Set origin success and failure conditions

To capture data on successful and unsuccessful attempts to use the resource, you must define the traits of each when you set up an operation. You can set up success and failure reporting for every operation type except Search and Add to cart. For multistep operations, you can also set up a multistep group success condition and a step success condition. You must define it for at least one operation in the group.

  1. On the API Definitions page, in the Registered APIs section, find the API definition in which you want to create an operation and click its ... Action menu.

  2. From the menu, select Manage versions.

  3. In the Version history panel, select the version you want to edit.

  4. From the list of delivery options on the left, select API Operations.

  5. On the API Operations page, click + to add a new operation.

  6. Enter your operation data. For details, see set up an operation.

  7. In the Origin Response section, click Add to create your conditions in the Success condition and/or Failure condition sections.

    1. In Response Code, select matches or does not match, and enter the code you want to track, like 401.
      You can enter multiple codes.
    2. In Response Header, enter the header name, select matches or does not match, and enter the value you want to track.
      To add another response header, click Add.
    3. In Set-cookie, enter the cookie name and select matches or does not match.
      You can use * and ? wildcards and you can turn the Case-sensitive switch on.
    4. In Response Body (BETA), select JSON or XML, enter the path in XPath format, select exists, does not exist, matches, or does not match, and enter the value you want to track.


    XPath format examples

    • Supported for JSON and XML:


    • Supported for XML:



    • Not supported for JSON:



The following images show examples of correctly defined response body success and failure conditions:

In the first example, wildcards are used to find the “true” value in a string:

In the second example, selecting the case-sensitive option ensures that only uppercase values match the criteria:


If you define:

  • Only failure conditions, then any other activity on the endpoints is treated as success.
  • Only success conditions, then any other activity is a failure.
  • Both failure and success, then any other activity is labeled as unknown.
  • No conditions, then all activity on the endpoints is labeled as unknown.
  • Multiple values of the same condition (for example, response code = 200, 201), then the success or failure condition is met if any of these values apply.
  • Multiple conditions (response code = 200, response header = X-LoginSuccess:true), then the success or failure condition is met only if all of these conditions apply.
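
The labeling rules above can be checked against sample origin responses before you save a configuration. The following sketch is an added example, not product code: it models response code and response header conditions only, and shows how any-of matching within one condition combines with all-of matching across conditions. Assumptions: the `Condition` and `label` names are hypothetical, header values are compared exactly, and a response that meets both the success and the failure condition is labeled failure, a case these rules do not cover.

```python
from dataclasses import dataclass, field

@dataclass
class Condition:
    """One success or failure condition (hypothetical model, not the product schema)."""
    codes: set = field(default_factory=set)      # several codes: any one may apply
    codes_negate: bool = False                   # True models "does not match"
    headers: dict = field(default_factory=dict)  # header name -> required value

    def defined(self):
        return bool(self.codes or self.headers)

    def met(self, status, resp_headers):
        if not self.defined():
            return False
        checks = []
        if self.codes:
            checks.append((status in self.codes) != self.codes_negate)
        # HTTP header names are case-insensitive; values are compared exactly (assumption).
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        for name, value in self.headers.items():
            checks.append(lowered.get(name.lower()) == value)
        return all(checks)  # different condition types: all must apply

def label(status, resp_headers, success=None, failure=None):
    """Return 'success', 'failure' or 'unknown' for one origin response."""
    success = success or Condition()
    failure = failure or Condition()
    if failure.met(status, resp_headers):
        return "failure"  # assumption: failure wins when both conditions are met
    if success.met(status, resp_headers):
        return "success"
    if failure.defined() and not success.defined():
        return "success"  # only failure defined: anything else is success
    if success.defined() and not failure.defined():
        return "failure"  # only success defined: anything else is failure
    return "unknown"      # both defined and neither met, or nothing defined

# Constructed sample configuration, using the values from the rules above.
SUCCESS = Condition(codes={200, 201}, headers={"X-LoginSuccess": "true"})
FAILURE = Condition(codes={401})

if __name__ == "__main__":
    for status, hdrs in [(201, {"X-LoginSuccess": "true"}), (200, {}), (401, {})]:
        print(status, hdrs, "->", label(status, hdrs, SUCCESS, FAILURE))
```

A 200 response without the `X-LoginSuccess: true` header is labeled unknown here, because the success condition requires both the code and the header and the failure condition is not met.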

Unknown is a label applied in a scenario where bot management detections are bypassed, like when you set an exception, or when the request is denied, allowed, or ignored by an earlier protection and account protection doesn't run.

After you set the conditions, the successes, failures, and unknown activity appear in the Bot Endpoint Protection report, Account Protector User Intelligence Console, and Web Security Analytics.