How-to

Setting Up Your First Logpush Source

Create a source, get your ingest URL and secret, and configure eCDN Logpush via the CDN Zones API.

5 min readLast updated 26 April 2026

Jump to section

What you need
Prerequisites: Set up an API Client in Account Manager
Get an access token
Step 1: Create a source in Edge
Step 2: Create a Logpush job via the CDN Zones API
Authentication
Recommended fields
Step 3: Enable the Logpush job
Step 4: Verify data is flowing
Troubleshooting

What you need

Access to the Blankitt Edge dashboard
A Salesforce Commerce Cloud Account Manager login with API Client permissions
Your SFCC Organization ID (found in Account Manager under Organizations)

Prerequisites: Set up an API Client in Account Manager

Before you can configure Logpush, you need an API Client in SFCC Account Manager that has access to the CDN Zones API.

Log in to Account Manager (production) or your sandbox Account Manager
Go to API Client in the left sidebar
Click Add API Client
Fill in the top section:
- Display Name: e.g. "Blankitt Edge Logpush"
- Password: generate a strong password — this becomes your client_secret
Scroll down to the OpenID Connect section and configure:
- Default Scopes: clear the default (mail) and enter sfcc.cdn-zones.rw (note: hyphens, not dots)
- Allowed Scopes: enter sfcc.cdn-zones.rw
- Redirect URIs: leave empty (not needed for machine-to-machine auth)
- Token Endpoint Auth Method: change the dropdown from private_key_jwt to client_secret_post
Leave the JWT section empty (the Client JWT Bearer Public Key field is not needed with client_secret_post)
Under Organizations, add your org and grant the sfcc.cdn-zones.rw scope
Click Save and note the Client ID shown at the top of the page

You now have a client_id and client_secret (the password you set) that can authenticate against the SFCC token endpoint and call CDN Zones endpoints.

Get an access token

All CDN Zones API calls require a Bearer token. Obtain one via the SFCC token endpoint:

curl -X POST https://account.demandware.com/dwsso/oauth2/access_token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>"

The response contains an access_token (valid for 30 minutes). Use it in the Authorization: Bearer header for all subsequent API calls.

Step 1: Create a source in Edge

Navigate to Sources in the sidebar
Click New source
Choose a deployment mode: Cloud (Logpush sends data to Blankitt's cloud) or On-prem agent (data stays on your network)
Enter a display name (e.g. "Production" or "RefArch / Production") and optionally the SFCC realm ID
Click Create source
The modal shows your Ingest URL and Ingest Secret — copy both immediately
Click "What's next?" to see the setup guide on the source detail page

The secret is shown once. After you close the modal it cannot be recovered. If you lose it, use the Rotate Secret button to generate a new one.

Step 2: Create a Logpush job via the CDN Zones API

SFCC merchants configure Logpush through the CDN Zones API, not the Cloudflare dashboard directly.

Use the API to create a new Logpush job with these settings:

Setting	Value
Log type	`http_requests`
Destination type	HTTPS
Destination URL	Your per-source ingest URL from step 1
Custom header	`header_Authorization: Bearer <your-secret>` (passed as a URL parameter for HTTPS destinations)

Authentication

Edge supports two authentication methods:

Static bearer token (recommended): Set the Authorization: Bearer <your-secret> header via the HTTPS destination URL parameter. This is the simplest method and works with SFCC eCDN Logpush.
HMAC signature: Set the X-Edge-Signature header with the HMAC-SHA256 of each batch body signed with your secret. More secure but requires the Logpush client to compute the signature per batch.

Recommended fields

Select all fields for maximum detector coverage, or at minimum include:

EdgeStartTimestamp, ClientIP, ClientCountry, ClientASN, ClientRequestPath, ClientRequestUserAgent, EdgeResponseStatus, EdgeResponseBytes, OriginResponseStatus, OriginResponseDurationMs, CacheCacheStatus, EdgeColoCode, ClientSSLProtocol, ClientSSLCipher, BotScore, BotScoreSrc, SecurityActions, SecurityRuleIDs

Key fields for specific detectors:

BotScore + BotScoreSrc — enables the Bot Score detector (automated traffic detection)
SecurityActions — enables the Challenge Solving detector (post-mitigation evasion)
CacheCacheStatus — enables the Cache Bypass detector
ClientSSLProtocol — enables the TLS Weak Protocol detector

Step 3: Enable the Logpush job

Important: Logpush jobs are not enabled upon creation. Use the CDN Zones API to enable the job after creating it. Once enabled, batches will start arriving within 60 seconds.

Note: SFCC eCDN supports a maximum of two Logpush jobs per zone. Plan your job configuration accordingly.

Step 4: Verify data is flowing

After enabling the Logpush job, wait 60 seconds then check:

The source detail page shows "Last seen Xs ago"
The Overview page populates with traffic data
The setup guide on the source detail page shows "Logpush connected — data flowing"

Troubleshooting

Symptom	Cause	Fix
Source shows "Never seen"	Logpush job not enabled, or destination URL is wrong	Verify the job is enabled via the CDN Zones API. Check the destination URL matches your ingest URL exactly.
401 errors in Logpush logs	Invalid or missing secret	Check the `Authorization: Bearer` header value matches your ingest secret. If lost, rotate the secret in Edge.
429 errors	Rate limited (batches arriving too fast)	Edge enforces a 2-second minimum gap between batches. SFCC eCDN pushes at a fixed frequency which should not trigger this.
Data appears but detectors don't fire	Insufficient data volume	Most detectors have minimum request floors (1,000–10,000). Wait for enough traffic to accumulate, or lower the floor on the Rules page.
Missing bot score data	BotScore field not included	Add `BotScore` and `BotScoreSrc` to your Logpush field selection for Bot Score detector coverage.