API Overview

We're happy to help you build whatever functionality you need with the API.

Please don't hesitate to :

We're a team of developers and sysadmins who can troubleshoot and debug whatever API interactions you need to create.


Your API key can be found on the API Access page accessed from the side navigation menu after logging into your WAF dashboard.

  • Each API Key is specific to a single WAF instance
  • The API Key is required for all API endpoints

General API Usage


API endpoints are "RESTish" in that:

  1. Endpoints are organized around objects and their representation
  2. Different HTTP verbs applied to the same API endpoint have different effects
  3. Requests are standard HTTP parameters (not full objects)
  4. All endpoints are referenced to https://api.expeditedsecurity.com

All API endpoints require that the API key be passed in a URL/Form parameter named 'api_key'.


API responses are always returned as JSON objects.

Successful Responses

Successfully calling an API endpoint will:

  • Return a HTTP Status code of 200
  • Have a 'success' value of true
  • Have a 'domain' value corresponding to the WAF instance associated with the API key (useful for differentiating staging from production applications)
  • May have an additional 'message' value with more information on the request

GET /api/origins?api_key=example-api-key

HTTP 200 - application/json
	domain: "example.com",
	success: true,
	origin: "example-app.herokuapp.com"

Failed Responses

Requests may fail for a variety of reasons, most often that:

  1. The API Key was not included as an 'api_key' parameter
  2. A required parameter is missing
  3. The wrong HTTP verb was used than intended
Bad API Key Example

GET /api/origins?api_key=BAD-API-KEY

HTTP 403 - application/json
	success: false,
	message: "Bad API Key Value" 
Missing API Key Example

GET /api/origins

HTTP 403 - application/json
	success: false,
	message: "Missing parameter api_key"

Available API Endpoints

Origins - add and remove origin hosts

Cache - invalidate cached file paths

Blacklist IP - block an IP from requesting your site

Whitelist IP - allow an IP to bypass security rules for your site

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.