---
title: Out-of-context decoy API
description: Out-of-context decoy APIs are independent APIs where every path is a decoy API. Any sub-paths accessed in the API are treated as part of the decoy API.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_out_of_context_decoy_api
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_out_of_context_decoy_api.html
revdate: June 4, 2024
---

# Out-of-context decoy API

Out-of-context decoy APIs are independent APIs where every path is a decoy API. Any sub-paths accessed in the API are treated as part of the decoy API.

![Diagram of ASE blocking attackers through decoy APIs](../_images/nhx1564009028148.png)

The following is a snippet of a trading API JSON file which has been deployed as a decoy API:

```json
{
    "api_metadata": {
        "protocol": "http",
        "url": "/account",
        "hostname": "*",
;
; Note – other configuration parameters removed
;
        "decoy_config":
        {
          "decoy_enabled": true,
          "response_code" : 200,
          "response_def" : "OK",
          "response_message" : "OK",          Decoy API Configuration
          "decoy_subpaths": [

          ]
       }
```

Since the `decoy_subpaths` parameter is empty, any sub-path accessed by the attacker after `/account` is regarded as a decoy path or decoy API.

After configuring in-context or out-of-context decoy APIs, you can check the API listings by running the `list_api` command:

```
opt/pingidentity/ase/bin/cli.sh list_api -u admin -p
flight ( loaded ), https
shop ( loaded ), https, decoy: in-context
trading ( loaded ), https, decoy: out-context
```