Endpoints of the MobileFirst Server production server
You can create whitelists and blacklists for the endpoints of the IBM MobileFirst™ Platform Server.
Note: Information regarding URLs that are exposed by IBM MobileFirst Platform Foundation is
provided as a guideline. Organizations must ensure the URLs are tested
in an enterprise infrastructure, based on what has been enabled for
white and black lists.
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| apps/services/api/* | Used by client applications for operations such as init, Direct Update requests, invocation of adapter procedures, and more. | Yes | HTTP Interface of the production server |
| apps/services/random/* | Used for generating a random number. Used by JSON store implementation and encrypted cache on the client side. | Yes, if you plan to use offline storage such as JSON store. | JSONStore overview |
| apps/services/reach | Used for the reach API, this servlet returns status 200 with OK, letting you verify that the MobileFirst Server is up and running. | Yes | |
| apps/services/www/* | Used by mobile web or desktop application to access its resources. | Yes | Web application resource requests |
| apps/services/download/* | Deprecated | No | |
| apps/services/preview/* | Used to preview the application. | No. Used for development and administration purposes. | Preview application resource requests |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| directUpdate/* | Used for serving the direct update .zip file. | Yes, if you plan to use Direct Update. | Direct Update as a security realm |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| node/integration/* | Used to receive notifications from IBM MobileFirst Platform Foundation adapters that are based on Node.js. Not in use and can be blocked. | No |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| ws/rest/vitality | Used to check server availability. Returns a list of applications and adapters. For server administrators. | No | Vitality queries for checking server health |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| invoke | Used to invoke an adapter procedure. | Yes, if application uses adapter authentication
features, or if you want to access the adapter directly and not from
the application. Note: If this API passes the firewall, everyone is
able to invoke any adapter procedure and it is protected only by the
adapter security test and not by the application security test.
|
Accessing adapters from the /invoke endpoint |
| subscribeSMS | Push subscription service API. Used by applications. | Yes, if application uses push subscription API. | Web-based SMS subscription |
| receiveSMS | SMS subscription service API. Used by applications. | Yes, if application uses SMS subscription API. | Using two-way SMS communication |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| apps/services/loguploader/* | Used by client applications to upload their accumulated debug and analytics logs. | Yes | Client-side log capture |
| apps/services/configprofile/* | Used by client applications to GET their log configuration, which the admin set via the Log Configuration tab in the IBM MobileFirst Platform Operations Console. | Yes | Client-side log capture |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| dev/* | Development service API such as /invoke, /appdata, /preview, and others. Used in development environments only. | No, only for the development environment and not for QA, preproduction, or production. |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| ussd/* | Used for communication with the USSD gateway. | Yes | USSD Support |
| API URL, under <application root context>/ | Description | Suggested for whitelist? | For more information |
|---|---|---|---|
| authorization/v1/clients/instance | Used by clients applications to register with the OAuth Server | No | OAuth-based security model Challenge handling in a gateway topology |
| authorization/v1/authorization | Used by client applications to perform authorization | Yes, if you are using OAuth | OAuth-based security model |
| authorization/v1/token | Used by client applications to obtain access tokens | Yes, if you are using OAuth | OAuth-based security model |
| authorization/v1/publickey | Used by external resource filters to obtain the public key of the MobileFirst Server | Yes, if you are using OAuth | OAuth-based security model |
| authorization/v1/token/validation | Used for performing online token validation | Yes, if you are using OAuth | OAuth-based security model |
| authorization/v1/clients/preview | Used for registering applications in preview mode | No, only for development | OAuth-based security model |
| authorization/v1/testtoken | Used for obtaining access tokens during development | No, only for development | OAuth-based security model |