Using the Next-Gen WAF API

  Last updated 2024-08-28

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, check out the Fastly Next-Gen WAF API.

Our entire control panel is built API-first — this means that anything we can do, you can do as well via our RESTful/JSON API.

We’ve seen customers use our API a number of ways, but a common use case is importing our request data into a security information and event management (SIEM) solution (e.g., Datadog, Kibana, and Sumo Logic). With a SIEM, you can correlate your internal data with data from the Next-Gen WAF.

TIP

We offer a Terraform provider.

About API access tokens

Anyone with the appropriate permissions can connect to the API by creating and using personal API access tokens. Authenticate against our API using your email and access token.

By default, everyone has the ability to create and use API access tokens. However, owners can choose to restrict API Access Token creation and usage to specific people. All plans allow you to create up to 5 access tokens per person.

Managing API access tokens

Follow these steps when managing API access tokens.

Creating API access tokens

  1. Log in to the Next-Gen WAF control panel.

  2. From the My Profile menu, select API access tokens.

  3. Click Add API access token.

  4. In the Token name field, enter a name to identify the access token.

    IMPORTANT

    Don't use special characters (e.g., -, @, !, or %) in token names. These often result in a 400 Bad Request HTTP status code error being sent.

  5. Click Create API access token.

  6. Record the token in a secure location for your use.

    IMPORTANT

    This is the only time the token will be visible. Record the token and keep it secure. For your security, it will not appear in the control panel.

  7. Click Continue to finish creating the token.

Restricting permission to create and use API access tokens

Owners can restrict the creation and use of API access tokens. After doing so, Owners can then manually grant a specific person permission to create and use API access tokens.

API access tokens that were created before restrictions were activated will not be deleted. However, the users with existing tokens will need to be given permission to use API access tokens. Until a user is again granted permission to use API access tokens, the token will remain in a disabled state. After a user has been granted permission, the control panel will remember that permission moving forward.

Owners can enable API Access Token restrictions by following these steps:

  1. Log in to the Next-Gen WAF control panel.
  2. From the Corp Manage menu, select User Authentication.
  3. Navigate to the API access tokens section.
  4. In the Access token permissions field, select the Restrict access by user option. A message will be displayed warning you about this setting and its restrictions.
  5. Click Continue to proceed.
  6. Click Update API access tokens to save this change.

Granting permission to create and use API access tokens

When API access token creation and usage is restricted, only owners can enable other users to create API access tokens.

NOTE

After restricting API Access Token usage, Owners will also need to grant themselves permission to create and use API access tokens.

  1. Log in to the Next-Gen WAF control panel.
  2. From the Corp Manage menu, select Corp Users.
  3. Click on the user you want to grant permission to.
  4. Click Edit corp user.
  5. Under the Authentication section, select the Allow this user to create API access tokens checkbox.
  6. Click Update user.

Deleting API access tokens

  1. Log in to the Next-Gen WAF control panel.
  2. From the My Profile menu, select API access tokens.
  3. Click Delete to the right of the token you want to delete.
  4. Click Delete to confirm you want to delete the token.

Viewing Personal API Tokens

Owners can view a table of all access tokens across your corp by going to the Corp Manage menu and selecting API access tokens. This table shows the various statuses of each token (active, expired, disabled by owner), their creators, IPs they were used by, and expiration dates.

Managing Corporation-Wide API Access Token Settings

Follow these steps when managing corporation-wide API access token settings.

Setting Automatic Token Expirations

Owners can set API access tokens to automatically expire after a set period of time.

  1. Log in to the Next-Gen WAF control panel.

  2. From the Corp Manage menu, select User Authentication.

  3. Navigate to the API access tokens section.

  4. In the Access token expiration, select the Custom expiration option.

  5. Select one of the default periods of time, or select Custom to set a specific custom period of time.

    The expiration is based on the creation date of the token itself, not from the start of the expiration policy. For example if there's a 60-day-old token and you set a 30-day expiration policy, the token will instantly be expired. But if you later switch the expiration to 90 days, the token will be un-expired.

