Drupal
Verify the AI agents that reach your Drupal REST, JSON:API, admin, and dynamic endpoints with the AxioRank Agent Verification module. A thin client of the inbound verify endpoint, with monitor and enforce modes.
Most AxioRank integrations govern the calls your agents make outbound. The
Drupal module is on the inbound side: it verifies the AI agents reaching into
a website surface you operate. It is a thin client of
the verify endpoint, so each protected request is forwarded as one authenticated
POST to /api/gateway/verify-request and the verdict is applied in Drupal. There
is no local model to run.
An API verifier, not a crawler blocker
Fully page-cached pages are served before the Drupal kernel bootstraps, so the
module never sees them. That is by design: it governs the surface that actually
reaches PHP, your JSON:API (/jsonapi), core REST, login, admin, search, and
any signed or bot-like request. To challenge crawlers on cached pages, verify at
the edge in front of the cache.
Install
-
Register a
websitesurface in AxioRank under Settings, Surfaces (or withPOST /api/surfaces) and copy its site key (axr_site_...), distinct from your agent key. -
Add the AxioRank Agent Verification module and enable it:
composer require drupal/axiorank drush en axiorank -
Open Configuration, Web services, AxioRank Agent Verification (
/admin/config/services/axiorank) and paste the site key, or define it insettings.phpfor better hygiene:$settings['axiorank_site_key'] = 'axr_site_...'; -
Leave the mode on Monitor, save, and use Test connection to confirm AxioRank is reachable.
What gets verified
The module only forwards requests worth checking, so ordinary anonymous page views never call out:
- Any request carrying Web Bot Auth signature headers (always verified).
- An enabled sensitive endpoint: JSON:API (
/jsonapi), core REST (?_format=jsonorhal_json), login and password routes, admin paths, or search. Each is a toggle on the settings page. - Any request with a bot-like user agent, which catches crawlers that reach the kernel on a cache miss.
Each verified request is scored and logged in your AxioRank dashboard with the agent identity, verification method, and risk, exactly like any other inbound surface request.
Monitor first, then enforce
A surface starts in monitor posture: AxioRank computes and logs the verdict,
but nothing is blocked. Watch the audit log to see what
would have been challenged or blocked, then set both the AxioRank surface and the
module to enforce. The module acts only when the response's own enforced
flag is true, so the surface posture stays authoritative:
blockreturns403(a JSON body for JSON:API and REST requests).challengereturns401.
Fail-open by design
Verification sits in the hot path of your own site, so it fails open. Only a rejected site key raises an administrator warning; any timeout or transport failure resolves to an allow, so a verification outage never takes Drupal down.
Next steps
- Inbound surfaces: the model behind the
websitesurface. - Policies: scope inbound decisions by operation and agent.
- Gateway API: the raw
verify-requestcontract the module speaks.
WordPress
Verify the AI agents that reach your WordPress REST API, admin, and dynamic endpoints with the AxioRank Agent Verification plugin. A thin client of the inbound verify endpoint, with monitor and enforce modes.
Shopify
Verify the AI agents that browse and buy on your Shopify store with the AxioRank Agent Verification app. A thin client of the inbound verify endpoint, with monitor and enforce modes and order-level enforcement.