Authenticating URL purge requests via API

Fastly's URL purge feature allows you to purge individual URLs on your website. By default, authentication is not required to purge a URL with the Fastly API, but you can enable API token authentication in the Fastly web interface by adding a header or by using custom VCL.

WARNING

We recommend that all customers enable authentication for URL purge requests.

NOTE

All purge requests other than URL purges require authentication by default, as indicated in the API documentation.

Limitations and considerations

The solution outlined in this guide must be implemented on every service that requires authentication of URL purge requests. To enable purge authentication at the account level, contact support.

Enabling authentication in the Fastly web interface

You can enable API token authentication for URL purge requests by adding a header and optionally attaching a condition in the Fastly web interface.

Adding the header

  1. Log in to the Fastly web interface.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain. You can also click Compute services or CDN services to access a list of services by type.
  3. Click Edit configuration and then select the option to clone the active version.
  4. Click Content.
  5. Click Create header.

    Create a header window

  6. Fill out the Create a header fields as follows:

    • In the Name field, enter the name of your header rule (for example, Fastly Purge).
    • From the Type menu, select Request, and from the Action menu, select Set.
    • In the Destination field, enter http.Fastly-Purge-Requires-Auth.
    • In the Source field, enter "1".
    • From the Ignore if set menu, select No.
    • In the Priority field, enter 10.
  7. Click Create.

Attaching a condition

Attaching the following condition is optional. Without the condition, the header you just created will be added to all requests. With the condition, the header will be added to purge requests only.

  1. On the Content page, click Attach a condition to the right of your new header.

    Create a new request condition window

  2. Fill out the Create a new request condition fields as follows:

    • In the Name field, enter a descriptive name for the new condition (for example, Purge).
    • In the Apply if field, enter req.request == "FASTLYPURGE".
  3. Click Save and apply to.

  4. Click Activate to deploy your configuration changes.

Enabling authentication with VCL Snippets

You can also enable API token authentication for URL purge requests using VCL Snippets. Refer to the developer documentation for details on setting the Fastly-Purge-Requires-Auth header.

Purging URLs with an API token

After you've enabled API token authentication for URL purge requests, you'll need to provide your API token in the URL purge API request:

$ curl -X PURGE -H Fastly-Key:FASTLY_API_TOKEN https://www.example.com/

which would return this response:

{"status": "ok", "id": "1234567890"}
WARNING

If your website is not configured to use HTTPS, do not use the Fastly API to purge URLs. Doing so could expose your API token since the data in transit will not be encrypted.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.