Skip to main content
AndyPetersonCFUGMgr
AndyPetersonCFUGMgr
Participating Frequently
January 23, 2026
Question

Restricting API usage with the API Manager

  • January 23, 2026
  • 1 reply
  • 118 views

Hello. Let's say that I have an API running at https://api.mysite.com/rest/api/customerID/12345 which is available to anyone with the link. Joe User can go to that site right now and pull that payload, but now, I want to lock it down through the API Manager. 

 

I have everything set up in the API Manager (Server discovery, REST API import, REST Playground Config, Publisher/Subscriber setup,  Authentication (using apiKey), SLA Creation, Rate Limiting, and so on, in order to manage these requests. Everything looks good.

 

I think my question is simple: What's to stop Joe User, or even Joe Subscriber, from circumventing the apikey requirement and hammer away at my api with impunity? Does one pass through the API Key with each request, or how does it work? How do I prevent casual usage of visitors continuing to hit my API by just going to https://api.mysite.com/rest/api/customerID/12345? Brian Sappey's webinar series has made API creation and management a breeze, but I'm stuck on this point.

 

Thank you in advance for your assistance!

    1 reply

    BKBK
    Community Expert
    BKBKCommunity Expert
    Community Expert
    January 25, 2026

     

    I think my question is simple: What's to stop Joe User, or even Joe Subscriber, from circumventing the apikey requirement and hammer away at my api with impunity?


    By @AndyPetersonCFUGMgr


    That is an important question. It is at the core of API architecture and security.

     

    In short, the answer is: nothing will stop Joe User, or even Joe Subscriber, from circumventing the API Key requirement and hammering away at your API. That is because the API Manager does not magically protect an endpoint that is still publicly reachable. The API Manager is a gatekeeper, but a gatekeeper only makes sense if you lock the back door.

    The solution? Separation-of-concerns (SoC). 

     

    By SoC I mean, use 2 separate layers:

    • an API Gateway (with public access), and
    • an API Backend (with private access restricted to the Gateway).

    BKBK_0-1769366923581.png

    This is a so-called Proxy Architecture. It entails moving, hiding, or blocking direct access to the original API endpoints.

     

    Ensure that the Gateway (that is, the API Manager):

    • has a URI distinct from that of the Backend. For example, 
      https://gateway.mysite.com/rest/api/v1/customers/12345
    • is the only public entry point.
    • authenticates the user and sets up everything required for the API request
      (by requiring an API Key - usually the x-api-key header, inspecting the key, checking the SLA, tracking rate limits, and so on).
    • rejects a request with no key or with an invalid key.
    • acts as a proxy for every authenticated user (passing the request through to the Backend, on behalf of the user, and receiving the response).

     

    The Backend:

    • is where your API code actually lives.
    • has a URI distinct from that of the Gateway. This is the "back door". For example,
      https://api.mysite.com/rest/api/v1/customers/12345​
    • only accepts and processes requests received exclusively from the Gateway.

     

    Some caveats, the sources of common mistakes. Note that the Gateway / API Manager does not have responsibility for:

    • rewriting any DNS automatically.
    • blocking direct access to the Backend.
    • injecting authentication information into a publicly accessible endpoint at the Backend.

     

    To prevent Joe User from circumventing the API Manager, you must ensure that your Backend server only accepts requests coming from the API Manager. There are three common ways to do this:

    1.  IP Whitelisting (using a Firewall).
      Configure your web server (IIS, Apache, or Nginx) or your Cloud Firewall to reject any traffic to api.mysite.com unless it originates from the IP address of the Gateway.
    2.  Shared Secret Header (using a hidden key).
      Configure the API Manager to inject a "secret" header into every request it passes to the Backend (for examplr, X-Internal-Secret: some-long-GUID). Then, in your ColdFusion code (or via a servlet filter), check for the existence of that header.
    3.  Private Networking (the Virtual Private Cloud - or VPC - method).
      In a cloud environment, place your API Backend in a Private Subnet with no public IP address. The API Manager sits in a Public Subnet. The only way to reach the Backend is through the API Manager over the internal network.
      Charlie Arehart
      Community Expert
      Charlie ArehartCommunity Expert
      Community Expert
      January 25, 2026

      If this answer was from anyone else I'd wonder if it was Ai-generated.  🙂 So in Andy's situation, it seems his cf app is the "backend" in your scenario with the api manager as the "gateway". As such, it would indeed seem that the api manager would have responsibility for the "separated concern" he's raised.

       

      Your elaboration seems to mostly focus on a design ensuring that the backend can't be accessed directly but only via the gateway, and fair enough.  But he didn't say it was being circumvented.

      Instead he seemed to indicate that the api manager was NOT doing the rate limiting/throttling despite his having configured it.

       

      So Andy, first, are you saying it was failing to do that job, from some testing? Of what sort? And the requests WERE going through ONLY the gateway? And you'd configured it as discussed starting here in the docs? And there was nothing in the api manager logs reflecting a problem with that configuration? 

       

      If it's failing to do the job, I'd think you'd want to reach out to Adobe support (cfsup@adobe.com), as they may not answer here. Same with Brian: I'd think he'd be very interested in the question. I'm pretty sure he usually offers his email in the resources where he presents/writes. Had you found that, and had you tried to reach him? 

       

      I've not worked with the api manager for quite some time so didn't want to offer an answer when I saw your question initially. I hoped others would indeed chime in. Given this one answer, though, I felt it may help to share at least another perspective. BKBK will sort me out if I've erred, or anyone can of course. 

      /Charlie (troubleshooter, carehart. org)
        BKBK
        Community Expert
        BKBKCommunity Expert
        Community Expert
        January 26, 2026
        quote

        If this answer was from anyone else I'd wonder if it was Ai-generated.  🙂


        By @Charlie Arehart

        I think I have a sense of humour, and can laugh at myself and let my hair down. Well, not literally, as I am bald. 

        But I find your joke more disrespectful than funny, as this is the umpteenth time that you have alluded to my post being generated by AI.

        Terms & ConditionsAccessibility statement
        Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices