How does VNIS API protection work?

VNIS API protection is an access control method applied on the Origin Shield (an intermediate node between the CDN/edge and the origin) through token authentication. Using VNIS’ token authentication, customers can implement access control via URL tokens without having to build complex back-end systems. There are 2 applications of VNIS Token Authentication:

  • API Requests Authentication
  • Validating Mobile Apps

For both applications, VNIS checks the token at the Origin Shield before any request is relayed to the origin; if the token is not valid, the request is blocked. Since VNIS handles all token validation on the Origin Shield, the origin server does not need complex authentication logic of its own. In addition, a malicious user who attempts to forge tokens is blocked before ever reaching the origin.

When you're implementing API protection via VNIS, you'll be asked to do the following:

  1. Define API protection rules - if a user request matches the defined rules, API protection is initiated.
  2. Define time-limited API token settings - the key and token settings that govern how the authentication server creates the API token:
    1. Create a key
    2. Set token lifespan
    3. Set custom parameter
    4. Activate and configure rate limit feature (optional)
  3. Implement the script for generating API tokens - copy-paste the system-generated script to your authentication server. The authentication server uses this script to generate API tokens that are given to verified users.

Once done and activated, the end-users' journey when requesting an API will follow the illustration below:

  1. The end-user logs in to the web application, which sends a request to the authentication server. This authentication server must be pre-installed with a VNIS-generated script.
  2. If the authentication server verifies the end-user's account, it provides the time-limited API token to the end-user in the form of a URL with a custom parameter. The provided API token is configured to expire.
  3. The end-user requests a restricted/protected web service (API) from the Origin Shield server using the API token.
  4. The VNIS Origin Shield server validates the API token and allows or denies access based on the result. Since the end-user holds a valid API token, they can successfully access the restricted web service through the WAF server.
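As an added illustration of the configuration steps and the request flow above (this is not VNIS's own script or token format, which the page does not specify), the following Python sketch shows an authentication server issuing an HMAC-signed, time-limited token bound to a path and a client identifier, and an Origin Shield-style check that rejects missing, malformed, expired, tampered and forged tokens. The key value, lifespan, the parameter name `vnis_token` and the token layout are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Stands in for the "key" created in the token settings (constructed value).
SECRET_KEY = b"replace-with-key-from-vnis-console"
TOKEN_LIFESPAN = 300          # seconds; stands in for the configured token lifespan
TOKEN_PARAM = "vnis_token"    # assumed name of the custom URL parameter

def _sign(path: str, expires: int, client_id: str) -> str:
    # Bind the signature to path, expiry and client so a token cannot be
    # replayed against another endpoint or with an extended lifetime.
    msg = f"{path}|{expires}|{client_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_token_url(path: str, client_id: str, now: Optional[int] = None) -> str:
    """Authentication server side: after a successful login, return the
    protected URL carrying a time-limited token as a custom parameter."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_LIFESPAN
    token = f"{expires}.{client_id}.{_sign(path, expires, client_id)}"
    return f"{path}?{urlencode({TOKEN_PARAM: token})}"

def validate_request(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Origin Shield side: decide whether a request may be relayed to the
    origin. Returns (allowed, reason) so the reason can be logged."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    token = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
    if token is None:
        return False, "missing token"
    try:
        expires_s, rest = token.split(".", 1)
        client_id, sig = rest.rsplit(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False, "malformed token"
    if now > expires:
        return False, "expired token"
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(parts.path, expires, client_id)):
        return False, "bad signature"
    return True, "ok"
```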

VNIS token authentication can be used to validate an API request on the Origin Shield, confirming that it comes from a valid user, client, or mobile device. VNIS filters out non-authenticated or forged requests and does not let them pass to the origin API server.

Along with VNIS' Rate Limiting and WAF, a web or mobile application with an API can be validated at the Origin Shield server, protecting it from overuse and abuse.