  1. In the ESA console, select Websites . In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > API Security.

  3. On the API Security page, select the API Discovery tab. ESA displays the total number of Discovered APIs and their details.image

Evaluate APIs

To help you quickly categorize APIs, ESA assigns one of the following statuses to discovered APIs:

Status

Security protection level

Recommended action

To Be Reviewed

No active protection. API calls do not trigger any API security mitigation policies.

High-risk state. Evaluate and mark the API as Managed or Ignored as soon as possible.

Managed

Ignore. ESA will no longer perform any statistics, analysis, or protection for this API.

Recommended. All public-facing business APIs should be in this state.

Ignored

Fully protected. Covered by comprehensive API Security detection and protection, including abnormal behavior analysis and attack prevention.

For APIs that are used for internal testing, are deprecated, or do not require security management.

Evaluate the discovered APIs as follows:

  1. In the ESA console, select Websites . In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > API Security.

  3. On the API Security page, select the API Discovery tab. In the To Be Reviewed section, click the Filter button to display all APIs that are pending evaluation.image

  4. In the list of APIs pending evaluation, mark an API as Managed or Ignored. You can also select multiple APIs and choose an action from the options below the list.image

FAQ

Why was my API not discovered?

Check the following items:

  1. Make sure that your site traffic passes through ESA.

  2. Make sure that the API received HTTP requests with a status code other than 5xx in the last 30 days.

  3. For new sites or low-traffic APIs, discovery may take 24 hours or longer to complete.

Can I manually add an API that was not discovered?

Yes, you can. For more information, see Add an API manually.