> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Advanced API protection

export const MethodSection = ({children}) => children ?? null;

export const MethodSwitch = ({children}) => {
  const tabs = React.Children.toArray(children).map(c => {
    if (!c || !c.props) return null;
    if (c.props.id) return c;
    const inner = c.props.children;
    if (inner && inner.props && inner.props.id) return inner;
    return null;
  }).filter(Boolean);
  const firstId = tabs.length > 0 ? tabs[0].props.id : "";
  const [active, setActive] = React.useState(firstId);
  React.useEffect(() => {
    try {
      const saved = localStorage.getItem("gcore_docs_method");
      if (saved && tabs.find(t => t.props.id === saved)) {
        setActive(saved);
      }
    } catch (_) {}
  }, []);
  React.useEffect(() => {
    try {
      document.querySelectorAll("h2[id], h3[id]").forEach(heading => {
        const visible = heading.offsetParent !== null;
        document.querySelectorAll(`a[href="#${heading.id}"]`).forEach(link => {
          if (link.closest("h1,h2,h3,h4,h5,h6")) return;
          const li = link.closest("li");
          if (li) li.style.display = visible ? "" : "none";
        });
      });
    } catch (_) {}
    window.dispatchEvent(new Event("scroll"));
  }, [active]);
  const handleClick = id => {
    setActive(id);
    try {
      localStorage.setItem("gcore_docs_method", id);
    } catch (_) {}
  };
  return <div>
      <div className="not-prose flex gap-0 border-b border-zinc-200 dark:border-zinc-800 mb-8 mt-2" role="tablist">
        {tabs.map(tab => {
    const isActive = active === tab.props.id;
    return <button key={tab.props.id} role="tab" aria-selected={isActive} onClick={() => handleClick(tab.props.id)} className={["px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors cursor-pointer", isActive ? "border-primary text-primary" : "border-transparent text-zinc-500 hover:text-zinc-800 dark:hover:text-zinc-200"].join(" ")}>
              {tab.props.label}
            </button>;
  })}
      </div>

      {tabs.map(tab => <div key={tab.props.id} style={{
    display: active === tab.props.id ? "" : "none"
  }}>
          {tab.props.children}
        </div>)}
    </div>;
};

<MethodSwitch>
  <MethodSection id="portal" label="Customer Portal">
    <p>Our WAAP includes a pre-defined Advanced API protection policy group with multiple policies, allowing you to securely manage your API traffic and protect against unwanted or abusive usage of APIs. </p>

    <Info>
      **Info**

      This policy group is available in the *Enterprise* plan. To enable it for your domain, contact our [sales team](https://gcore.com/waap-contact-sales).
    </Info>

    ## Configure API Protection rules

    <p>Before you enable the API Protection rules, you need to [configure access to APIs by using reserved tags](/waap/api-discovery-and-protection/configure-api-access-with-reserved-tags). Without this configuration, the rules will not affect your API traffic. </p>

    <p>You can review and configure API Protection rules in the [Gcore Customer Portal](https://portal.gcore.com/accounts/reports/dashboard): </p>

    <p>1. Navigate to **WAAP** > **API Protection**. </p>

    <p>2. In the domain dropdown at the top of the page, select the needed domain.</p>

    <p>3. View and adjust the API protection rules as needed.</p>

    <Info>
      **Info**

      All advanced API protection policies are disabled by default. To enable a policy, turn on the toggle near that policy.
    </Info>

    ### Auth token protection

    <p>Prevent multiple authentication attempts and block access for users who repeatedly try to use invalid tokens to access the API. </p>

    <p>Before enabling this policy, you need to define your 0Auth token endpoints to ensure they are correctly tagged. Learn instructions on how to do this, check out the [Tag generating rules](/waap/waap-rules/custom-rules/tag-rules#tag-generating-rules) guide. </p>

    ### Sensitive data exposure

    <p>Block API responses that contain personally identifiable information (PII) such as phone numbers, SSNs, email addresses, or credit card numbers. </p>

    <p>You can turn off this policy for specific API endpoints by tagging them as needed. In this case, you'll remain protected against unknown sensitive data leakage, while allowing legitimate known resources to create a response without being interrupted by the WAAP.</p>

    ### Invalid API traffic

    <p>Block API requests that don't conform to a JSON structure. This policy protects your APIs by inspecting the keys and values within the JSON. If they are not properly structured, the request will be blocked. </p>

    ### API-level authorization

    <p>There are three levels of API endpoint authorization: </p>

    * **Admin** : Users who can access any endpoint.

    * **Privileged** : Users who can access privileged access endpoints.

    * **Non-privileged** : Users who will be blocked from all access endpoints that are privileged or admin.