  6. Click Update API access tokens.

Restricting API Access Token Usage by IP

Owners can restrict the use of API access tokens to specific IP addresses.

  1. Log in to the Next-Gen WAF control panel.
  2. From the Corp Manage menu, select User Authentication.
  3. Navigate to the API access tokens section.
  4. In the Restrict usage by IP (optional) field, enter the IP addresses and IP ranges you want to limit token usage to. Enter each IP address on a new line.
  5. Click Update API access tokens.

Using Personal API access tokens

Golang

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
package main


import (
    "encoding/json"
    "fmt"
    "io/ioutil"
    "log"
    "net/http"
    "os"
    "time"
)


var (
    // Defines the API endpoint
    endpoint = "https://dashboard.signalsciences.net/api/v0"
    email    = os.Getenv("SIGSCI_EMAIL")
    token    = os.Getenv("SIGSCI_TOKEN")
)


// Corp is a Signal Sciences corp (also known as account)
type Corp struct {
    Name         string
    DisplayName  string
    SmallIconURI string
    Created      time.Time
    SiteLimit    int
    Sites        struct {
        URI string
    }
    AuthType    string
    MFAEncorced bool
}


// CorpResponse is the response from the Signal Sciences API
// containing the corp (account) data.
type CorpResponse struct {
    Data []Corp
}


func main() {
    // No need for timestamps or anything
    log.SetFlags(0)


    // Get corps
    req, err := http.NewRequest("GET", endpoint+"/corps", nil)
    if err != nil {
        log.Fatal(err)
    }


    // Set headers
    req.Header.Set("x-api-user", email)
    req.Header.Set("x-api-token", token)
    req.Header.Set("Content-Type", "application/json")
    req.Header.Add("User-Agent", "SigSci Go-Example")


    // Make request
    var transport http.RoundTripper = &http.Transport{}
    response, err := transport.RoundTrip(req)
    if err != nil {
        log.Fatal(fmt.Sprintf("Error connecting to API: %v", err))
    }
    defer response.Body.Close()


    payload, err := ioutil.ReadAll(response.Body)
    if err != nil {
        log.Fatal(fmt.Sprintf("Unable to read API response: %v", err))
    }


    if response.StatusCode != http.StatusOK {
        log.Fatal(fmt.Sprintf("API request failed, status: %d, resp: %s", response.StatusCode, payload))
    }


    var corpResp CorpResponse
    err = json.Unmarshal(payload, &corpResp)
    if err != nil {
        log.Fatal(err)
    }


    // Print out corp (account) data
    fmt.Printf("%+v\n", corpResp.Data)
}

Python

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import requests, os


# Initial setup


endpoint = 'https://dashboard.signalsciences.net/api/v0'
email = os.environ.get('SIGSCI_EMAIL')
token = os.environ.get('SIGSCI_TOKEN')


# Fetch list of corps (accounts)


headers = {
    'Content-type': 'application/json',
    'x-api-user': email,
    'x-api-token': token
}
corps = requests.get(endpoint + '/corps', headers=headers)
print (corps.text)

Ruby

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
require 'net/http'
require 'json'


# Initial setup


endpoint = "https://dashboard.signalsciences.net/api/v0"
email = ENV['SIGSCI_EMAIL']
token = ENV['SIGSCI_TOKEN']


# Fetch list of corps (accounts)


corps_uri = URI(endpoint + "/corps")


http = Net::HTTP.new(corps_uri.host, corps_uri.port)
http.use_ssl = true


request = Net::HTTP::Get.new(corps_uri.request_uri)
request["x-api-user"] = email
request["x-api-token"] = token
request["Content-Type"] = "application/json"


response = http.request(request)
puts response.body

Shell

$ curl -H "x-api-user:$SIGSCI_EMAIL" -H "x-api-token:$ACCESS_TOKEN" -H "Content-Type: application/json" https://dashboard.signalsciences.net/api/v0/corps
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Fastly
© Fastly 2025