Skip to content
Cloudflare API
Start here
API Reference
Bot Management

Update Zone Bot Management Config

PUT/zones/{zone_id}/bot_management

Updates the Bot Management configuration for a zone.

This API is used to update:

  • Bot Fight Mode
  • Super Bot Fight Mode
  • Bot Management for Enterprise

See Bot Plans for more information on the different plans
If you recently upgraded or downgraded your plan, refer to the following examples to clean up old configurations. Copy and paste the example body to remove old zone configurations based on your current plan.

Clean up configuration for Bot Fight Mode plan

{
  "sbfm_likely_automated": "allow", 
  "sbfm_definitely_automated": "allow", 
  "sbfm_verified_bots": "allow", 
  "sbfm_static_resource_protection": false, 
  "optimize_wordpress": false, 
  "suppress_session_score": false
}

Clean up configuration for SBFM Pro plan

{
  "sbfm_likely_automated": "allow", 
  "fight_mode": false 
}

Clean up configuration for SBFM Biz plan

{
  "fight_mode": false
}

Clean up configuration for BM Enterprise Subscription plan

It is strongly recommended that you ensure you have custom rules in place to protect your zone before disabling the SBFM rules. Without these protections, your zone is vulnerable to attacks.

{
  "sbfm_likely_automated": "allow", 
  "sbfm_definitely_automated": "allow", 
  "sbfm_verified_bots": "allow", 
  "sbfm_static_resource_protection": false, 
  "optimize_wordpress": false, 
  "fight_mode": false
}
Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Bot Management Write
Path ParametersExpand Collapse
zone_id: string

Identifier.

maxLength32
Body ParametersJSONExpand Collapse
body: BotFightModeConfiguration { ai_bots_protection, cf_robots_variant, crawler_protection, 5 more } or SuperBotFightModeDefinitelyConfiguration { ai_bots_protection, cf_robots_variant, crawler_protection, 8 more } or SuperBotFightModeLikelyConfiguration { ai_bots_protection, cf_robots_variant, crawler_protection, 9 more } or SubscriptionConfiguration { ai_bots_protection, auto_update_model, bm_cookie_enabled, 7 more }
One of the following:
BotFightModeConfiguration = object { ai_bots_protection, cf_robots_variant, crawler_protection, 5 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

fight_mode: optional boolean

Whether to enable Bot Fight Mode.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

stale_zone_configuration: optional object { optimize_wordpress, sbfm_definitely_automated, sbfm_likely_automated, 3 more }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

optimize_wordpress: optional boolean

Indicates that the zone's wordpress optimization for SBFM is turned on.

sbfm_definitely_automated: optional string

Indicates that the zone's definitely automated requests are being blocked or challenged.

sbfm_likely_automated: optional string

Indicates that the zone's likely automated requests are being blocked or challenged.

sbfm_static_resource_protection: optional string

Indicates that the zone's static resource protection is turned on.

sbfm_verified_bots: optional string

Indicates that the zone's verified bot requests are being blocked.

suppress_session_score: optional boolean

Indicates that the zone's session score tracking is disabled.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

SuperBotFightModeDefinitelyConfiguration = object { ai_bots_protection, cf_robots_variant, crawler_protection, 8 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

optimize_wordpress: optional boolean

Whether to optimize Super Bot Fight Mode protections for Wordpress.

sbfm_definitely_automated: optional "allow" or "block" or "managed_challenge"

Super Bot Fight Mode (SBFM) action to take on definitely automated requests.

One of the following:
"allow"
"block"
"managed_challenge"
sbfm_static_resource_protection: optional boolean

Super Bot Fight Mode (SBFM) to enable static resource protection. Enable if static resources on your application need bot protection. Note: Static resource protection can also result in legitimate traffic being blocked.

sbfm_verified_bots: optional "allow" or "block"

Super Bot Fight Mode (SBFM) action to take on verified bots requests.

One of the following:
"allow"
"block"
stale_zone_configuration: optional object { fight_mode, sbfm_likely_automated }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

fight_mode: optional boolean

Indicates that the zone's Bot Fight Mode is turned on.

sbfm_likely_automated: optional string

Indicates that the zone's likely automated requests are being blocked or challenged.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

SuperBotFightModeLikelyConfiguration = object { ai_bots_protection, cf_robots_variant, crawler_protection, 9 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

optimize_wordpress: optional boolean

Whether to optimize Super Bot Fight Mode protections for Wordpress.

sbfm_definitely_automated: optional "allow" or "block" or "managed_challenge"

Super Bot Fight Mode (SBFM) action to take on definitely automated requests.