    <p>To ensure only admins and privileged users can access sensitive endpoints, you can create tags that will be applied when the defined header, token, or other identifier is present. You can then use the [API Discovery](/waap/api-discovery-and-protection/api-discovery) feature and create [WAAP rules](/waap/api-discovery-and-protection/configure-api-access-with-reserved-tags) to control API access based on these tags. </p>

    ### Non-baselined API requests

    <p>Enable a positive security policy that blocks requests to endpoints that aren't part of the API baseline—a defined version of your API where all protected endpoints are listed. </p>

    <p>You can also add endpoints to the [API baseline](/waap/api-discovery-and-protection/api-discovery#api-baseline) if you don't want to perform a network or API specification file scan.</p>
  </MethodSection>

  <MethodSection id="api" label="REST API">
    <p>Advanced API Protection policies protect APIs against authentication abuse, malformed requests, unauthorized access, sensitive data exposure, and other API-specific threats. Before enabling these policies, [configure API access with reserved tags](/waap/api-discovery-and-protection/configure-api-access-with-reserved-tags) — without that configuration the policies have no effect. All policies are disabled by default.</p>

    <Info>
      An [API token](/account-settings/api-tokens) is required, along with the ID of a [WAAP-protected domain](/waap/getting-started/configure-waap-for-a-domain) and the [Python](/developer-tools/sdks/python) or [Go](/developer-tools/sdks/go) SDK installed for SDK examples. This policy group is available on the Enterprise WAAP plan only.
    </Info>

    ```bash theme={null}
    export GCORE_API_KEY="{YOUR_API_KEY}"
    export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"
    ```

    ## View policy states

    <p>Retrieve the current mode of all Advanced API Protection policies for a domain.</p>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        adv_set = next(
            rs for rs in rule_sets if rs.resource_slug == "advanced-api-protection"
        )

        for policy in adv_set.rules:
            status = "enabled" if policy.mode else "disabled"
            print(f"{policy.name}: {status} ({policy.id})")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
            "context"
            "fmt"
            "os"
            "strconv"

            gcore "github.com/G-Core/gcore-go"
            "github.com/G-Core/gcore-go/option"
        )

        func main() {
            client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
            domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

            ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
            for _, rs := range *ruleSets {
                if rs.ResourceSlug == "advanced-api-protection" {
                    for _, policy := range rs.Rules {
                        status := "disabled"
                        if policy.Mode {
                            status = "enabled"
                        }
                        fmt.Printf("%s: %s (%s)\n", policy.Name, status, policy.ID)
                    }
                }
            }
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        curl -X GET "https://api.gcore.com/waap/v1/domains/${WAAP_DOMAIN_ID}/rule-sets" \
          -H "Authorization: APIKey ${GCORE_API_KEY}" \
          | jq '.[] | select(.resource_slug == "advanced-api-protection") | .rules[] | {name, id, mode}'
        ```
      </Tab>
    </Tabs>

    <p>The response includes each policy in the group with its ID and current state. `mode: true` means enabled; `mode: false` means disabled.</p>

    <Info>
      The API may also return policies that belong to the [Protocol validation](/waap/waap-policies/protocol-validation) policy group. Those policies are part of the same API resource group but are configured separately in the Customer Portal under WAAP > Bot Management.
    </Info>

    ## Toggle a policy

    <p>Switch a policy between enabled and disabled. Each call flips the current mode. Use the policy ID returned by the [View policy states](#view-policy-states) request.</p>

    <Warning>
      This endpoint toggles the current state rather than setting a specific value. If the target state is unknown, check the current policy state first using the View policy states request.
    </Warning>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        # Find the policy ID by name
        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        adv_set = next(
            rs for rs in rule_sets if rs.resource_slug == "advanced-api-protection"
        )
        policy = next(r for r in adv_set.rules if r.name == "Auth token protection")

        result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
        status = "enabled" if result.mode else "disabled"
        print(f"Auth token protection is now {status}")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
            "context"
            "fmt"
            "os"
            "strconv"

            gcore "github.com/G-Core/gcore-go"
            "github.com/G-Core/gcore-go/option"
            "github.com/G-Core/gcore-go/waap"
        )

        func main() {
            client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
            domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

            // Find the policy ID by name
            ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
            var policyID string
            for _, rs := range *ruleSets {
                if rs.ResourceSlug == "advanced-api-protection" {
                    for _, p := range rs.Rules {
                        if p.Name == "Auth token protection" {
                            policyID = p.ID
                        }
                    }
                }
            }

            result, _ := client.Waap.Domains.Policies.Toggle(context.Background(), policyID, waap.DomainPolicyToggleParams{DomainID: domainID})
            status := "disabled"
            if result.Mode {
                status = "enabled"
            }
            fmt.Printf("Auth token protection is now %s\n", status)
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        # Set POLICY_ID to the policy ID from the Policy reference or View policy states response
        export POLICY_ID="{POLICY_ID}"

        curl -X PATCH "https://api.gcore.com/waap/v1/domains/${WAAP_DOMAIN_ID}/policies/${POLICY_ID}/toggle" \
          -H "Authorization: APIKey ${GCORE_API_KEY}"
        ```

        Response:

        ```json theme={null}
        {"mode": true}
        ```
      </Tab>
    </Tabs>

    <p>The API returns the updated policy object. `mode: true` confirms the policy is now enabled; `mode: false` confirms disabled.</p>

    ## Policy reference

    <Accordion title="All Advanced API Protection policies">
      All policies in this group use **Block** as their action — the request is rejected when the policy triggers.

      | Policy                     | Purpose                                                                                                   |
      | -------------------------- | --------------------------------------------------------------------------------------------------------- |
      | Auth token protection      | Blocks users who repeatedly attempt to authenticate with invalid tokens.                                  |
      | Sensitive data exposure    | Blocks API responses containing PII such as phone numbers, SSNs, email addresses, or credit card numbers. |
      | Invalid API traffic        | Blocks API requests that do not conform to a valid JSON structure.                                        |
      | API-level authorization    | Blocks requests to admin or privileged endpoints from users not tagged as admin or privileged.            |
      | Non-baselined API requests | Blocks requests to API endpoints that are not part of the defined API baseline.                           |
    </Accordion>
  </MethodSection>
</MethodSwitch>
