API Version 2.1

Developer Documentation

Build upon Securiawall's enterprise perimeter. Manage zones as a reseller, push custom WAF rules via CI/CD, fetch analytics for customized dashboards, or connect directly via BGP GRE Tunnels.

Introduction

The Securiawall API empowers you to manage your security posture programmatically. Integrate infrastructure management directly into your own applications without ever logging into our panel.

Global Endpoint
All API requests must be transmitted securely over HTTPS to https://api.securiawall.com/v1

Authentication & Rate Limits

Securiawall utilizes OAuth 2.0 and API Tokens for request authentication. You can generate granular-scoped API tokens from the Developer Settings in your master dashboard.

Bearer Token Auth

Authenticate by providing your generated API Token in the Authorization header. Never expose this key in client-side applications.

Requests without valid authentication will return 401 Unauthorized.
Standard Header
bash
Authorization: Bearer sk_live_8F...

Rate Limiting

To ensure platform stability, the API restricts the number of requests per account. Standard accounts are permitted 1200 requests per 5 minutes. If you exceed this, you will receive a 429 Too Many Requests response. Enterprise customers have dedicated rate allocations.
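
A client can stay under the documented quota by pacing itself and treating 429 as a signal to back off. The following is an added example, not Securiawall's own code; the class and function names, the injected `send` callable and the backoff delays are assumptions.

```python
import time
from collections import deque

class SlidingWindowLimiter:
    """Client-side pacing for the documented quota (1200 requests / 5 minutes)."""

    def __init__(self, max_requests=1200, window_s=300.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window_s = window_s
        self.clock = clock
        self.sent = deque()  # send times still inside the window

    def wait_time(self):
        """Seconds until the next request fits in the window (0.0 if it fits now)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window_s:
            self.sent.popleft()
        if len(self.sent) < self.max_requests:
            return 0.0
        return self.window_s - (now - self.sent[0])

    def record(self):
        self.sent.append(self.clock())


def call_with_backoff(send, limiter, sleep=time.sleep, max_attempts=5, base_delay=1.0):
    """Call send() -> (status, body), pacing locally and backing off on 429."""
    for attempt in range(max_attempts):
        delay = limiter.wait_time()
        if delay > 0:
            sleep(delay)
        limiter.record()  # a 429 response still counts as a sent request here
        status, body = send()
        if status != 429:
            return status, body
        # Exponential backoff: 1 s, 2 s, 4 s, ... (delays are an assumption).
        sleep(base_delay * 2 ** attempt)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```

Share one limiter instance across all workers that use the same account, since the quota is per account rather than per process.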

B2B & PARTNERS

Reseller API (Zone Provisioning)

Hosting providers and agencies can programmatically provision domains, inject DNS records, and configure baseline security layers for their own customers silently in the background.

Complete Zone Creation

Create a domain, turn on the WAF, and set the DNS record all in a single API call.

POST /zones/provision_full
cURL Example
bash
curl -X POST "https://api.securiawall.com/v1/zones/provision_full" \
     -H "Authorization: Bearer YOUR_API_KEY" \
     -H "Content-Type: application/json" \
     --data '{
       "name": "client-site.com",
       "settings": {
         "waf": "on",
         "security_level": "high",
         "ssl": "strict"
       },
       "dns_records": [
         {
           "type": "A",
           "name": "@",
           "content": "104.22.45.1",
           "proxied": true
         }
       ]
     }'

DASHBOARD INTEGRATION

Fetching Panel Analytics

Provide immense value to your own end-users by embedding Securiawall's attack statistics directly into your own custom billing panel or software (like WHMCS).

Query Traffic Metrics

Retrieve time-series data for passed vs. dropped traffic for graphing (e.g. for Chart.js or ECharts).

GET /zones/{zone_id}/analytics/timeseries
Node.js Example (Fetch)
javascript
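// Fetch the last 24 hours of time-series traffic data for one zone.
// Run this server-side only, so the API token never reaches a browser.
async function fetchTrafficData(zoneId, apiKey) {
  // Encode the zone ID so it cannot alter the request path.
  const url = `https://api.securiawall.com/v1/zones/${encodeURIComponent(zoneId)}/analytics/timeseries?range=24h`;

  const response = await fetch(url, {
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Accept': 'application/json'
    }
  });

  if (!response.ok) throw new Error(`Failed to fetch analytics: HTTP ${response.status}`);

  const payload = await response.json();

  // payload.data -> { timestamps: [...], clean_traffic_bps: [...], dropped_traffic_bps: [...], total_threats_blocked }
  return payload.data;
}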

Expected JSON Response

json
{
  "success": true,
  "data": {
    "timestamps": ["2026-04-05T08:00:00Z", "2026-04-05T08:05:00Z"],
    "clean_traffic_bps": [450000000, 480000000],
    "dropped_traffic_bps": [0, 12500000000],
    "total_threats_blocked": 45
  }
}

Query Threat Logs (WAF & DDoS)

Fetch a list of recent L7 attacks, including attacking IPs, countries, and rule triggers.

GET /zones/{zone_id}/security/events
Python Example (Requests)
python
import requests

def get_threat_logs(zone_id, token):
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/json"
    }

    # Fetch the last 50 attack events
    params = {"limit": 50, "eventType": "ddos,waf"}

    url = f"https://api.securiawall.com/v1/zones/{zone_id}/security/events"
    # Set a timeout so a stalled connection cannot hang the caller.
    res = requests.get(url, headers=headers, params=params, timeout=10)

    # Raise on 401, 429 and other error statuses instead of parsing an error body.
    res.raise_for_status()
    return res.json()

EDGE LOGIC

Custom WAF Rules Engine

Corporate firms can enforce their own custom firewall logic directly at the Securiawall Edge. Deploy tailored rules via CI/CD to block specific ASNs, force Captchas on suspicious User-Agents, or rate limit specific URIs.

Deploy a Firewall Rule

This snippet demonstrates creating a rule that forces a Managed Challenge (Captcha) for any traffic coming from two specific ASNs targeting the /login path.

POST /zones/{zone_id}/firewall/rules
JSON Request Body
json
{
  "action": "challenge",
  "description": "Force challenge for suspicious Datacenter ASNs on login path",
  "filter": {
    "expression": "(ip.asn in {12345 54321}) and (http.request.uri.path contains \"/login\")"
  },
  "priority": 10
}
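
When rules are templated in a CI/CD pipeline, the expression string is the part to guard: build it from validated values and let a JSON serializer handle the quoting. The following is an added example, not Securiawall's own code; the function name and the path allow-list are assumptions, while the expression syntax and field names are taken from the request body above.

```python
import json
import re

# Assumption: a conservative allow-list for the path literal. Quotes,
# backslashes, parentheses and whitespace can never reach the expression.
SAFE_PATH = re.compile(r"/[A-Za-z0-9_\-./]*")

def build_asn_challenge_rule(asns, path, description, priority=10):
    """Return the JSON body for POST /zones/{zone_id}/firewall/rules."""
    clean_asns = []
    for asn in asns:
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(asn, bool) or not isinstance(asn, int):
            raise ValueError(f"ASN must be an integer: {asn!r}")
        if not 1 <= asn <= 4294967295:  # 32-bit ASN space
            raise ValueError(f"ASN out of range: {asn}")
        clean_asns.append(asn)
    if not clean_asns:
        raise ValueError("at least one ASN is required")
    if not SAFE_PATH.fullmatch(path):
        raise ValueError(f"path has characters outside the allow-list: {path!r}")

    asn_set = " ".join(str(a) for a in sorted(set(clean_asns)))
    expression = (
        f"(ip.asn in {{{asn_set}}}) and "
        f'(http.request.uri.path contains "{path}")'
    )
    rule = {
        "action": "challenge",
        "description": description,
        "filter": {"expression": expression},
        "priority": priority,
    }
    # json.dumps escapes the inner double quotes, so the body stays valid JSON.
    return json.dumps(rule, indent=2)
```

A path such as `/login") or (...` is rejected before it can change the meaning of the deployed rule.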
INFRASTRUCTURE & NETWORK

Configuring GRE Tunnels

For Enterprise BGP protection or direct volumetric network scrubbing, Securiawall establishes a GRE (Generic Routing Encapsulation) tunnel between our scrubbing centers and your edge router. Traffic is cleaned at our edge, and only safe traffic is tunneled directly to your AS.

Prerequisites
You must be assigned a Tunnel IP /31 range and a Securiawall Scrubbing Center Public IP from your technical account manager before proceeding.

1. Linux (iproute2)

If your edge termination point is a Linux server running FRR or Quagga, configure the GRE interface using standard ip commands.

Linux Tunnel Setup (Example)
bash
# Variables Provided by Securiawall
LOCAL_SRC_IP="198.51.100.10"       # Your Router's Public IP
REMOTE_SRC_IP="203.0.113.5"        # Securiawall's Edge IP
TUNNEL_LOCAL_IP="10.254.0.2"       # Your /31 assigned IP
TUNNEL_REMOTE_IP="10.254.0.1"      # Securiawall's /31 assigned IP

# 1. Create the GRE Tunnel interface 'securiawall-gre'
ip tunnel add securiawall-gre mode gre local $LOCAL_SRC_IP remote $REMOTE_SRC_IP ttl 255

# 2. Assign the internal /31 IP addresses
ip addr add $TUNNEL_LOCAL_IP/31 dev securiawall-gre

# 3. Bring the link up
ip link set securiawall-gre up

# 4. Route traffic returning to the internet back through the tunnel
ip route add default via $TUNNEL_REMOTE_IP table 100
ip rule add from $TUNNEL_LOCAL_IP table 100

2. MikroTik RouterOS

Configure the GRE interface on a MikroTik CCR or standard RouterOS device as follows.

MikroTik RouterOS
routeros
/interface gre
add local-address=198.51.100.10 name=securiawall-gre remote-address=203.0.113.5

/ip address
add address=10.254.0.2/31 interface=securiawall-gre network=10.254.0.1

# Ensure BGP configuration routes traffic symmetrically if requested.

Handling MTU & TCP MSS

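GRE adds a 24-byte overhead, which on a standard 1500-byte path lowers the tunnel MTU to 1476 bytes. To prevent packet fragmentation or dropped SSH/HTTPS connections, you must clamp the TCP MSS (Maximum Segment Size) to 1436, which is 1476 minus 40 bytes of IPv4 and TCP headers.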

Linux iptables TCP MSS Clamping
bash
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
  -o securiawall-gre -j TCPMSS --set-mss 1436

BIG DATA

Enterprise Alerting & SIEM Integration

Instead of constantly polling the API, register an endpoint to have Securiawall actively push logs and alerts to your Security Operations Center (SOC).

Log Streaming API (Datadog/S3/ELK)

Enterprise customers can create a Logpush job to stream HTTP/WAF event logs directly to an AWS S3 Bucket or a Datadog intake URL in real-time.

POST /zones/{zone_id}/logpush/jobs
Push Logs to AWS S3
json
{
  "destination_conf": "s3://securiawall-logs-bucket?region=eu-central-1",
  "logpull_options": "fields=ClientIP,EdgeResponseStatus,WafAction",
  "dataset": "http_requests",
  "enabled": true
}

Attack Webhooks

Receive immediate POST payloads when a volumetric Layer 4 anomaly is detected and mitigated.

Example POST Payload (attack.started)
json
{
  "event_id": "evt_9x8f0a8sbv",
  "type": "attack.started",
  "created_at": "2026-04-05T08:14:32Z",
  "data": {
    "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
    "vector": "UDP_AMPLIFICATION_DNS",
    "peak_bandwidth_bps": 41200000000,
    "peak_packets_ps": 8500000,
    "mitigation_status": "ACTIVE_SCRUBBING"
  }
}
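
A receiver for the attack.started payload should treat the body as untrusted input. This added example (not Securiawall code) checks structure, zone ownership, freshness and duplicate event_id values; the size limit, the 10-minute window and the in-memory set are assumptions, and the page describes no signature scheme, so none is checked here.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_BODY_BYTES = 16 * 1024        # assumption: attack payloads are small
MAX_AGE = timedelta(minutes=10)   # assumption: reject stale deliveries
REQUIRED_DATA = {"zone_id": str, "vector": str, "peak_bandwidth_bps": int,
                 "peak_packets_ps": int, "mitigation_status": str}

class WebhookRejected(ValueError):
    pass

def parse_attack_event(raw, known_zones, seen_event_ids, now=None):
    """Validate one webhook body; return the event dict or raise WebhookRejected."""
    now = now or datetime.now(timezone.utc)
    if len(raw) > MAX_BODY_BYTES:
        raise WebhookRejected("body too large")
    try:
        event = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        raise WebhookRejected("not valid JSON") from exc
    if not isinstance(event, dict) or event.get("type") != "attack.started":
        raise WebhookRejected("unexpected event type")
    event_id, data = event.get("event_id"), event.get("data")
    if not isinstance(event_id, str) or not isinstance(data, dict):
        raise WebhookRejected("missing event_id or data")
    for field, kind in REQUIRED_DATA.items():
        value = data.get(field)
        if isinstance(value, bool) or not isinstance(value, kind):
            raise WebhookRejected(f"bad field: {field}")
    if data["zone_id"] not in known_zones:
        raise WebhookRejected("zone is not one of ours")
    try:
        stamp = str(event.get("created_at")).replace("Z", "+00:00")
        created = datetime.fromisoformat(stamp)
    except ValueError as exc:
        raise WebhookRejected("bad created_at") from exc
    if created.tzinfo is None or abs(now - created) > MAX_AGE:
        raise WebhookRejected("stale or future-dated event")
    if event_id in seen_event_ids:  # replayed or re-delivered event
        raise WebhookRejected("duplicate event_id")
    seen_event_ids.add(event_id)
    return event
```

In production the set of seen IDs would live in a shared store with expiry, so that duplicates are caught across receiver instances.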