Skip to main content
This guide walks you through the two things every CDN deployment needs: serving your RSL license at your domain, and enforcing the Crawler Authentication Protocol (CAP) to protect your content from unlicensed crawlers. This is a general guide. Specific guidance for each CDN is available:

Fastly

VCL and Compute, including service chaining.

CloudFront

CloudFront Functions, Lambda@Edge, and Terraform.

Cloudflare

Workers for RSL and CAP enforcement.

Other CDNs

Generic patterns for any platform.

Before You Start

You need:
  • A Supertab Connect merchant accountcontact sales to sign up
  • A Website registered in the Supertab Connect dashboard with your domain’s base URL
  • Your Website URN — found in your Website settings, e.g urn:stc:merchant:system:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • A Merchant API key — generated under Website Details → API Keys in the dashboard
  • Access to your CDN configuration for the domain you want to protect

Part 1: Serve Your RSL License

Your RSL license needs to be accessible at https://yourdomain.com/license.xml. Supertab Connect hosts the license content — your CDN proxies the request to our origin and rewrites the URL so it stays on your domain. 1. Add Supertab Connect as an Origin Add api-connect.supertab.co as an origin (sometimes called a backend, upstream, or host) with HTTPS on port 443. 2. Add routing for /license.xml Create a rule, behavior, or condition that matches requests to /license.xml exactly and directs them to the Supertab Connect origin. 3. Add a URL rewrite Before the request reaches the origin, rewrite the path to include your Website URN: 
/license.xml  →  /merchants/systems/YOUR_WEBSITE_URN/license.xml
e.g in a JS based runtime 
if (request.path === "/license.xml") {
  request.path = "/merchants/systems/YOUR_WEBSITE_URN/license.xml";
}
Your CDN must send Host: api-connect.supertab.co to the origin — not your own domain. If you see 502 errors, check the host header override setting.
Verify it works: visit https://yourdomain.com/license.xml in your browser and confirm you see your RSL license XML.

Part 2: Run the Supertab Connect SDK

The SDK validates the Authorization: License <token> header on crawler requests. You deploy it as an edge worker or function that runs before your origin.

Install the SDK

npm install @getsupertab/supertab-connect-sdk

Wire the request handler

Instantiate SupertabConnect once (it’s a singleton) and call handleRequest on each incoming request. The SDK handles bot detection, token extraction, JWT verification, enforcement, and analytics recording. You act on the result: 
import { SupertabConnect, EnforcementMode, HandlerAction } from "@getsupertab/supertab-connect-sdk";

const connect = new SupertabConnect({
  apiKey: YOUR_API_KEY, // best practice is to retrieve the key from your CDNs secret store.
  enforcement: EnforcementMode.SOFT,
  botDetector: (request) => {
    // optional — extend or replace the built-in UA heuristics
    const ua = request.headers.get("User-Agent") || "";
    return ua.includes("MyBot");
  },
});

// In your request handler:
const result = await connect.handleRequest(request);

if (result.action === HandlerAction.BLOCK) {
  return new Response(result.body, {
    status: result.status,
    headers: result.headers,
  });
}

// ALLOW — forward to origin
return fetch(request);

Configure the essentials

API key — Your Merchant API key from the Supertab Connect dashboard, stored as a secret in your CDN’s secret management system. Never hardcode it. Bot detection — The SDK includes built-in user-agent heuristics to identify crawler traffic. You can extend or override them by passing a botDetector function with your own signals: 
const isBot = (request) => {
  const ua = request.headers.get("User-Agent") || "";
  return ua.includes("MyCustomBot") || ua.includes("Scraper");
};

const connect = new SupertabConnect({
  apiKey: YOUR_API_KEY,
  enforcement: EnforcementMode.SOFT,
  botDetector: isBot
});
Enforcement mode — Start with SOFT (the default), which allows all traffic through but logs validation events. This lets you observe which requests would be blocked before enabling hard enforcement. Switch to STRICT once you are confident in your bot detection: 
import { EnforcementMode } from "@getsupertab/supertab-connect-sdk";

// DISABLED: no enforcement, signaling, or analytics — use during initial integration
// SOFT (default): allow all traffic, log events, attach licensing headers
// STRICT: block bots without a valid license token with a 401
Deploy in SOFT mode first. If your bot detection is too broad, STRICT enforcement could block legitimate human visitors. Review your traffic patterns before switching.

Part 3: Update robots.txt

Add a License: directive to your robots.txt so crawlers can discover your license: 
License: https://yourdomain.com/license.xml
The URL must be fully qualified. Place it at the top of the file, before any User-agent: directives. Example: 
License: https://yourdomain.com/license.xml

User-agent: *
Allow: /

Sitemap: https://yourdomain.com/sitemap.xml

Cache Invalidation

Your CDN will cache the license response. If you update your license and need the change reflected immediately, purge https://yourdomain.com/license.xml from your CDN’s cache.

CDN-Specific Guides

Each reference page covers the full setup for that platform — origins, behaviors, functions, Terraform configs, and SDK integration patterns.

Fastly

VCL and Compute service options, including VCL-to-Compute service chaining.

CloudFront

CloudFront Functions for RSL, Lambda@Edge for CAP, with a Terraform alternative.

Cloudflare

Worker-based RSL proxy and SDK Worker for CAP enforcement.

Other CDNs

Generic patterns for any CDN not listed above.