Production server endpoints
You can apply whitelists and blacklists to the endpoints of the MobileFirst Server.
The following information about the URLs exposed by MPF is provided as a guideline, so that organizations can make informed decisions about what to enable in their whitelists and blacklists and can ensure that those choices are tested in an enterprise infrastructure.
| API | URL | Description | Suggested whitelist | For more information |
| --- | --- | --- | --- | --- |
| MFP Applications | `<application root context>/apps/services/api/*` | Used by client applications for operations such as init, Direct Update requests, invocation of adapter procedures, and more. | Yes | HTTP Interface of the production server |
| | `<application root context>/apps/services/random/*` | Used for generating a random number. Used by JSON store implementation and encrypted cache on the client side. | Yes, to use offline storage such as JSON store. | JSONStore overview |
| | `<application root context>/apps/services/reach` | Used for the reach API, this servlet returns status 200 with OK, letting you verify that the MobileFirst Server is up and running. | Yes | |
| | `<application root context>/apps/services/www/*` | Used by mobile web or desktop application to access its resources. | Yes | Web application resource requests |
| | `<application root context>/apps/services/download/*` | Deprecated | No | |
| | `<application root context>/apps/services/preview/*` | Used to preview the application. | No. Used for development and administration purposes. | Preview application resource requests |
| Direct Update | `<application root context>/directUpdate/*` | Used for serving the direct update zip file. | Yes, to use Direct Update. | Direct Update as a security realm |
| Node Sync | `<application root context>/node/integration/*` | Used to receive notifications from IBM MobileFirst Platform Foundation adapters that are based on Node.js. Not in use, and can be blocked. | No | |
| Vitality | `<application root context>/ws/rest/vitality` | Used to check server availability. Returns a list of applications and adapters. For use of admin personnel. | No | Vitality queries for checking server health |
| Invoke back end procedure | `<application root context>/invoke` | Used to invoke an adapter procedure. | Yes, if application uses adapter authentication features, or to access the adapter directly and not from the application. Note that if this API passes the firewall, everyone will be able to invoke any adapter procedure and it will be protected only by the adapter security test and not by the application security test. | Adapter invocation service |
| | `<application root context>/subscribeSMS` | Push subscription service API. Used by applications. | Yes, if application uses push subscription API. | Web-based SMS subscription |
| | `<application root context>/receiveSMS` | SMS subscription service API. Used by applications. | Yes, if application uses SMS subscription API. | Use two-way SMS communication |
| External Server Security | `<application root context>/oauth/*` | Used to create an SSO between MPF and external services. | Yes, if the application uses SSO between MPF and external services. | Use SSO between MPF and external services |
| Client side logging | `<application root context>/apps/services/loguploader/*` | Used by client applications to upload their accumulated debug and analytics logs. | Yes | Client-side log capture |
| | `<application root context>/apps/services/configprofile/*` | Used by client applications to GET their log configuration, which the admin set via the Log Configuration tab in the MPF operations console. | Yes | Client-side log capture |
| Dev | `<application root context>/dev/*` | Development service API such as /invoke, /appdata, /preview, and others. Used in development environments only. | No, only for the development environment and not for QA, pre-production, or production. | |
| USSD | `<application root context>/ussd/*` | Used for communication with the USSD (Unstructured Supplementary Service Data) gateway. | Yes | USSD Support |
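The table's suggestions expressed as a default-deny path check, useful for testing a proxy or firewall rule set before deployment. This is an added example, not IBM code: the feature labels, the `/myapp` context root and the sample paths are assumptions, and the decode-and-normalise step goes beyond what the table states.

```python
import posixpath
from urllib.parse import unquote

# One entry per "Yes" row of the table: (path under the context root,
# trailing /* wildcard?, feature that must be in use, or None for plain "Yes").
# "No" rows are left out on purpose so they fall through to the default deny.
RULES = [
    ("/apps/services/api", True, None),
    ("/apps/services/random", True, "jsonstore"),
    ("/apps/services/reach", False, None),
    ("/apps/services/www", True, None),
    ("/directUpdate", True, "direct_update"),
    # Opening /invoke leaves adapter procedures protected only by the
    # adapter security test, so it stays closed unless explicitly needed.
    ("/invoke", False, "direct_adapter_invoke"),
    ("/subscribeSMS", False, "push_subscription"),
    ("/receiveSMS", False, "sms_subscription"),
    ("/oauth", True, "sso"),
    ("/apps/services/loguploader", True, None),
    ("/apps/services/configprofile", True, None),
    ("/ussd", True, None),
]

def is_allowed(path, context_root, features=frozenset()):
    """Return True only if the request path matches an enabled whitelist row."""
    # Decode and normalise before matching, so "../" or "%2e%2e" cannot turn
    # an allowed prefix into a blocked endpoint such as /apps/services/preview/*.
    clean = posixpath.normpath(unquote(path.split("?", 1)[0]))
    if not clean.startswith(context_root + "/"):
        return False
    rest = clean[len(context_root):]
    for prefix, wildcard, feature in RULES:
        if feature is not None and feature not in features:
            continue
        if rest == prefix or (wildcard and rest.startswith(prefix + "/")):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample requests for a deployment that uses JSONStore only.
    for p in ["/myapp/apps/services/api/App/android/init",
              "/myapp/apps/services/api/%2e%2e/preview/App/index.html",
              "/myapp/invoke?adapter=A&procedure=p",
              "/myapp/dev/appdata"]:
        print("ALLOW" if is_allowed(p, "/myapp", {"jsonstore"}) else "DENY ", p)
```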
- HTTP Interface of the production server
Use the HTTP interface of the production server to make application API requests or web application resource requests. Use the following request structures, headers, and elements.