Set up operations (formerly called resource purpose)

If you use Bot Manager Premier or Account Protector, you come to the API Definitions app to register the transactional page, like login or checkout, you want to protect. To do so—even if that page isn't technically an API—you define an API (to share the page's path and other details) and create an operation (formerly called resource purpose).

  1. On the API Definitions page, in the Registered APIs section, find the API definition in which you want to create an operation and click its ... Action menu.

  2. From the menu, select Manage versions.

  3. In the Version history panel, select the version you want to edit.

  4. From the list of delivery options on the left, select API Operations.

  5. On the API Operations page, click + to add a new operation.

  6. Enter the Name of the operation.
    If you only specify one operation for a resource, it’s best to use the same name for the operation as you did for the resource. This helps you easily identify it in your security configuration. If you specify multiple operations of a resource (for example, two different operations for GET and POST), use the name of the resource in combination with the method. For example: post-book.

  7. Select the associated API resource.

  8. From the Method menu, select the HTTP method used in combination with the resource.

  9. Click Operation Purpose and select the task your transactional page serves.
    If you can’t find the exact task on the list, select the most similar option.

  10. If you selected the Login, under the Username parameter menu, select the login parameter you defined in the API resource panel.

  11. If you use Account Protector, you can tell it where to find the unique ID you use to track your end-users. This is called Origin User ID BETA In the Origin User ID section, select the location of your unique ID:

    • Response Header then enter the name of the header.
    • Set-cookie Currently under development. To use Set-cookie, contact your account team.


    If you want to share origin user ID from your mobile app token, it must be a long-lived token that remains constant through multiple logins and is valid for a month or longer. When you set up your origin user id, specify only the field containing the token. Also, have your origin send the origin user ID in the response to the login request.

  12. To capture data on successful and unsuccessful attempts to use the resource, in the Origin Response section, define their traits.
    You need to configure origin response for transactional endpoints if you use Account Protector. For Bot Manager Premier this step is optional.
    You can set up success and failure reporting for every operation type except Search and Add to cart.
    click Add to create your conditions in the Success conditions and/or Failure conditions sections.

    a. In Response Code, select matches or does not match, and enter the code you want to track, like 401.
    You can enter multiple codes.

    b. In Response Header, enter the header name, select matches or does not match, and enter the value you want to track.
    To add another response header, click Add.

    c. In Set-cookie, enter the cookie name and select matches or does not match.
    You can use * and ? wildcards and you can turn the Case-sensitive switch on.

    If you define:
    – only failure conditions, then any other activity on the endpoints is treated as success.
    – only success, then any other activity is a failure.
    – both failure and success, then any other activity is labeled as unknown.
    – no conditions, then all activity on the endpoints is labeled as unknown.
    – multiple values of the same condition (for example, response code = 200, 201), then the success or failure condition is met if any of these values apply.
    – multiple conditions (response code = 200, response header = X-LoginSuccess:true), then the success or failure condition is met only if all of these conditions apply.

    After you set the conditions, the successes, failures and unknown activity appear in the Bot Endpoint Protection report.

  13. Optional: If requests to protect by Bot Manager Premier always include parameters, then in the Additional required parameters section, do the following for every parameter that you want to set up:
    Usually, you won't add parameters here. Do so if you want to protect ONLY specific requests that include the parameter. Requests without it, won't undergo Bot Manager Premier detection.

    a. Click Add parameter

    b. From the leftmost drop-down menu, select the parameter that you want to configure.

    c. From the rightmost drop-down menu, select the condition that the parameter should meet.

    d. If you selected the matches condition, enter the text that the parameter should match.


    Again, don't enter a parameter here unless you want to protect ONLY those specific requests. If your app accepts requests without the parameters you define, those requests would likely bypass bot protections. Proceed carefully. The need to set parameters here is rare (for example, in the case of GraphQL applications).

  14. Click Save.