---
title: Fastly API reference
summary: null
url: https://www.fastly.com/documentation/reference/api
---

The Fastly API is a RESTful API that provides access to all the features available through the Fastly web interface. The API is organized into collections of endpoints that allow manipulation of objects related to Fastly services and accounts.

> **IMPORTANT:** The API requires TLS 1.2. Because of the [PCI Security Standards Council mandate](https://listings.pcisecuritystandards.org/pdfs/Migrating_from_SSL_and_Early_TLS_-v12.pdf), TLS versions 1.0 and 1.1 are no longer supported.

## Domain

Almost all API endpoints are served on the `api.fastly.com` domain. For example, to get a list of Fastly services available to your account, you could use a `curl` command such as:

```term
$ curl -H "Fastly-Key: YOUR_FASTLY_TOKEN" "https://api.fastly.com/service"
```

[Purge requests](https://www.fastly.com/documentation/reference/api/purging) are a special case and can be sent to the URL that you want to purge.

The [real time stats](https://www.fastly.com/documentation/reference/api/metrics-stats/realtime) API uses the domain `rt.fastly.com`.

## Authentication

Most (but not all) API endpoints require authentication with an appropriately scoped **API token**, which may be created [via the API](https://www.fastly.com/documentation/reference/api/auth-tokens) or in the [Fastly web interface](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/using-api-tokens). Requirements for individual endpoints are shown on each endpoint page. To authenticate a request, generate an API token, and then include it in your request as a `Fastly-Key` HTTP header:

```http
Fastly-Key: YOUR_FASTLY_TOKEN
```

If you are using [curl](https://curl.haxx.se/) to make requests, you can append a header with `-H 'Fastly-Key: YOUR_FASTLY_TOKEN'`.

> **NOTE (Accounts created prior to May 15, 2017):** If you created a Fastly account before May 15th, 2017, you may have used legacy "API keys" to authenticate API requests. This account-level credential was migrated to a personal API token with a `global` scope and access to all of your services. Because all tokens need to be owned by a user, this credential was assigned to a newly created, synthetic user with the name `Global API Token`. All endpoints that support the legacy keys also support API tokens.

## API Endpoints

The API endpoints are divided into collections. You can view an index of [all endpoints on a single page](https://www.fastly.com/documentation/reference/api/index) or select a collection from the list below to explore that collection in detail:

- [Access control lists](https://www.fastly.com/documentation/reference/api/acls/)
- [Account](https://www.fastly.com/documentation/reference/api/account/)
- [API Security](https://www.fastly.com/documentation/reference/api/api-security/)
- [Authentication tokens](https://www.fastly.com/documentation/reference/api/auth-tokens/)
- [Client-Side Protection](https://www.fastly.com/documentation/reference/api/client-side-protection/) - Client-Side Protection (CSP) provides visibility and control over third-party scripts running on your web pages. Monitor script behavior, manage authorization status, and configure security policies to protect against client-side attacks like Magecart and formjacking.
- [Dictionaries](https://www.fastly.com/documentation/reference/api/dictionaries/)
- [Domain Management](https://www.fastly.com/documentation/reference/api/domain-management/)
- [Fastly DDoS Protection Events](https://www.fastly.com/documentation/reference/api/ddos-protection/) - The Fastly DDoS Protection Events API allows you to configure Fastly DDoS Protection and view attack insights including events, rules, and traffic statistics.
- [Load balancing](https://www.fastly.com/documentation/reference/api/load-balancing/)
- [Metrics and stats](https://www.fastly.com/documentation/reference/api/metrics-stats/)
- [Next-Gen WAF](https://www.fastly.com/documentation/reference/api/ngwaf/)
- [Observability](https://www.fastly.com/documentation/reference/api/observability/)
- [Products](https://www.fastly.com/documentation/reference/api/products/)
- [Publishing](https://www.fastly.com/documentation/reference/api/publishing/) - Publishing sends messages to <a href="https://www.fastly.com/documentation/learning/concepts/real-time-messaging/fanout">Fanout</a> subscribers. Fanout is designed to be <a href="https://pushpin.org/docs/protocols/grip/">GRIP-compatible</a>, such that <code>https://api.fastly.com/service/{service_id}</code> can be used as a GRIP URL in application configurations.
- [Purging](https://www.fastly.com/documentation/reference/api/purging/) - Instant Purging removes content from Fastly immediately so it can be refreshed from your origin servers. While the default approach for issuing an individual URL Instant Purge uses the Fastly API, <code>https://api.fastly.com/</code>, it is not required.
- [Real-time logging](https://www.fastly.com/documentation/reference/api/logging/)
- [Services](https://www.fastly.com/documentation/reference/api/services/)
- [TLS](https://www.fastly.com/documentation/reference/api/tls/)
- [Utilities](https://www.fastly.com/documentation/reference/api/utils/)
- [VCL objects](https://www.fastly.com/documentation/reference/api/vcl-services/)

