Session identifiers
While not strictly required, it is recommended that you configure your session identifiers when getting started with API Shield. When Cloudflare inspects your API traffic for individual sessions, we can offer more tools for visibility, management, and control.
If you are unsure of the session identifiers that your API uses, consult with your development team.
Session identifiers should uniquely identify API clients. A common session identifier for API traffic is the Authorization header. When a JSON Web Token (JWT) is used by the API for client authentication, its value may change over time. You can use a claim value inside the JWT such as sub or email as a session ID to uniquely identify the session over time.
If your API uses the Authorization header on more than 1% of successful requests to your zone, Cloudflare will automatically set it as the API Shield session identifier.
- 
Log in to the Cloudflare dashboard ↗, and select your account and domain. 
- 
Go to Security > API Shield. 
- 
Select Settings. 
- 
On Endpoint settings, select Manage identifiers. 
- 
Choose the type of session identifier (cookie, HTTP header, or JWT claim). 
- 
Enter the name of the session identifier. 
- 
Select Save. 
- 
Log in to the Cloudflare dashboard ↗, and select your account and domain. 
- 
Go to Security > Settings 
- 
Filter by API abuse. 
- 
On Session identifiers, select Configure session identifiers. 
- 
Select Manage identifiers. 
- 
Choose the type of session identifier (cookie, HTTP header, or JWT claim). 
- 
Enter the name of the session identifier. 
- 
Select Save. 
After setting up session identifiers and allowing some time for Cloudflare to learn your traffic patterns, you can view your per endpoint and per session rate limiting recommendations, as well as enforce per endpoint and per session rate limits by creating new rules. Session identifiers will allow you to view API Discovery results from session ID-based discovery and session traffic patterns in Sequence Analytics.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark