---
title: Using an API with the Next-Gen WAF
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf
---

You can interact with the Next-Gen WAF using one of the following APIs:

| API                                                                                  | Who should use it                                                                                             |
| ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------- |
| [Next-Gen WAF API](https://www.fastly.com/documentation/signalsciences/api/)         | Use this API if you have access to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).    |
| [Fastly Next-Gen WAF API](https://www.fastly.com/documentation/reference/api/ngwaf/) | Use this API if you have access to the Next-Gen WAF in the [Fastly control panel](https://manage.fastly.com). |

## Using the Next-Gen WAF API

If you have access to the Next-Gen WAF control panel, you can use the [Next-Gen WAF API](https://www.fastly.com/documentation/signalsciences/api/) to interact with the Next-Gen WAF.

> **HINT:** We offer a [Terraform provider](https://registry.terraform.io/providers/signalsciences/sigsci/latest).

### About API access tokens

Anyone with the appropriate permissions can connect to the API by creating and using personal API access tokens. Authenticate against our API using your email and access token.

Selecting **API Access Tokens** from the Corp Manage menu displays the API Access Tokens page. From the API Access Tokens page, you can view a table that lists all tokens in your corp and use a search bar to filter the table by token creator and name. The table contains these columns:

- **Created by:** the name of the creator of the token.
- **Token Name:** the friendly name of the token.
- **Logged IP:** the IP address of the request.
- **User Agent:** the user agent of the request.
- **Timestamp:** the date the token was used.
- **Status:** the status of the token.
- **Expires:** the date the token expires.

By default, everyone has the ability to create and use API access tokens. However, [owners](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) can choose to restrict API Access Token creation and usage to specific people. All plans allow you to create up to 5 access tokens per person.

### Managing API access tokens

Follow these steps when managing API access tokens.

#### Creating API access tokens

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **My Profile** menu, select **API access tokens**.

3. Click **Add API access token**.

4. In the **Token name** field, enter a name to identify the access token.

   > **WARNING:** Don't use special characters (e.g., `-`, `@`, `!`, or `%`) in token names. These often result in a `400 Bad Request` [HTTP status code error](https://www.fastly.com/documentation/reference/http/http-statuses/) being sent.

5. Click **Create API access token**.

6. Record the token in a secure location for your use.

   > **IMPORTANT:** This is the only time the token will be visible. Record the token and keep it secure. For your security, it will not appear in the control panel.

7. Click **Continue** to finish creating the token.

#### Restricting permission to create and use API access tokens

[Owners](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) can restrict the creation and use of API access tokens. After doing so, Owners can then manually grant a specific person permission to create and use API access tokens.

API access tokens that were created before restrictions were activated will not be deleted. However, the users with existing tokens will need to be given permission to use API access tokens. Until a user is again granted permission to use API access tokens, the token will remain in a disabled state. After a user has been granted permission, the control panel will remember that permission moving forward.

Owners can enable API Access Token restrictions by following these steps:

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Corp Manage** menu, select **User Authentication**.
3. Navigate to the **API access tokens** section.
4. In the **Access token permissions** field, select the **Restrict access by user** option. A message will be displayed warning you about this setting and its restrictions.
5. Click **Continue** to proceed.
6. Click **Update API access tokens** to save this change.

#### Granting permission to create and use API access tokens

When API access token creation and usage is [restricted](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf#restricting-permission-to-create-and-use-api-access-tokens), only [owners](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) can enable other users to create API access tokens.

> **IMPORTANT:** After restricting API Access Token usage, [Owners](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) will also need to grant themselves permission to create and use API access tokens.

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Corp Manage** menu, select **Corp Users**.
3. Click on the user you want to grant permission to.
4. Click **Edit corp user**.
5. Under the **Authentication** section, select the **Allow this user to create API access tokens** checkbox.
6. Click **Update user**.

#### Deleting API access tokens

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **My Profile** menu, select **API access tokens**.
3. Click **Delete** to the right of the token you want to delete.
4. Click **Delete** to confirm you want to delete the token.

#### Viewing Personal API Tokens

[Owners](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) can view a table of all access tokens across your corp by going to the **Corp Manage** menu and selecting **API access tokens**. This table shows the status of each token (active, expired, disabled by owner), its creator, the IP addresses it was used from, and its expiration date.

### Managing Corporation-Wide API Access Token Settings

Follow these steps when managing corporation-wide API access token settings.

#### Setting Automatic Token Expirations

[Owners](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) can set API access tokens to automatically expire after a set period of time.

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Corp Manage** menu, select **User Authentication**.

3. Navigate to the **API access tokens** section.

4. In the **Access token expiration** field, select the **Custom expiration** option.

5. Select one of the default periods of time, or select **Custom** to set a specific custom period of time.

   The expiration is based on the creation date of the token itself, not on the date the expiration policy starts. For example, if there's a 60-day-old token and you set a 30-day expiration policy, the token will instantly be expired. But if you later switch the expiration to 90 days, the token will be un-expired.

6. Click **Update API access tokens**.

#### Restricting API Access Token Usage by IP

[Owners](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) can restrict the use of API access tokens to specific IP addresses.

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Corp Manage** menu, select **User Authentication**.
3. Navigate to the **API access tokens** section.
4. In the **Restrict usage by IP (optional)** field, enter the IP addresses and IP ranges you want to limit token usage to. Enter each IP address on a new line.
5. Click **Update API access tokens**.
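
One way to preview which existing tokens would stop working under a proposed expiration period and IP restriction before saving either setting. This is an added example, not Fastly's code; the token records and their field names, CIDR notation for IP ranges, and treating an empty list as unrestricted are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass
class Token:
    # Constructed record; field names are assumptions, not the API's schema.
    name: str
    created: datetime
    logged_ip: str


def parse_allowlist(text):
    """Parse one IP address or range per line, as entered in the control panel field."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            # A bare address becomes a /32 (or /128); strict=False tolerates host bits.
            nets.append(ip_network(line, strict=False))
    return nets


def preview(tokens, allowlist_text, max_age_days, now):
    """Return {token name: [reasons]} for tokens the proposed settings would disable."""
    nets = parse_allowlist(allowlist_text)
    impact = {}
    for t in tokens:
        reasons = []
        # Age is measured from the token's creation date, not from when the policy is set.
        if now - t.created > timedelta(days=max_age_days):
            reasons.append("expired")
        # Assumption: an empty list means no IP restriction.
        if nets and not any(ip_address(t.logged_ip) in n for n in nets):
            reasons.append("ip-blocked")
        if reasons:
            impact[t.name] = reasons
    return impact


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible
TOKENS = [  # constructed sample inventory
    Token("ci deploy", NOW - timedelta(days=60), "203.0.113.10"),
    Token("siem export", NOW - timedelta(days=10), "198.51.100.7"),
    Token("laptop", NOW - timedelta(days=5), "192.0.2.44"),
]
ALLOWLIST = "203.0.113.0/24\n198.51.100.7\n"  # constructed allowlist, one entry per line

if __name__ == "__main__":
    for days in (30, 90):
        print(days, preview(TOKENS, ALLOWLIST, days, NOW))
```
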

### Using Personal API access tokens

#### Golang

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
	"os"
	"time"
)

var (
	// Defines the API endpoint
	endpoint = "https://dashboard.signalsciences.net/api/v0"
	// Credentials are read from the environment so they are not hard-coded
	email = os.Getenv("SIGSCI_EMAIL")
	token = os.Getenv("SIGSCI_TOKEN")
)

// Corp is a Signal Sciences corp (also known as account)
type Corp struct {
	Name         string
	DisplayName  string
	SmallIconURI string
	Created      time.Time
	SiteLimit    int
	Sites        struct {
		URI string
	}
	AuthType    string
	MFAEnforced bool
}

// CorpResponse is the response from the Signal Sciences API
// containing the corp (account) data.
type CorpResponse struct {
	Data []Corp
}

func main() {
	// No need for timestamps or anything
	log.SetFlags(0)

	// Get corps
	req, err := http.NewRequest(http.MethodGet, endpoint+"/corps", nil)
	if err != nil {
		log.Fatal(err)
	}

	// Set headers: the email and access token authenticate the request
	req.Header.Set("x-api-user", email)
	req.Header.Set("x-api-token", token)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Add("User-Agent", "SigSci Go-Example")

	// Make request. Calling the transport directly sends a single request
	// and does not follow redirects.
	var transport http.RoundTripper = &http.Transport{}
	response, err := transport.RoundTrip(req)
	if err != nil {
		log.Fatalf("Error connecting to API: %v", err)
	}
	defer response.Body.Close()

	payload, err := io.ReadAll(response.Body)
	if err != nil {
		log.Fatalf("Unable to read API response: %v", err)
	}

	if response.StatusCode != http.StatusOK {
		log.Fatalf("API request failed, status: %d, resp: %s", response.StatusCode, payload)
	}

	var corpResp CorpResponse
	err = json.Unmarshal(payload, &corpResp)
	if err != nil {
		log.Fatal(err)
	}

	// Print out corp (account) data
	log.Printf("%+v\n", corpResp.Data)
}
```

#### Python

```python
import os

import requests

# Initial setup

endpoint = 'https://dashboard.signalsciences.net/api/v0'
email = os.environ.get('SIGSCI_EMAIL')
token = os.environ.get('SIGSCI_TOKEN')

# Fetch list of corps (accounts)

headers = {
    'Content-type': 'application/json',
    'x-api-user': email,
    'x-api-token': token
}
# A timeout keeps the script from hanging on a stalled connection
corps = requests.get(endpoint + '/corps', headers=headers, timeout=30)
print(corps.text)
```

#### Ruby

```ruby
require 'net/http'
require 'json'

# Initial setup

endpoint = "https://dashboard.signalsciences.net/api/v0"
email = ENV['SIGSCI_EMAIL']
token = ENV['SIGSCI_TOKEN']

# Fetch list of corps (accounts)

corps_uri = URI(endpoint + "/corps")

http = Net::HTTP.new(corps_uri.host, corps_uri.port)
http.use_ssl = true

request = Net::HTTP::Get.new(corps_uri.request_uri)
request["x-api-user"] = email
request["x-api-token"] = token
request["Content-Type"] = "application/json"

response = http.request(request)
puts response.body
```

#### Shell

```term copy
$ curl -H "x-api-user:$SIGSCI_EMAIL" -H "x-api-token:$ACCESS_TOKEN" -H "Content-Type: application/json" https://dashboard.signalsciences.net/api/v0/corps
```

## Using the Fastly Next-Gen WAF API

If you have access to the Next-Gen WAF in the Fastly control panel, you can use the [Fastly Next-Gen WAF API](https://www.fastly.com/documentation/reference/api/ngwaf/) to interact with the Next-Gen WAF. Most of the endpoints require authentication with a properly scoped API token, which you can create using the [Fastly API](https://www.fastly.com/documentation/reference/api/auth-tokens) or the [Fastly control panel](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/using-api-tokens/).

> **IMPORTANT:** Automation tokens do not trigger or apply to Next-Gen WAF features and scopes and cannot be used as API tokens.

You can also deploy the Next-Gen WAF with Terraform. Check out our [Terraform guide](https://www.fastly.com/documentation/guides/integrations/non-fastly-services/developer-guide-terraform/) for more information.

## Related content

- [Testing with attack tooling](https://branch-doc-11440-address-ngwaf-api-confusion.developer.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling/)
