API Endpoint Domain: Setup and Best Practices
Running an API on a dedicated subdomain like api.is-pro.dev is a common pattern for modern web applications. It keeps your API separate from your frontend, simplifies CORS configuration, and allows independent scaling. This guide covers everything you need to set up and secure your API endpoint with a free is-pro.dev subdomain.
Why Use a Dedicated API Domain
Separating your API onto its own subdomain offers several advantages:
- Clean separation of concerns between your frontend and backend
- Simplified CORS configuration since the frontend domain differs from the API domain
- Independent scaling — your API can be hosted on different infrastructure from your frontend
- Professional URL structure like api.project.is-pro.dev
Choosing Your API Subdomain
Common naming patterns for API subdomains:
- api.is-pro.dev for a general API
- api.your-project.is-pro.dev for project-specific APIs
- graphql.is-pro.dev for GraphQL endpoints
- v1.api.is-pro.dev for versioned APIs
Register your chosen subdomain at dash.is-pro.dev.
DNS Configuration for APIs
For API servers, you typically need an A record pointing to your server's IP address:
```
Type: A
Name: api
IPv4: your-server-ip
Proxy Status: DNS only (gray cloud) for TCP-based APIs, Proxied (orange cloud) for HTTP APIs
```
If your API is hosted on a platform like Railway, Render, or Fly.io, use a CNAME record instead, pointing to the platform's provided domain.
SSL for API Endpoints
HTTPS is essential for APIs to protect data in transit. Configuration options:
Cloudflare Proxy (orange cloud): SSL is handled automatically by Cloudflare. Your API is served over HTTPS with Cloudflare's shared certificate. This works well for REST and GraphQL APIs over HTTP/HTTPS.
Let's Encrypt: For direct SSL termination on your server, use Certbot:
```bash
sudo certbot --nginx -d api.is-pro.dev
```
Caddy: Automatically provisions and renews SSL certificates:
```
api.is-pro.dev {
    reverse_proxy localhost:3000
}
```
CORS Configuration
When your frontend is on a different domain than your API, configure CORS headers:
Node.js (Express):
```javascript
const express = require('express');
const cors = require('cors');
const app = express();
// Only the listed origins may read responses; credentials: true allows cookies and auth headers
app.use(cors({
  origin: ['https://app.is-pro.dev', 'https://your-frontend.vercel.app'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  credentials: true
}));
```
Python (FastAPI):
```python
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
app = FastAPI()
# Allow only the frontend origin to call the API from a browser
app.add_middleware(CORSMiddleware,
    allow_origins=["https://app.is-pro.dev"],
    allow_methods=["*"],
    allow_headers=["*"])
```
Go (Gin):
```go
// r is a *gin.Engine; cors is github.com/gin-contrib/cors
r.Use(cors.New(cors.Config{
	AllowOrigins: []string{"https://app.is-pro.dev"},
	AllowMethods: []string{"GET", "POST", "PUT", "DELETE"},
}))
```
Rate Limiting
Protect your API from abuse with rate limiting:
Cloudflare Rate Limiting: Configure in the Cloudflare dashboard under Security → WAF → Rate Limiting. Free plan allows 10 rules. Set thresholds based on your API's expected usage patterns.
Application-level limiting: Use middleware in your framework:
```javascript
const rateLimit = require('express-rate-limit');
// Allow each client 100 requests per 15-minute window
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  message: { error: 'Too many requests' }
});
// app is the Express application created earlier
app.use('/api/', limiter);
```
API Documentation
Make your API discoverable with documentation:
OpenAPI/Swagger: Define your API schema in OpenAPI 3.0 format. Host the documentation on a subpath of your API domain:
```
https://api.is-pro.dev/docs
```
Postman: Create a public workspace with collection and environment templates. Link to it from your API's root endpoint.
Response headers: Include API version, rate limit status, and documentation links in response headers.
Monitoring and Logging
Set up basic monitoring for your API:
- Health check endpoint at /health returning status and uptime
- Structured logging with correlation IDs for request tracking
- Uptime monitoring with services like UptimeRobot (free tier: 50 monitors)
- Error tracking with Sentry (free tier available)
Troubleshooting
CORS errors: Verify that your CORS configuration includes the exact origin of your frontend (including protocol and port if applicable). Use `curl -H "Origin: https://app.is-pro.dev" -I https://api.is-pro.dev/endpoint` to test.
SSL handshake failures for proxied APIs: If using Cloudflare proxy (orange cloud), ensure your origin server accepts connections from Cloudflare's IP ranges. These are published in Cloudflare's documentation.
Rate limiting too aggressive: Monitor your API usage patterns before setting limits. Start with generous limits and tighten based on observed traffic.
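For the CORS errors item above, this added example (not code from the original guide or from the cors package) shows what matching the exact origin means in practice, using only Node built-ins. The names normalizeOrigin and corsHeaders and the sample Origin values are constructed for illustration.

```javascript
// Added example: exact-match CORS origin check with Node built-ins only.
// Allowlist and methods are taken from the Express snippet above.
const ALLOWED_ORIGINS = new Set([
  'https://app.is-pro.dev',
  'https://your-frontend.vercel.app',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];

// Reduce an Origin header to scheme://host[:port]; null if it is not a plain origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  try {
    const u = new URL(value);
    if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
    return u.origin; // lower-cased host, default port removed
  } catch {
    return null;
  }
}

// Headers to attach for one request; null means "send no CORS headers at all".
function corsHeaders(originHeader, method, requestedMethod) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the single match, never '*' with credentials
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // stop caches reusing one origin's response for another
  };
  if (method === 'OPTIONS' && requestedMethod) { // preflight request
    if (!ALLOWED_METHODS.includes(requestedMethod)) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  }
  return headers;
}

// Constructed Origin values covering the "protocol and port" cases.
const samples = [
  'https://app.is-pro.dev',         // allowed
  'http://app.is-pro.dev',          // wrong scheme
  'https://app.is-pro.dev:8443',    // wrong port
  'https://app.is-pro.dev.example', // different host that merely starts the same
  'null',                           // opaque origin (sandboxed frame, file://)
];
for (const o of samples) console.log(o, '->', corsHeaders(o, 'GET') ? 'allowed' : 'blocked');
```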
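For the rate limiting settings and the rate limit status headers discussed above, this added example (not the express-rate-limit implementation) models the fixed window implied by windowMs and max and chooses the client key when the API sits behind the Cloudflare proxy. createLimiter, clientKey, the RateLimit-* header names (IETF draft naming) and the sample addresses are assumptions of this example.

```javascript
// Added example (not the express-rate-limit source): a fixed-window limiter
// driven by the same windowMs / max options as the snippet above.
function createLimiter({ windowMs, max }) {
  const hits = new Map(); // client key -> { count, resetAt }

  function check(key, now = Date.now()) {
    let entry = hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs }; // start a new window
      hits.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    const resetSeconds = Math.ceil((entry.resetAt - now) / 1000);
    const headers = {
      'RateLimit-Limit': String(max),
      'RateLimit-Remaining': String(Math.max(0, max - entry.count)),
      'RateLimit-Reset': String(resetSeconds),
    };
    if (!allowed) headers['Retry-After'] = String(resetSeconds);
    return { allowed, status: allowed ? 200 : 429, headers };
  }

  // Drop expired windows so the map cannot grow without bound.
  function sweep(now = Date.now()) {
    for (const [key, entry] of hits) if (now >= entry.resetAt) hits.delete(key);
    return hits.size;
  }

  return { check, sweep };
}

// Pick the key to count against. Behind the Cloudflare proxy the socket peer is
// Cloudflare, so the visitor address comes from CF-Connecting-IP; trust it only
// when the origin accepts connections from Cloudflare's ranges alone.
function clientKey(headers, remoteAddress, behindCloudflare) {
  const forwarded = headers['cf-connecting-ip'];
  return behindCloudflare && forwarded ? forwarded : remoteAddress;
}

// Constructed run: page settings, 101 requests from one client inside one window.
const demo = createLimiter({ windowMs: 15 * 60 * 1000, max: 100 });
let last;
for (let i = 0; i < 101; i++) last = demo.check('203.0.113.7', 0);
console.log(last.status, last.headers); // the 101st request is rejected
```

Starting with a high max and reading RateLimit-Remaining in real responses gives the observed-traffic baseline before tightening the limit.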
FAQ
Q: Can I use WebSockets with a proxied Cloudflare domain?
A: Yes, Cloudflare supports WebSocket connections through proxied DNS. Ensure your server supports WebSocket upgrades.
Q: How do I version my API?
A: Include the version in the URL path (`/v1/users`) or use a separate subdomain (`v1.api.is-pro.dev`). Path-based versioning is simpler to configure.
Q: Can I use HTTP/2 for my API?
A: Yes, Cloudflare supports HTTP/2 automatically for proxied domains. Enable it in the Speed settings.
Conclusion
Setting up an API endpoint on a dedicated is-pro.dev subdomain gives you a professional, scalable architecture at zero cost. Configure DNS, enable SSL, set up CORS, implement rate limiting, and document your endpoints. Your API will be production-ready and accessible worldwide.