Amazon WAF client application integration - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon WAF client application integration

Use Amazon WAF client application integration APIs to couple client-side protections with your Amazon server-side web ACL protections, to help verify that the client applications that send web requests to your protected resources are the intended clients and that your end users are human beings.

Use the client integrations to manage silent browser challenges and CAPTCHA puzzles, obtain tokens with proof of successful browser and end user responses, and to include these tokens in requests to your protected endpoints. For general information about Amazon WAF tokens, see Amazon WAF web request tokens.

Combine your client integrations with web ACL protections that require valid tokens for access to your resources. You can use rule groups that check and monitor challenge tokens, like the ones listed in the next section, at Intelligent threat integration and Amazon Managed Rules, and you can use the CAPTCHA and Challenge rule actions to check, as described in CAPTCHA and Challenge in Amazon WAF.

Amazon WAF provides two levels of integration for JavaScript applications, and one for mobile applications:

  • Intelligent threat integration – Verify the client application and provide Amazon token acquisition and management. This is similar to the functionality provided by the Amazon WAF Challenge rule action. This functionality fully integrates your client application with the AWSManagedRulesACFPRuleSet managed rule group, the AWSManagedRulesATPRuleSet managed rule group, and the targeted protection level of the AWSManagedRulesBotControlRuleSet managed rule group.

    The intelligent threat integration APIs use the Amazon WAF silent browser challenge to help ensure that login attempts and other calls to your protected resource are only allowed after the client has acquired a valid token. The APIs manage token authorization for your client application sessions and gather information about the client to help determine whether it's being operated by a bot or by a human being.


    This is available for JavaScript and for Android and iOS mobile applications.

  • CAPTCHA integration – Verify end users with customized CAPTCHA puzzle that you manage in your application. This is similar to the functionality provided by the Amazon WAF CAPTCHA rule action, but with added control over the puzzle placement and behavior.

    This integration leverages the JavaScript intelligent threat integration to run silent challenges and provide Amazon WAF tokens to the customer's page.


    This is available for JavaScript applications.