Management API - Configuration
Use these endpoints to read and update tenant security configuration, inspect available controls, promote configuration between deployment versions, and publish live configuration for supported protected apps.
Use the same rollout discipline you use in the portal: edit Development first, validate protected builds, promote to Staging, and move to Production only after approval.
Integration Notes
| Need | Recommendation |
|---|---|
| Change control | Record who or what changed configuration, the version, control name, and reason. |
| Environment safety | Avoid writing directly to Production from automation unless an approval process exists. |
| Control discovery | Read the relevant config_options_* endpoint before writing controls. Control names and minimum plans come from those responses. |
| Partial updates | config_update updates one control per request. Read back /frontend/config after updates. |
| Build validation | Build and test a protected artifact after changing build-time controls. |
Configuration Model
Configuration is stored per version:
developmentstagingproduction
Each saved control is stored as an object whose key is the control value from the options endpoints. Binary controls use protection; response controls use detection plus an action.
[
{
"OverlayPrevention": {
"protection": true,
"platform": "android"
}
},
{
"RootDetectionResponse": {
"detection": true,
"action": "die",
"platform": "both"
}
}
]platform is optional. When present, it must be android, ios, or both.
Get Current Configuration
Retrieve the full saved configuration for a version.
POST /frontend/configPermission: None (read-only)
Request Body:
{
"version": "production"
}| Field | Type | Required | Description |
|---|---|---|---|
version | String | Yes | development, staging, or production. |
Response:
{
"config": [
{
"RootDetectionResponse": {
"detection": true,
"action": "die",
"platform": "android"
}
},
{
"OverlayPrevention": {
"protection": true,
"platform": "android"
}
}
]
}If the version has no saved controls, config is an empty array.
Update One Control
Create, update, or remove one control in one version.
POST /frontend/config_updatePermission: Configuration
Request Body:
{
"version": "production",
"name": "RootDetectionResponse",
"config": {
"detection": true,
"action": "die",
"platform": "android"
}
}| Field | Type | Required | Description |
|---|---|---|---|
version | String | Yes | development, staging, or production. |
name | String | Yes | Control value from one of the options endpoints, such as RootDetectionResponse or OverlayPrevention. |
config | Object | Yes | Control settings. Shape depends on whether the option is binary or response. |
Response:
{
"success": true
}Binary Controls
Options with type: "binary" use protection.
{
"version": "production",
"name": "OverlayPrevention",
"config": {
"protection": true,
"platform": "android"
}
}Set protection to false to remove that control from the saved configuration.
Response Controls
Options with type: "response" use detection.
{
"version": "production",
"name": "RootDetectionResponse",
"config": {
"detection": true,
"action": "die",
"platform": "android"
}
}Set detection to false to remove that control from the saved configuration.
| Action | Required Fields | Behavior |
|---|---|---|
log | detection, action | Record/report the event and allow the app to continue. |
die | detection, action | Stop the protected app flow when the control triggers. |
redirect | detection, action, redirects | Redirect to the single URL in redirects. |
message | detection, action, title, message, buttons, actions, redirects | Show a custom message. buttons and actions must have matching lengths; redirects must contain one URL for each redirect action. |
Payload Limits
Configuration limits are measured in UTF-8 bytes. For aggregate JSON limits, the compact JSON payload counts, including field names, punctuation, arrays, URLs, and configured text.
| Payload | Limit |
|---|---|
Message title | 8 KB (8,192 bytes) |
Message message body | 16 KB (16,384 bytes) |
Each message buttons value | 8 KB (8,192 bytes) |
Saved message response configuration | 9 MB (9,437,184 bytes) |
| Complete saved version configuration | 9 MB (9,437,184 bytes) |
Requests over these limits return 400 with a validation error. Very large HTTP request bodies can also be rejected by the API edge before application validation runs.
Redirect example:
{
"version": "production",
"name": "RootDetectionResponse",
"config": {
"detection": true,
"action": "redirect",
"redirects": ["https://example.com/security"],
"platform": "android"
}
}Message example:
{
"version": "production",
"name": "RootDetectionResponse",
"config": {
"detection": true,
"action": "message",
"title": "Security check failed",
"message": "This device does not meet your organization's security requirements.",
"buttons": ["Close", "Learn more"],
"actions": ["die", "redirect"],
"redirects": ["https://example.com/security"],
"platform": "android"
}
}Validation is based on the current control options and tenant plan. If a control's minimum_plan is higher than the tenant plan, the update is rejected.
Promote Configuration
Copy the full configuration from one version to the next approved version. App Integrity configurations for the source version are copied with the same promotion.
POST /frontend/promote_configPermission: Configuration Plan: Team+
Request Body:
{
"source_version": "staging",
"target_version": "production"
}Only these promotion directions are valid:
| Source | Target |
|---|---|
development | staging |
staging | production |
Response:
{
"success": true
}Push Live Configuration
Publish the selected version's live configuration package for already-protected apps that were built with live configuration support.
POST /frontend/push_live_configPermission: Configuration Plan: Enterprise
Request Body:
{
"version": "production"
}Response:
{
"success": true
}Build-time-only changes, such as adding new controls or changing obfuscation/build settings, still require a new protected build. When Certificate Pinning is configured to use built-in trusted CAs, the live package merges the current global trusted CA list at publish time.
Get Available Control Options
These read-only endpoints return the controls currently available to the tenant. Use the value field as the name in config_update.
| Endpoint | Description |
|---|---|
GET /frontend/config_options_detection | Detection and response controls. |
GET /frontend/config_options_prevention | Binary prevention controls. |
GET /frontend/config_options_connection_controls | Transport, certificate, and network controls. |
GET /frontend/config_options_additional_features | Telemetry, lifecycle, and additional feature controls. |
GET /frontend/config_options_obfuscation | Obfuscation controls. |
GET /frontend/config_options_build_settings | Build settings such as architecture inclusion controls. |
Response Pattern:
{
"config_options_detection": [
{
"name": "Device Integrity",
"description": "Detect compromised or non-standard runtime environments.",
"details": [
{
"title": "Root Detection",
"description": "Detect rooted Android devices or jailbroken iOS devices.",
"value": "RootDetectionResponse",
"type": "response",
"support": [
{ "android": { "supported": true, "version": "all" } },
{ "apple": { "supported": true, "version": "all" } }
],
"minimum_plan": "FREE"
}
]
}
]
}Each options endpoint uses a response key matching the endpoint name, for example config_options_prevention or config_options_build_settings.
Build Settings Options
GET /frontend/config_options_build_settings returns build-settings toggles available in the current tenant configuration. Current options include:
| Value | Platform | Description |
|---|---|---|
IncludeX86Architectures | Android | Keep x86 and x86_64 slices in the protected APK or AAB for emulators, Chromebooks, and x86 Android devices. |
IncludeSimulatorArchitectures | iOS | Build the simulator variant of MobileDefender so protected apps can run in the iOS Simulator. |
The endpoint returns an empty array when no build settings are available.
Trusted Root CAs
Return the global trusted root CA entries available for Certificate Pinning built-in CA configuration.
GET /frontend/trusted_root_casPermission: None (read-only)
Response:
{
"trusted_root_cas": [
{
"name": "DigiCert Global Root G2",
"thumbprint": "CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F",
"algorithm": "sha256",
"expires": 2147483647,
"domains": ["*"],
"isca": true,
"isdefault": true
}
]
}The trusted root CA list is managed by AppTego and consumed by Certificate Pinning when use_builtin_cas is enabled for that control.