Hub Listing - Gateway Tab

Configure Rapid Runtime behavior for an API.

This document provides an overview of the Rapid Runtime, then provides details of the Hub Listing > Gateway tab in Studio. This tab is mostly used to configure the API's behavior when using the Rapid Runtime.

Note: For setting up an API's security strategy (such as OAuth), see Configuring API Security. This has moved to the Definitions tab in Studio.

Rapid Runtime overview

The Hub Listing > Gateway tab in Studio is mostly using to configure the behavior of the Rapid Runtime for an API. The Rapid Runtime is a fast, highly-available, distributed proxy service hosted by Rapid. If the Runtime is used for an API, API requests sent by API consumers are first sent to the Runtime, and the Runtime usually forwards the request to the API provider's API gateway (such as Amazon API Gateway). Responses from the API provider's API gateway are sent to the Runtime, and the response is sent to the API consumer.

Using the Rapid Runtime for an API is fast and easy, and includes the following:

  • Built-in security and threat protection mechanisms
  • Enforced request timeout, rate, size, and/or quota limits
  • Alerting if usage is abnormal
  • API monetization
  • API consumption, error rate, and latency tracking
  • Automatically populated usage, performance, billing, and other analytics
  • Endpoint response mocking
  • Request and response transformations
  • Detailed request/response logs (up to 7 days)
  • Automatic CORS handling when testing the API

Gateway DNS

For rapidapi.com users, all APIs are automatically configured to (and must) use the Rapid Runtime. The Gateway DNS section of the Hub Listing > Gateway tab is for information only. The Gateway DNS will automatically be set to rapidapi.com and can not be changed. This means that all API requests will be sent using the Rapid Runtime.

For Enterprise Hub customers, the Gateway DNS section of the Hub Listing > Gateway tab is used to specify if the Rapid Runtime is used for the API. Each API can be configured to use the Rapid Runtime (this is the fastest and easiest approach and is usually recommended), use only the API provider's gateway(s), or use a combination of both. See API Gateways for information on how environment admins configure non-Rapid Runtime API gateways. Once a gateway has been configured in the Enterprise Hub, it will appear in the dropdown in the Gateway DNS section of the Hub Listing > Gateway tab for all APIs, and API providers can choose a gateway or gateways from the dropdown (more info here). API consumers will then use the gateway(s) when testing the API or when obtaining sample code as described here.

Firewall settings

For security reasons, you should protect your API and block requests coming from outside the Rapid infrastructure.

Rapid adds the X-RapidAPI-Proxy-Secret header on every request. This header has a unique value for every API, and if the header is missing or has a different value, you can assume the request is not coming from our infrastructure. The header for this API is: X-RapidAPI-Proxy-Secret followed by a unique string.

2866

List of IP addresses used by Rapid

Every request coming from the Rapid Runtime will come from the following IP addresses. You can allow list these IPs, as they are the ones used to send requests only from Rapid.

A request coming from Rapid can be considered already authenticated, so no billing or authentication checks are required on the API side.

Here is the complete list of IPs to allow list:
Notice that you must accept API requests from ALL IPs below, regardless of which region your servers are located in.

RegionIPs
US East3.235.211.187
52.70.18.120
107.23.255.128
107.23.255.129
107.23.255.131
107.23.255.132
107.23.255.133
107.23.255.134
107.23.255.135
107.23.255.137
107.23.255.138
107.23.255.139
107.23.255.140
107.23.255.141
107.23.255.142
107.23.255.143
107.23.255.144
107.23.255.145
107.23.255.146
107.23.255.147
107.23.255.148
107.23.255.149
107.23.255.150
107.23.255.151
107.23.255.152
107.23.255.153
107.23.255.154
107.23.255.155
107.23.255.156
107.23.255.157
107.23.255.158
107.23.255.159
44.199.1.171
3.214.190.32
18.214.21.251
3.12.173.82
18.189.51.185
18.218.135.141
US West35.162.152.183
52.38.28.241
52.35.67.149
54.149.215.237
Mumbai13.127.146.34
13.127.207.241
13.232.235.243
13.233.81.143
Tokyo13.112.233.15
18.182.156.77
52.194.200.157
54.250.57.56
Frankfurt3.64.99.234
3.69.80.51
3.120.160.95
3.121.144.151
18.156.144.73
18.184.214.33
18.197.117.10
Sydney13.54.58.4
13.238.1.253
13.239.156.114
54.153.234.158
South America18.228.69.72
18.228.167.221
18.228.209.157
18.228.209.53
Singapore3.0.35.31
3.1.111.112
13.228.169.5
52.220.50.179
52.221.32.123
52.74.107.74
18.136.112.129
Ireland34.250.225.89
52.30.208.221
63.34.177.151
63.35.2.11
Canada3.96.250.82
3.97.68.46
52.60.203.46

Threat protection

You can enable or disable threat protection under the Security tab of your API's definition. Threat protection protects your API from SQL or JavaScript injection attacks. If enabled, we will automatically compare the paths, parameters, headers, and body (application/json, application/x-www-form-urlencoded, and non-binary data in multipart/form-data) of all requests against pre-defined RegEx patterns, and block matching requests from reaching your servers.

By default, threat protection is off. You can toggle it on or off by clicking the switch.

2832

If threat protection is enabled, the Content-Type header must be specified if the request has a body. If Content-Type is not specified, the request will be blocked. You can configure whether to block or pass the body through if the Content-Type is not set to application/json, application/x-www-form-urlencoded, and non-binary data in multipart/form-data.

1027

Request schema validation

You can enable or disable request schema validation under the Security tab of your API's definition. This stops requests that have a validation error at our Rapid Runtime so the call will not be sent to your API hosting server.

If enabled, we will automatically validate the path, query, and header parameters on run time and block all invalid requests. This requires a "Content-Type" header in requests with a body. By default, request schema validation is off. You can toggle it on or off by clicking the switch.

2832

Additional request schema validation settings

When Request Schema Validation is enabled, you will be able to choose from three settings:

2314

Pass through everything (default): Request passed through without stripping any parameters or headers.
Strip and passthrough: Strips unexpected parameters or headers and passes the request through.
Block: Blocks any request with unexpected parameters or headers.

🚧

Currently, even if the default HTTP headers or auto-generated headers for REST APIs are not explicitly defined in the specification the request will be blocked if you select "Strip and passthrough" or "Block"

Request Configurations

Request size limit

You can specify a maximum allowed request size (less than or equal to the default value 50 MB). If left empty or configured as 0, the default value is applied. The request size includes request line, header, and request body.

2130

When the size of a request exceeds this limit, the request is blocked at the Rapid Runtime and a 413 status code is returned in the response.

1136

Proxy Timeout Setting

TBD

Logging Configurations

Note: This section applies to Enterprise Hub customers only.
TBD

Secret headers and parameters

TBD

Transformations

TBD

Gateway timeout

You can specify a maximum allowed time for the Rapid Runtime to wait for a response from the target API (less than or equal to the default value 180 seconds). If left empty or configured as 0, the default value is applied.

1972

When the response from the target API takes longer than the specified timeout value, the Rapid Runtime terminates the call and a 504 status code is returned in the response.

1144