You can create whitelists and blacklists for the endpoints of the IBM MobileFirst™ Platform Server.

| API URL under <runtime context root>/api/ | Description | Suggested for whitelist? |
|---|---|---|
| /adapterdoc/* | Return the adapter's Swagger documentation for the named adapter | No. Used only internally by the administrator and the developers |
| /adapters/* | Adapters serving | Yes |
| /az/v1/authorization/* | Authorize the client to access a specific scope | Yes |
| /az/v1/introspection | Introspect the client's access token | No. This API is for confidential clients only. |
| /az/v1/token | Generate an access token for the client | Yes |
| /clientLogProfile/* | Get client log profile | Yes |
| /directupdate/* | Get Direct Update .zip file | Yes, if you plan to use Direct Update |
| /loguploader | Upload client logs to server | Yes |
| /preauth/v1/heartbeat | Accept heartbeat from the client and note the last activity time | Yes |
| /preauth/v1/logout | Log out from a security check | Yes |
| /preauth/v1/preauthorize | Map and execute security checks for a specific scope | Yes |
| /reach | The server is reachable | No, for internal use only |
| /registration/v1/clients/* | Registration-service clients API | No. This API is for confidential clients only. |
| /registration/v1/self/* | Registration-service client self-registration API | Yes |

| API URL under <admin context root> | Description | Suggested for whitelist? |
|---|---|---|
| /management-apis/2.0/* | All the REST APIs of MobileFirst administration service. | Yes, if the client accessing the API is not behind the firewall where the MobileFirst Server is running. No, if the client that accesses the API and the MobileFirst Server are both running behind the firewall. |
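
The runtime table above can be enforced as a default-deny path check in front of the server. The following is an added example, not IBM code: the `/mfp` context root, the `is_allowed` function and its `direct_update` switch are assumptions for illustration. It leaves the administration context root denied.

```python
from urllib.parse import unquote

# Assumption: the runtime context root is /mfp; set this to your deployment's value.
RUNTIME_API = "/mfp/api"

# Rows marked "Yes" in the runtime table. "/*" rows become prefix rules,
# the remaining rows must match exactly.
ALLOW_PREFIX = (
    "/adapters/",
    "/az/v1/authorization/",
    "/clientLogProfile/",
    "/registration/v1/self/",
)
ALLOW_EXACT = (
    "/az/v1/token",
    "/loguploader",
    "/preauth/v1/heartbeat",
    "/preauth/v1/logout",
    "/preauth/v1/preauthorize",
)
DIRECT_UPDATE_PREFIX = "/directupdate/"  # "Yes, if you plan to use Direct Update"


def is_allowed(raw_path, direct_update=False):
    """Return True only if the request path matches a whitelisted endpoint."""
    decoded = unquote(raw_path.split("?", 1)[0])  # drop query, decode once
    # Refuse anything the proxy and the server might normalize differently:
    # leftover encoding, backslashes, NULs, ';' path parameters,
    # duplicate slashes and dot segments.
    if any(c in decoded for c in ("%", "\\", "\x00", ";", "//")):
        return False
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    if not decoded.startswith(RUNTIME_API + "/"):
        return False  # includes the admin context root: denied here
    rest = decoded[len(RUNTIME_API):]
    if rest in ALLOW_EXACT:
        return True
    prefixes = ALLOW_PREFIX + ((DIRECT_UPDATE_PREFIX,) if direct_update else ())
    return rest.startswith(prefixes)
```

The check is deliberately conservative: a legitimate path containing a literal `%` or `;` after decoding is refused rather than normalized.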