One of the following:
"allow"
"block"
"managed_challenge"
sbfm_likely_automated: optional "allow" or "block" or "managed_challenge"

Super Bot Fight Mode (SBFM) action to take on likely automated requests.

One of the following:
"allow"
"block"
"managed_challenge"
sbfm_static_resource_protection: optional boolean

Super Bot Fight Mode (SBFM) to enable static resource protection. Enable if static resources on your application need bot protection. Note: Static resource protection can also result in legitimate traffic being blocked.

sbfm_verified_bots: optional "allow" or "block"

Super Bot Fight Mode (SBFM) action to take on verified bots requests.

One of the following:
"allow"
"block"
stale_zone_configuration: optional object { fight_mode }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

fight_mode: optional boolean

Indicates that the zone's Bot Fight Mode is turned on.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

SubscriptionConfiguration = object { ai_bots_protection, auto_update_model, bm_cookie_enabled, 7 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
auto_update_model: optional boolean

Automatically update to the newest bot detection models created by Cloudflare as they are released. Learn more.

cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

stale_zone_configuration: optional object { fight_mode, optimize_wordpress, sbfm_definitely_automated, 3 more }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

fight_mode: optional boolean

Indicates that the zone's Bot Fight Mode is turned on.

optimize_wordpress: optional boolean

Indicates that the zone's wordpress optimization for SBFM is turned on.

sbfm_definitely_automated: optional string

Indicates that the zone's definitely automated requests are being blocked or challenged.

sbfm_likely_automated: optional string

Indicates that the zone's likely automated requests are being blocked or challenged.

sbfm_static_resource_protection: optional string

Indicates that the zone's static resource protection is turned on.

sbfm_verified_bots: optional string

Indicates that the zone's verified bot requests are being blocked.

suppress_session_score: optional boolean

Whether to disable tracking the highest bot score for a session in the Bot Management cookie.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

ReturnsExpand Collapse
errors: array of object { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional object { pointer }
pointer: optional string
messages: array of object { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional object { pointer }
pointer: optional string
success: true

Whether the API call was successful.

result: optional BotFightModeConfiguration { ai_bots_protection, cf_robots_variant, crawler_protection, 5 more } or SuperBotFightModeDefinitelyConfiguration { ai_bots_protection, cf_robots_variant, crawler_protection, 8 more } or SuperBotFightModeLikelyConfiguration { ai_bots_protection, cf_robots_variant, crawler_protection, 9 more } or SubscriptionConfiguration { ai_bots_protection, auto_update_model, bm_cookie_enabled, 7 more }
One of the following:
BotFightModeConfiguration = object { ai_bots_protection, cf_robots_variant, crawler_protection, 5 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

fight_mode: optional boolean

Whether to enable Bot Fight Mode.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

stale_zone_configuration: optional object { optimize_wordpress, sbfm_definitely_automated, sbfm_likely_automated, 3 more }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

optimize_wordpress: optional boolean

Indicates that the zone's wordpress optimization for SBFM is turned on.

sbfm_definitely_automated: optional string

Indicates that the zone's definitely automated requests are being blocked or challenged.

sbfm_likely_automated: optional string

Indicates that the zone's likely automated requests are being blocked or challenged.

sbfm_static_resource_protection: optional string

Indicates that the zone's static resource protection is turned on.

sbfm_verified_bots: optional string

Indicates that the zone's verified bot requests are being blocked.

suppress_session_score: optional boolean

Indicates that the zone's session score tracking is disabled.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

SuperBotFightModeDefinitelyConfiguration = object { ai_bots_protection, cf_robots_variant, crawler_protection, 8 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

optimize_wordpress: optional boolean

Whether to optimize Super Bot Fight Mode protections for Wordpress.

sbfm_definitely_automated: optional "allow" or "block" or "managed_challenge"

Super Bot Fight Mode (SBFM) action to take on definitely automated requests.

One of the following:
"allow"
"block"
"managed_challenge"
sbfm_static_resource_protection: optional boolean

Super Bot Fight Mode (SBFM) to enable static resource protection. Enable if static resources on your application need bot protection. Note: Static resource protection can also result in legitimate traffic being blocked.

sbfm_verified_bots: optional "allow" or "block"

Super Bot Fight Mode (SBFM) action to take on verified bots requests.

One of the following:
"allow"
"block"
stale_zone_configuration: optional object { fight_mode, sbfm_likely_automated }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

fight_mode: optional boolean

Indicates that the zone's Bot Fight Mode is turned on.

sbfm_likely_automated: optional string

Indicates that the zone's likely automated requests are being blocked or challenged.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

SuperBotFightModeLikelyConfiguration = object { ai_bots_protection, cf_robots_variant, crawler_protection, 9 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

optimize_wordpress: optional boolean

Whether to optimize Super Bot Fight Mode protections for Wordpress.

sbfm_definitely_automated: optional "allow" or "block" or "managed_challenge"

Super Bot Fight Mode (SBFM) action to take on definitely automated requests.