## Postman collection

If you use [Postman](https://www.postman.com/downloads/), you can [explore the Fastly API workspace](https://www.postman.com/fastly/workspace/fastly-developer-hub/collection/10146383-3ae89321-fd45-4694-880c-3081da4ef678?ctx=documentation) or [download our Postman collection](https://www.fastly.com/documentation/downloads/fastly.collection.json).

## Clients

Client libraries are available in a number of languages. The following clients are built and maintained by Fastly:

- [Go](https://github.com/fastly/fastly-go) (available [from pkg.go.dev](https://pkg.go.dev/github.com/fastly/fastly-go))
- [JavaScript](https://github.com/fastly/fastly-js) (available [from npm](https://www.npmjs.com/package/fastly))
- [PHP](https://github.com/fastly/fastly-php) (available [from Packagist](https://packagist.org/packages/fastly/fastly))
- [Perl](https://github.com/fastly/fastly-perl) (available [from CPAN](https://metacpan.org/release/Net-Fastly))
- [Python](https://github.com/fastly/fastly-py) (available [from PyPi](https://pypi.org/project/fastly/#history))
- [Ruby](https://github.com/fastly/fastly-ruby) (available [from RubyGems](https://rubygems.org/gems/fastly))
- [Rust](https://github.com/fastly/fastly-rust) (available [from crates.io](https://crates.io/crates/fastly-api))

We also offer a [Terraform provider](https://registry.terraform.io/providers/fastly/fastly/latest/docs). If you use Terraform to orchestrate Fastly services, see our [guidance on best practices](https://www.fastly.com/documentation/guides/integrations/non-fastly-services/developer-guide-terraform).

## Rate limiting

API write operations are subject to a default limit of 1,000 requests per hour. This applies to each user account or [automation token](https://www.fastly.com/documentation/reference/api/auth-tokens/automation/). For user tokens, the limit applies to the user, regardless of the number of tokens attached to that user.

The following types of requests are not covered by the general rate limit policy:

- All read operations, such as `GET` and `HEAD` requests: 6,000 requests per minute.
- Single-URL and surrogate key purges: limited to an average of 100,000 purges per customer per hour.
- Anonymous (unauthenticated) requests: 6,000 requests per minute.

Fastly reserves the right to lower these limits to ensure system stability.

> **IMPORTANT:** Overlapping write requests to the API may result in lost updates. We strongly recommend avoiding concurrent requests that modify configuration within the same service.

If you go over the rate limit, you will receive a `429 Too Many Requests` HTTP response.

Rate limit information is provided in response headers, as shown below. The `Fastly-RateLimit-Remaining` header provides the number of API requests remaining in the current rate limit window. The `Fastly-RateLimit-Reset` provides the time at which the current rate limit window resets, as a [Unix timestamp](https://en.wikipedia.org/wiki/Unix_time).

```http type="response"
Fastly-RateLimit-Remaining: 999
Fastly-RateLimit-Reset: 1452032384
```

If you have purchased a Fastly service package that includes specific rate limits for API operations, those will apply instead of the limits shown on this page.