Applications API
The Applications API allows you to manage application definitions and URL filtering rules that control how Shield processes traffic.
Overview
Applications in Shield define:
- Which URLs or domains Shield should scan
- Content types to process (JSON, HTML, XML, etc.)
- HTTP methods to intercept (GET, POST, PUT, etc.)
- Whether to run content type detection
- Whitelist or blacklist behavior
Applications are referenced by Rules to apply detection and obfuscation policies.
Authentication
Requires API Key with:
- Read access: GET operations (all keys)
- Policy Definition permission: POST, PUT, PATCH, DELETE operations
Available Endpoints
The Applications API provides the following endpoints:
Core Operations
- POST /api/apps - Create a new application
- GET /api/apps - List all applications with pagination
- GET /api/apps/:id - Get a specific application by ID
- PUT /api/apps/:id - Update an entire application
- PATCH /api/apps/:id - Partially update an application
- DELETE /api/apps/:id - Delete an application (soft delete)
Supporting Endpoints
- GET /api/appsdeleted - Get all applications including soft-deleted ones
- GET /api/contenttypes - Get list of supported content types
- GET /api/filtertypes - Get available filter type options
Key Concepts
URL Filters
Each application contains one or more URL filters that define which traffic to process:
| Filter Type | Description | Example |
|---|---|---|
| Domain | Match top-level domain | example.com (matches *.example.com) |
| Hostname | Match specific hostname | api.example.com |
| Path | Match URL path | /api/users |
| Regex | Regular expression | ^https://api\..*\.com/v[0-9]+/.*$ |
Whitelist vs Blacklist
- Whitelist (
isWhitelist: true) - Scan only these URLs - Blacklist (
isWhitelist: false) - Scan all traffic except these URLs
Content Type Detection
When runContentTypeDetection is enabled, Shield attempts to identify the content type from the response body if the Content-Type header is missing or incorrect.
Common Use Cases
API Traffic Scanning
Define applications for your API endpoints to ensure sensitive data detection:
{
"name": "Payment APIs",
"urlFilters": [{
"filterType": 1,
"filter": "payment.api.company.com",
"contentType": ["application/json"],
"methods": ["POST", "PUT"]
}]
}
Domain-Wide Scanning
Scan all traffic for a specific domain:
{
"name": "Internal Apps",
"urlFilters": [{
"filterType": 0,
"filter": "company.com",
"isWhitelist": false
}]
}
Excluding Internal Traffic
Create a blacklist to exclude internal testing endpoints:
{
"name": "Exclude Dev Environments",
"urlFilters": [{
"filterType": 1,
"filter": "dev.internal.com",
"isWhitelist": true
}]
}
Best Practices
- Use descriptive names - Name apps by purpose, not technology (e.g., "HR Systems" not "Workday API")
- Group similar URLs - Combine related endpoints into one app (e.g., all payment APIs)
- Be specific with filters - Use hostname filters over domain filters when possible
- Test regex carefully - Invalid regex will cause application to fail matching
- Document filters - Use the
commentfield to explain complex filters
Related Topics
- Create an Application - Learn how to create a new application
- List Applications - Query and filter existing applications
- Filter Types Reference - Detailed filter type documentation
- Rules API - Create rules that reference these applications
- Activities API - Query activity by application ID