1. Home
2. Reference documentation
3. Changelog
4. 2025
5. April 2025

We're updating our Next-Gen WAF API routes from /security/* to /ngwaf/v1/* as part of a broader effort to introduce versioning and improve consistency across our security products. The new endpoints are available now, and legacy /security routes will remain operational until April 22, 2026, when they will be permanently removed. Until that date, both routes are fully supported.

Before the removal date, you'll need to replace the /security base path with /ngwaf/v1 in all endpoint URLs you use. For example:

// Before
const endpoint = "https://api.example.com/security/workspaces";

// After
const endpoint = "https://api.example.com/ngwaf/v1/workspaces";

All request and response schemas, authentication, and behavior remain the same—no additional changes are required. Legacy endpoints return a Sunset response header to remind you of the deprecation timeline.