AxioRankDocs
Integrations

Drupal

Verify the AI agents that reach your Drupal REST, JSON:API, admin, and dynamic endpoints with the AxioRank Agent Verification module. A thin client of the inbound verify endpoint, with monitor and enforce modes.

Most AxioRank integrations govern the calls your agents make outbound. The Drupal module is on the inbound side: it verifies the AI agents reaching into a website surface you operate. It is a thin client of the verify endpoint, so each protected request is forwarded as one authenticated POST to /api/gateway/verify-request and the verdict is applied in Drupal. There is no local model to run.

An API verifier, not a crawler blocker

Fully page-cached pages are served before the Drupal kernel bootstraps, so the module never sees them. That is by design: it governs the surface that actually reaches PHP, your JSON:API (/jsonapi), core REST, login, admin, search, and any signed or bot-like request. To challenge crawlers on cached pages, verify at the edge in front of the cache.

Install

  1. Register a website surface in AxioRank under Settings, Surfaces (or with POST /api/surfaces) and copy its site key (axr_site_...), distinct from your agent key.

  2. Add the AxioRank Agent Verification module and enable it:

    composer require drupal/axiorank
    drush en axiorank
  3. Open Configuration, Web services, AxioRank Agent Verification (/admin/config/services/axiorank) and paste the site key, or define it in settings.php for better hygiene:

    $settings['axiorank_site_key'] = 'axr_site_...';
  4. Leave the mode on Monitor, save, and use Test connection to confirm AxioRank is reachable.

What gets verified

The module only forwards requests worth checking, so ordinary anonymous page views never call out:

  • Any request carrying Web Bot Auth signature headers (always verified).
  • An enabled sensitive endpoint: JSON:API (/jsonapi), core REST (?_format=json or hal_json), login and password routes, admin paths, or search. Each is a toggle on the settings page.
  • Any request with a bot-like user agent, which catches crawlers that reach the kernel on a cache miss.

Each verified request is scored and logged in your AxioRank dashboard with the agent identity, verification method, and risk, exactly like any other inbound surface request.

Monitor first, then enforce

A surface starts in monitor posture: AxioRank computes and logs the verdict, but nothing is blocked. Watch the audit log to see what would have been challenged or blocked, then set both the AxioRank surface and the module to enforce. The module acts only when the response's own enforced flag is true, so the surface posture stays authoritative:

  • block returns 403 (a JSON body for JSON:API and REST requests).
  • challenge returns 401.

Fail-open by design

Verification sits in the hot path of your own site, so it fails open. Only a rejected site key raises an administrator warning; any timeout or transport failure resolves to an allow, so a verification outage never takes Drupal down.

Next steps

  • Inbound surfaces: the model behind the website surface.
  • Policies: scope inbound decisions by operation and agent.
  • Gateway API: the raw verify-request contract the module speaks.

On this page