One of the following:
"allow"
"block"
"managed_challenge"
sbfm_likely_automated: optional "allow" or "block" or "managed_challenge"

Super Bot Fight Mode (SBFM) action to take on likely automated requests.

One of the following:
"allow"
"block"
"managed_challenge"
sbfm_static_resource_protection: optional boolean

Super Bot Fight Mode (SBFM) to enable static resource protection. Enable if static resources on your application need bot protection. Note: Static resource protection can also result in legitimate traffic being blocked.

sbfm_verified_bots: optional "allow" or "block"

Super Bot Fight Mode (SBFM) action to take on verified bots requests.

One of the following:
"allow"
"block"
stale_zone_configuration: optional object { fight_mode }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

fight_mode: optional boolean

Indicates that the zone's Bot Fight Mode is turned on.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

SubscriptionConfiguration = object { ai_bots_protection, auto_update_model, bm_cookie_enabled, 7 more }
ai_bots_protection: optional "block" or "disabled" or "only_on_ad_pages"

Enable rule to block AI Scrapers and Crawlers. Please note the value only_on_ad_pages is currently not available for Enterprise customers.

One of the following:
"block"
"disabled"
"only_on_ad_pages"
auto_update_model: optional boolean

Automatically update to the newest bot detection models created by Cloudflare as they are released. Learn more.

cf_robots_variant: optional "off" or "policy_only"

Specifies the Robots Access Control License variant to use.

One of the following:
"off"
"policy_only"
crawler_protection: optional "enabled" or "disabled"

Enable rule to punish AI Scrapers and Crawlers via a link maze.

One of the following:
"enabled"
"disabled"
enable_js: optional boolean

Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.

is_robots_txt_managed: optional boolean

Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

stale_zone_configuration: optional object { fight_mode, optimize_wordpress, sbfm_definitely_automated, 3 more }

A read-only field that shows which unauthorized settings are currently active on the zone. These settings typically result from upgrades or downgrades.

fight_mode: optional boolean

Indicates that the zone's Bot Fight Mode is turned on.

optimize_wordpress: optional boolean

Indicates that the zone's wordpress optimization for SBFM is turned on.

sbfm_definitely_automated: optional string

Indicates that the zone's definitely automated requests are being blocked or challenged.

sbfm_likely_automated: optional string

Indicates that the zone's likely automated requests are being blocked or challenged.

sbfm_static_resource_protection: optional string

Indicates that the zone's static resource protection is turned on.

sbfm_verified_bots: optional string

Indicates that the zone's verified bot requests are being blocked.

suppress_session_score: optional boolean

Whether to disable tracking the highest bot score for a session in the Bot Management cookie.

using_latest_model: optional boolean

A read-only field that indicates whether the zone currently is running the latest ML model.

Update Zone Bot Management Config

curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/bot_management \
    -X PUT \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "ai_bots_protection": "block",
          "cf_robots_variant": "policy_only",
          "crawler_protection": "enabled",
          "enable_js": true,
          "fight_mode": true
        }'
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "ai_bots_protection": "block",
    "cf_robots_variant": "policy_only",
    "crawler_protection": "enabled",
    "enable_js": true,
    "fight_mode": true,
    "is_robots_txt_managed": false,
    "stale_zone_configuration": {
      "optimize_wordpress": true,
      "sbfm_definitely_automated": "sbfm_definitely_automated",
      "sbfm_likely_automated": "sbfm_likely_automated",
      "sbfm_static_resource_protection": "sbfm_static_resource_protection",
      "sbfm_verified_bots": "sbfm_verified_bots",
      "suppress_session_score": true
    },
    "using_latest_model": true
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "ai_bots_protection": "block",
    "cf_robots_variant": "policy_only",
    "crawler_protection": "enabled",
    "enable_js": true,
    "fight_mode": true,
    "is_robots_txt_managed": false,
    "stale_zone_configuration": {
      "optimize_wordpress": true,
      "sbfm_definitely_automated": "sbfm_definitely_automated",
      "sbfm_likely_automated": "sbfm_likely_automated",
      "sbfm_static_resource_protection": "sbfm_static_resource_protection",
      "sbfm_verified_bots": "sbfm_verified_bots",
      "suppress_session_score": true
    },
    "using_latest_model": true
  }
}