AxioRankDocs
Integrations

Backdrop CMS

Verify the AI agents that reach your Backdrop CMS login, admin, search, AJAX, and API endpoints with the AxioRank Agent Verification module. A thin client of the inbound verify endpoint, with monitor and enforce modes and in-admin rule management.

Most AxioRank integrations govern the calls your agents make outbound. The Backdrop CMS module is on the inbound side: it verifies the AI agents reaching into a website surface you operate. It is a thin client of the verify endpoint, so each protected request is forwarded as one authenticated POST to /api/gateway/verify-request and the verdict is applied in Backdrop. There is no local model to run. It is the Backdrop counterpart of the WordPress plugin and the Drupal module.

An API verifier, not a crawler blocker

Fully page-cached pages are served before Backdrop bootstraps, so the module never sees them (hook_init does not run on cached pages). That is by design: it governs the surface that actually reaches PHP, your login, admin, search, AJAX, XML-RPC, and API endpoints, and any signed or bot-like request. To challenge crawlers on cached pages, verify at the edge in front of the cache.

Install

  1. Register a website surface in AxioRank under Settings, Surfaces (or with POST /api/surfaces) and copy its site key (axr_site_...), distinct from your agent key. To manage rules from Backdrop, use a site key that also carries the management scope.

  2. Add the AxioRank Agent Verification module from the Backdrop project browser (or drop it in modules/) and enable it.

  3. Open Configuration, Web services, AxioRank Agent Verification (admin/config/services/axiorank) and paste the site key, or define it in settings.php for better hygiene:

    $settings['axiorank_site_key'] = 'axr_site_...';
  4. Leave the mode on Monitor, save, and use Test connection to confirm AxioRank is reachable.

What gets verified

The module only forwards requests worth checking, so ordinary anonymous page views never call out:

  • Any request carrying Web Bot Auth signature headers (always verified).
  • An enabled sensitive endpoint: login and password routes, admin paths, search, Backdrop AJAX (system/ajax), xmlrpc.php, or your API path prefix. Each is a toggle on the settings page.
  • Any request with a bot-like user agent, which catches crawlers that reach PHP on a cache miss.

Each verified request is scored and logged in your AxioRank dashboard with the agent identity, verification method, and risk, exactly like any other inbound surface request.

Manage agent rules in Backdrop

The Agents tab (admin/config/services/axiorank/agents) reads and writes your surface's real AxioRank inbound policies through a site-key-scoped API, so you can govern agents without leaving Backdrop:

  • Set the AxioRank surface posture to monitor or enforce.
  • Add rules that allow, challenge, or block by known agent, category, verification status, or risk threshold.
  • Delete rules you no longer need.

This needs a site key with the management scope. A verify-only key can still verify traffic; the Agents tab will prompt you to reconnect with a management-enabled key. Every call is scoped server-side to your own surface.

Monitor first, then enforce

A surface starts in monitor posture: AxioRank computes and logs the verdict, but nothing is blocked. Watch the audit log to see what would have been challenged or blocked, then set both the AxioRank surface and the module (the mode on the settings page) to enforce. The module acts only when the response's own enforced flag is true, so the surface posture stays authoritative:

  • block returns 403 (a JSON body for API and AJAX requests).
  • challenge returns 401.

Fail-open by design

Verification sits in the hot path of your own site, so it fails open. Only a rejected site key raises an administrator warning; any timeout or transport failure resolves to an allow, so a verification outage never takes Backdrop down.

Next steps

  • Inbound surfaces: the model behind the website surface.
  • Policies: scope inbound decisions by operation and agent.
  • Gateway API: the raw verify-request contract the module speaks.

On this page