# Schema Overview EaaS (Edge as a Service) is a tenant configuration system for Akamai's edge platform. Each tenant — typically identified by a hostname — gets a single JSON configuration file that controls delivery behavior (caching, routing, headers) and security policies (WAF rules, IP blocking, rate limiting). When a request arrives at the Akamai edge, an EdgeWorker reads the tenant's configuration and applies it in real time. Changes take effect on the next request — no property activation or deployment step needed. ## Configuration Structure A tenant configuration has four top-level sections. Only configure what you need — all are optional. ``` tenant.json ├── tenant_id Identifies the tenant in logs and analytics ├── lists Named value lists referenced in match rules ├── delivery_config │ ├── version Always "1.0" │ ├── onClientRequest │ │ └── features Caching, routing, headers, redirects... │ ├── onOriginResponse │ │ └── features Response headers, cache tags... │ └── onClientResponse │ └── features Client-facing headers, compression... └── security_config WAF rules, IP blocking, rate limiting ``` ### Minimal Working Config The smallest useful config routes traffic to your origin: ```json { "tenant_id": "my-app", "delivery_config": { "version": "1.0", "onClientRequest": { "features": { "route": { "rules": [{ "args": { "originId": "default_eaas" }, "pm_variables": { "RT_ORIGIN_DNS": "origin.example.com", "RT_ORIGIN_HOST_HEADER": "origin.example.com" } }] } } } } } ``` Add caching, security, headers, and other features as needed. Here's a more complete example: ```json { "tenant_id": "my-app", "delivery_config": { "version": "1.0", "onClientRequest": { "features": { "caching": { "rules": [{ "matchAll": { "paths": ["/api/*"] }, "args": { "ttl_seconds": 3600 } }] }, "route": { "rules": [{ "args": { "originId": "default_eaas" }, "pm_variables": { "RT_ORIGIN_DNS": "origin.example.com" } }] } } } }, "security_config": { "deny_groups": ["SQL-INJECTION-ANOMALY", "XSS-ANOMALY"] } } ``` This config caches `/api/*` responses for one hour, routes to a custom origin, and enables SQL injection and XSS protection. ## Rule Structure Most features use a **rule-based structure** — a list of rules where the first match wins: ```json { "feature_name": { "rules": [ { "matchAll": { "paths": ["/api/*"] }, "args": { /* feature-specific options */ } } ] } } ``` Some features also accept a simple value (e.g., `"connectTimeout": 5000`) when no conditional logic is needed. ### Match Conditions Match conditions determine **when** a rule fires. Three operators control how conditions combine: | Operator | Behavior | |---|---| | `matchAll` | All conditions must match (AND) | | `matchAny` | Any condition must match (OR) | | `matchNone` | No conditions must match (NOT) | See [Match Conditions](/tenant-schemas/match-conditions) for the full list of conditions and examples. ## Available Features Each event handler supports different features. Click a feature name to see its full documentation. See [Delivery Configuration](/tenant-schemas/delivery-config) for detailed documentation and examples for each feature. ## Tenant Identification The `tenant_id` property identifies the tenant in datastream logs and analytics. It is defined at the top level — outside `delivery_config` and `security_config`. `tenant_id` accepts either a single string or an array of up to 5 strings. Each value must be at most 20 characters long and cannot contain "|" or "," characters. For a single tenant: ```json { "tenant_id": "my-tenant" } ``` For multiple tenant IDs (up to 5): ```json { "tenant_id": ["tenant-a", "tenant-b", "analytics-group"] } ``` [View Schema Definition](/tenant-schema.html#tenant_id) > **NOTE** Migration from tenantTag The `tenant_id` property replaces the deprecated `tenantTag` feature that was previously nested inside `delivery_config.onClientRequest.features`. Unlike `tenantTag`, `tenant_id` is a top-level property. ## Lists The `lists` property defines named lists of string values that can be referenced inside match conditions using the `{{list.}}` syntax. This lets you define a set of values once and reuse it across multiple rules, avoiding duplicated values across rules and making updates easier. ```json { "lists": { "blocked_ips": ["192.0.2.0/24", "198.51.100.0/24"], "api_paths": ["/api/v1/*", "/api/v2/*"], "bot_agents": ["curl/7*", "python-requests*"] }, "delivery_config": { "version": "1.0", "onClientRequest": { "features": { "respondWith": { "rules": [{ "matchAll": { "ipv4": "{{list.blocked_ips}}" }, "args": { "status": 403, "body": "Forbidden" } }] }, "caching": { "rules": [{ "matchAll": { "paths": "{{list.api_paths}}" }, "args": { "ttl_seconds": 60 } }] } } } } } ``` List references work in any match condition value — strings, arrays, and header/query objects. You can also mix list references with inline values: ```json { "matchAll": { "ipv4": ["{{list.blocked_ips}}", "203.0.113.0/24"], "reqheader": { "User-Agent": "{{list.bot_agents}}" } } } ``` Lists can also be defined in a shared **common config** (`common.json`), making them available across all tenants. Local tenant lists take precedence over common lists when both define the same key. See the [Release 1.12.0 notes](/tenant-schemas/releases/1.12.0) for full details on common config setup. [View Schema Definition](/tenant-schema.html#lists) ## Next Steps - [Delivery Configuration](/tenant-schemas/delivery-config) — configure caching, routing, headers, and more - [Match Conditions](/tenant-schemas/match-conditions) — target rules by path, IP, geography, headers - [Security Configuration](/tenant-schemas/security-config) — WAF rules, IP blocking, bot detection - [Best Practices](/best-practices) — rule ordering, testing, debug headers, schema limits - [Configuration Examples](/examples) — real-world patterns you can copy - [Tenant Validator](/validator) — validate your config against the schema