
CLI Reference

waf api-rules

To restrict API access, you can use this command to configure certain rules involving API key verification, API key carryover, API user grouping, sub-URL setting, and specified actions FortiWeb will take in case of any API call violation.

Syntax

config waf api-rules
    edit <api-rules_name>
        set verification-mode {disable | api-key-verification | jwks-endpoint | jwt-public-key | jwt-token-secret}
        set allow-user-group <allow-user-group_name>
        set api-key-location {HTTP-parameter | HTTP-header}
        set header-field-name <header-field-name_str>
        set parameter-name <parameter-name_str>
        set rate-limit-period <rate-limit-period_int>
        set rate-limit-requests <rate-limit-requests_int>
        set rate-limit-user-period <rate-limit-user-period_int>
        set rate-limit-user-requests <rate-limit-user-requests_int>
        set jwt-token-secret <string>
        set jwt-public-key <string>
        set jwks-endpoint <string>
        set x-ratelimit-headers {enable | disable}
        set action {alert | deny_no_log | alert_deny | block-period}
        set block-period <block-period_int>
        set severity {High | Medium | Low | Info}
        set trigger-policy <trigger-policy_str>
        set host <host_str>
        set host-status {enable | disable}
        config attach-HTTP-header
            edit <attach-HTTP-header_id>
                set HTTP-header-item <HTTP-header-item_str>
            next
        end
        config match-url-prefixes
            edit <match-url-prefixes_id>
                set frontend-prefix <frontend-prefix_str>
                set backend-prefix <backend-prefix_str>
            next
        end
        config sub-url-setting
            edit <sub-url-setting_id>
                set HTTP-method {get | post | head | options | trace | connect | delete | put | patch | any}
                set type {plain | regular}
                set url-expression <url-expression_str>
                set verification-mode {disable | api-key-verification | jwks-endpoint | jwt-public-key | jwt-token-secret}
                set api-key-location {HTTP-parameter | HTTP-header}
                set header-field-name <header-field-name_str>
                set parameter-name <parameter-name_str>
                set rate-limit-period <rate-limit-period_int>
                set rate-limit-requests <rate-limit-requests_int>
                set rate-limit-user-period <rate-limit-user-period_int>
                set rate-limit-user-requests <rate-limit-user-requests_int>
                set allow-user-group <allow-user-group_name>
                set api-key-inherit {enable | disable}
                set jwt-token-secret <string>
                set jwt-public-key <string>
                set jwks-endpoint <string>
            next
        end
    next
end

Variable

Description

Default

<api-rules_name>

Type a unique name for the API gateway rule.

No default

verification-mode {disable | api-key-verification | jwks-endpoint | jwt-public-key | jwt-token-secret}

Select the verification method:

  • disable — No API key or JWT verification is performed.

  • api-key-verification — The client includes its API key in an HTTP header or parameter of the request. FortiWeb extracts the key from the request and checks whether it belongs to a valid API user.

  • jwt-token-secret — Used when the issuing system signs tokens using an HMAC algorithm (such as HS256 or HS512). FortiWeb validates the incoming JWT by applying the configured shared secret during signature verification.

  • jwt-public-key — Used when tokens are signed using asymmetric algorithms (such as RS256 or ES256). FortiWeb verifies signatures using a user-provided public key.

  • jwks-endpoint — FortiWeb retrieves signing keys dynamically from an external JWKS (JSON Web Key Set) endpoint. This is commonly used with modern IdPs such as Azure AD, Okta, Ping, or Keycloak.

disable

allow-user-group <allow-user-group_name>

Select a user group that defines which users have permission to access the API.

Available only when verification-mode is api-key-verification.

disable

api-key-location {HTTP-parameter | HTTP-header}

Indicate where FortiWeb can find your API key in HTTP request:

  • HTTP-parameter
  • HTTP-header

HTTP-parameter

header-field-name <header-field-name_str>

Enter the header field name in which FortiWeb can find the API key when api-key-location is HTTP-header.

No default.

parameter-name <parameter-name_str>

Enter the parameter name in which FortiWeb can find the API key when api-key-location is HTTP-parameter.

No default.

rate-limit-period <rate-limit-period_int>

Type the length, in seconds, of the period over which API call requests are counted against rate-limit-requests.

No default.

rate-limit-requests <rate-limit-requests_int>

Type the maximum number of API call requests allowed in a certain number of seconds.

No default.

rate-limit-user-period <rate-limit-user-period_int>

Limit API requests per user.

Type the length, in seconds, of the period over which each user's API call requests are counted against rate-limit-user-requests.

No default.

rate-limit-user-requests <rate-limit-user-requests_int>

Type the maximum number of API call requests allowed per user in a certain number of seconds.

No default.

jwt-token-secret <string>

The shared secret used to verify HMAC-signed JWTs. FortiWeb applies this value to validate token integrity.

Available only when the verification-mode is jwt-token-secret.

No default.

jwt-public-key <string>

A PEM-encoded public key used to verify the JWT signature. Appropriate for RS*, ES*, or PS* algorithms.

Available only when the verification-mode is jwt-public-key.

No default.

jwks-endpoint <string>

URL of the IdP’s JWKS endpoint. FortiWeb periodically retrieves keys from this endpoint to validate token signatures.

Available only when the verification-mode is jwks-endpoint.

No default.
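As an added example, not FortiWeb code, the following Python checks a token the way the jwt-token-secret mode describes: only HMAC algorithms are accepted against the shared secret (a token that claims alg none or an RS*/ES*/PS* algorithm is refused rather than checked with the secret), the signature is compared in constant time, and exp/nbf are enforced. The secret, claims and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# HMAC algorithms that a shared-secret (jwt-token-secret) rule can verify.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(text):
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs_jwt(header, claims, secret):
    """Build an HMAC-signed JWT; used here only to construct sample tokens."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{h}.{c}".encode(), HMAC_ALGS[header["alg"]]).digest()
    return f"{h}.{c}.{b64url_encode(sig)}"


def verify_hs_jwt(token, secret, now=None):
    """Validate a token under jwt-token-secret rules. Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token", None
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in HMAC_ALGS:
        # A shared-secret rule must refuse "none" and the asymmetric families outright
        # instead of trying to verify them with the secret.
        return False, f"alg {alg!r} not allowed for jwt-token-secret", None
    expected = hmac.new(secret.encode(), f"{h_b64}.{c_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    if not isinstance(claims, dict):
        return False, "claims are not a JSON object", None
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired", None
    if "nbf" in claims and now < claims["nbf"]:
        return False, "token not yet valid", None
    return True, "ok", claims
```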

x-ratelimit-headers {enable | disable}

Enable to add X-RateLimit-* headers in the response packet if the user exceeds the rate limit. The following information can be displayed to users: the request limit, the remaining requests, and the minimum time to wait before the user is allowed to send the next request.

disable

action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects any API call violation:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.

alert

block-period <block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects any API call violation. The valid range is 1–10,000 seconds.

Available only if action is set to block-period.

600
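As an added illustration (not FortiWeb code), this Python models how the four rate-limit settings, x-ratelimit-headers, action and block-period interact for one rule: a shared window for all clients, a per-user window, and a client block after a violation. The rule values and the X-RateLimit-Limit/Remaining/Reset header names are assumptions; the reference only says X-RateLimit-*.

```python
import time
from collections import deque

# Rule values constructed for this example (not FortiWeb defaults).
RULE = {
    "rate-limit-period": 10,        # window in seconds, shared by all clients
    "rate-limit-requests": 5,
    "rate-limit-user-period": 10,   # window in seconds, per API user
    "rate-limit-user-requests": 3,
    "x-ratelimit-headers": "enable",
    "action": "block-period",
    "block-period": 600,
}


class ApiRateLimiter:
    """Sliding-window model of rate-limit-*, x-ratelimit-headers, action and block-period."""

    def __init__(self, rule):
        self.rule = rule
        self.all_hits = deque()     # timestamps of accepted requests from every client
        self.user_hits = {}         # api_user -> deque of that user's accepted timestamps
        self.blocked_until = {}     # client_ip -> time at which its block-period ends

    @staticmethod
    def _prune(hits, period, now):
        # Drop timestamps that have slid out of the window.
        while hits and hits[0] <= now - period:
            hits.popleft()

    def _headers(self, used, wait):
        # Header names are assumed; the reference only says "X-RateLimit-* headers".
        if self.rule["x-ratelimit-headers"] != "enable":
            return {}
        limit = self.rule["rate-limit-user-requests"]
        return {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(max(0, limit - used)),
            "X-RateLimit-Reset": str(max(0, int(wait))),  # seconds before the next request is allowed
        }

    def check(self, client_ip, api_user, now=None):
        """Evaluate one request; returns (verdict, headers, log) with verdict 'accept' or 'deny'."""
        now = time.time() if now is None else now
        r = self.rule
        if self.blocked_until.get(client_ip, 0) > now:
            # Still inside an earlier block-period: deny without re-evaluating the windows.
            wait = self.blocked_until[client_ip] - now
            return "deny", self._headers(r["rate-limit-user-requests"], wait), None
        self._prune(self.all_hits, r["rate-limit-period"], now)
        user = self.user_hits.setdefault(api_user, deque())
        self._prune(user, r["rate-limit-user-period"], now)

        if len(user) >= r["rate-limit-user-requests"]:
            violation, wait = "per-user limit", user[0] + r["rate-limit-user-period"] - now
        elif len(self.all_hits) >= r["rate-limit-requests"]:
            violation, wait = "global limit", self.all_hits[0] + r["rate-limit-period"] - now
        else:
            self.all_hits.append(now)
            user.append(now)
            full = len(user) >= r["rate-limit-user-requests"]
            wait = user[0] + r["rate-limit-user-period"] - now if full else 0
            return "accept", self._headers(len(user), wait), None

        log = None if r["action"] == "deny_no_log" else f"API call violation ({violation}) ip={client_ip} user={api_user}"
        if r["action"] == "alert":
            return "accept", self._headers(len(user), wait), log   # logged, but let through
        if r["action"] == "block-period":
            self.blocked_until[client_ip] = now + r["block-period"]
            wait = r["block-period"]
        return "deny", self._headers(len(user), wait), log
```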

severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs any API call violation:

  • Informative
  • Low
  • Medium
  • High

Low

trigger-policy <trigger-policy_str>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about any API call violation. For details, see "Viewing log messages".

No default.

host <host_str>

Select the name of a protected host that the Host: field of an HTTP request must be in to match the API gateway rule.

Available only if host-status is enable.

No default.

host-status {enable | disable}

Enable to apply this rule only to HTTP requests for specific web hosts. Also configure host <host_str>.

disable

config attach-HTTP-header

<attach-HTTP-header_id>

Enter the sequence number of the HTTP header.

No default.

HTTP-header-item <HTTP-header-item_str>

Enter the HTTP header item.

No default.

config match-url-prefixes

<match-url-prefixes_id>

The sequence number of the match URL prefixes.

No default.

frontend-prefix <frontend-prefix_str>

Enter the Frontend Prefix. The frontend prefix is the URL path in a client call, for example /fortiweb/, as in https://172.22.14.244/fortiweb/example.json?param=value.

No default.

backend-prefix <backend-prefix_str>

Enter the Backend Prefix. The backend prefix is the path that replaces the frontend prefix in the client request, for example /api/v1.0/System/Status/.

After URL rewriting, the URL becomes https://10.200.3.183:90/api/v1.0/System/Status/example.json?param=value.

No default.

config sub-url-setting

<sub-url-setting_id>

Enter the sequence number of the sub-URL.

No default.

HTTP-method {get | post | head | options | trace | connect | delete | put | patch | any}

Select the HTTP method that a request must use to match this sub-URL setting.

GET

type {plain | regular}

Select whether the url-expression <url-expression_str> field must contain either:

  • plain—The field is a string that the request URL must match exactly.
  • regular—The field is a regular expression that defines a set of matching URLs.

plain

url-expression <url-expression_str>

Depending on your selection in type {plain | regular}, enter either:

  • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
  • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.cfm.

No default.
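An added Python model (not FortiWeb's implementation) of how a request is matched against sub-url-setting entries by HTTP-method and url-expression (plain versus regular), where the API key is read from for the matched entry, and how match-url-prefixes replaces the frontend prefix with the backend prefix using the URLs from the example above. The rule entries, the X-API-Key and api_key names, and the backend origin passed in are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed rule fragments modelled on config match-url-prefixes and config sub-url-setting.
MATCH_URL_PREFIXES = [
    {"frontend-prefix": "/fortiweb/", "backend-prefix": "/api/v1.0/System/Status/"},
]
SUB_URL_SETTINGS = [
    {"HTTP-method": "get", "type": "plain", "url-expression": "/fortiweb/example.json",
     "verification-mode": "api-key-verification", "api-key-location": "HTTP-header",
     "header-field-name": "X-API-Key"},
    {"HTTP-method": "any", "type": "regular", "url-expression": r"^/fortiweb/.*\.json$",
     "verification-mode": "api-key-verification", "api-key-location": "HTTP-parameter",
     "parameter-name": "api_key"},
]


def match_sub_url(settings, method, url):
    """Return the first sub-url-setting whose HTTP-method and url-expression match, else None."""
    path = urlsplit(url).path          # the query string is not part of the URL match
    for s in settings:
        if s["HTTP-method"] != "any" and s["HTTP-method"] != method.lower():
            continue
        if s["type"] == "plain":
            if path == s["url-expression"]:   # plain: exact match of the path
                return s
        elif re.search(s["url-expression"], path):  # regular: regex over the path
            return s
    return None


def extract_api_key(setting, headers, url):
    """Read the API key from the header or parameter the matched setting names, or None."""
    if setting["api-key-location"] == "HTTP-header":
        wanted = setting["header-field-name"].lower()   # header names are case-insensitive
        for name, value in headers.items():
            if name.lower() == wanted:
                return value
        return None
    values = parse_qs(urlsplit(url).query).get(setting["parameter-name"])
    return values[0] if values else None


def rewrite_backend_url(prefixes, url, backend_origin):
    """Swap frontend-prefix for backend-prefix; backend_origin stands in for the backend server."""
    parts = urlsplit(url)
    for p in prefixes:
        if parts.path.startswith(p["frontend-prefix"]):
            new_path = p["backend-prefix"] + parts.path[len(p["frontend-prefix"]):]
            origin = urlsplit(backend_origin)
            return urlunsplit((origin.scheme, origin.netloc, new_path, parts.query, ""))
    return url   # no prefix matched: forward the path unchanged
```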

verification-mode {disable | api-key-verification | jwks-endpoint | jwt-public-key | jwt-token-secret}

Select the verification method for this sub-URL:

  • disable — No API key or JWT verification is performed.

  • api-key-verification — The client includes its API key in an HTTP header or parameter of the request. FortiWeb extracts the key from the request and checks whether it belongs to a valid API user.

  • jwt-token-secret — Used when the issuing system signs tokens using an HMAC algorithm (such as HS256 or HS512). FortiWeb validates the incoming JWT by applying the configured shared secret during signature verification.

  • jwt-public-key — Used when tokens are signed using asymmetric algorithms (such as RS256 or ES256). FortiWeb verifies signatures using a user-provided public key.

  • jwks-endpoint — FortiWeb retrieves signing keys dynamically from an external JWKS (JSON Web Key Set) endpoint. This is commonly used with modern IdPs such as Azure AD, Okta, Ping, or Keycloak.

disable

api-key-location {HTTP-parameter | HTTP-header}

Indicate where FortiWeb can find your API key in HTTP request:

  • HTTP-parameter
  • HTTP-header

Available only when verification-mode is api-key-verification.

HTTP-parameter

header-field-name <header-field-name_str>

Enter the header field name in which FortiWeb can find the API key when api-key-location is HTTP-header.

No default.

parameter-name <parameter-name_str>

Enter the parameter name in which FortiWeb can find the API key when api-key-location is HTTP-parameter.

No default.

rate-limit-period <rate-limit-period_int>

Type the length, in seconds, of the period over which API call requests to this sub-URL are counted against rate-limit-requests.

No default.

rate-limit-requests <rate-limit-requests_int>

Type the maximum number of API call requests allowed in a certain number of seconds.

No default.

rate-limit-user-period <rate-limit-user-period_int>

Limit API requests per user.

Type the length, in seconds, of the period over which each user's API call requests to this sub-URL are counted against rate-limit-user-requests.

No default.

rate-limit-user-requests <rate-limit-user-requests_int>

Type the maximum number of API call requests allowed per user in a certain number of seconds.

No default.

allow-user-group <allow-user-group_name>

Select a user group that defines which users have permission to access the API.

Available only when verification-mode is api-key-verification.

No default.

api-key-inherit {enable | disable}

When a user makes an API request, the API key is included in an HTTP header or parameter of the sub-URL request, and FortiWeb obtains the API key from that request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.

disable

jwt-token-secret <string>

The shared secret used to verify HMAC-signed JWTs. FortiWeb applies this value to validate token integrity.

Available only when the verification-mode is jwt-token-secret.

No default.

jwt-public-key <string>

A PEM-encoded public key used to verify the JWT signature. Appropriate for RS*, ES*, or PS* algorithms.

Available only when the verification-mode is jwt-public-key.

No default.

jwks-endpoint <string>

URL of the IdP’s JWKS endpoint. FortiWeb periodically retrieves keys from this endpoint to validate token signatures.

Available only when the verification-mode is jwks-endpoint.

No default.
