Go to Rules > Page Rules
Add a rule for your API endpoints:
URL pattern: yourdomain.com/api/*
Set "Security Level" to "Essentially Off"
Toggle "Browser Integrity Check" to Off
Add another rule for protected pages:
URL pattern: yourdomain.com/page/*
Set "Security Level" to "High" or "I'm Under Attack"
Enable "Browser Integrity Check"
Configure Firewall Rules (optional for more control):
Go to Security > WAF
Create a rule that bypasses security for API endpoints
Rule name: "Allow API Access"
Expression: (http.request.uri.path contains "/api/")
Action: "Bypass"
Set default protection level:
Go to Overview > Security
Set your default Security Level to Medium or High
Adjust Bot Fight Mode settings in Security > Bots if needed
This configuration will allow direct access to your API endpoints while forcing browser verification
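
An added example, not part of the original steps, that checks how far the WAF bypass expression reaches compared with the two Page Rule URL patterns: `contains "/api/"` is a substring test, so it can also match paths that the protected-page pattern covers. The sample paths are constructed, and the `starts_with(...)` variant is an assumed tighter alternative that does not appear in the steps above.

```python
import re

# Values taken from the steps above.
API_PAGE_RULE = "yourdomain.com/api/*"
PROTECTED_PAGE_RULE = "yourdomain.com/page/*"
WAF_NEEDLE = "/api/"  # from: (http.request.uri.path contains "/api/")


def page_rule_matches(pattern: str, host: str, path: str) -> bool:
    """Page Rule patterns: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, host + path) is not None


def waf_contains(path: str) -> bool:
    """The 'contains' operator is a case-sensitive substring test on the path."""
    return WAF_NEEDLE in path


def waf_prefix(path: str) -> bool:
    """Assumed tighter alternative: starts_with(http.request.uri.path, "/api/")."""
    return path.startswith(WAF_NEEDLE)


def scope_conflicts(paths, waf_rule, host="yourdomain.com"):
    """Paths covered by the protected-page rule that the bypass rule also matches."""
    return [
        p for p in paths
        if page_rule_matches(PROTECTED_PAGE_RULE, host, p) and waf_rule(p)
    ]


# Constructed sample paths, not taken from real traffic.
SAMPLE_PATHS = [
    "/api/v1/users",
    "/page/dashboard",
    "/page/docs/api/reference",
    "/page/API/notes",
    "/static/app.js",
]

if __name__ == "__main__":
    for name, rule in (("contains", waf_contains), ("starts_with", waf_prefix)):
        overlap = scope_conflicts(SAMPLE_PATHS, rule)
        print(f"{name:12} bypass overlaps protected pages on: {overlap}")
```

Run it against the real route list of the site before enabling the Bypass action; an empty overlap list means the bypass rule stays inside the API prefix.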