# API Configuration

Control your app's API surface — whether it's on, who can reach it, and how outside developers use it.
This is where the [runtime API](/understand/managing-vs-running) your app exposes gets turned on and
governed.

## Configure

### Turn on the backend API

Enable your app's REST API and MCP server. Each [entity](/platform/entities), [action](/platform/ai),
and [integration](/platform/integrations) is exposed individually — flip on only what you want reachable.

### Allowed origins (CORS)

Add the domains allowed to call your API from a browser, so your frontend — and only the sites you
choose — can reach it.

### API as a Service

Turn this on to let *your* users access your app programmatically. They get their own API keys and can
build on top of your app.

### Monitoring

Watch usage and traffic across your API.

## Use in your app

Your own frontend calls these endpoints through the [SDK](/api/sdk). For
outside developers, see [API as a Service](/api/api-service). The full endpoint and tool reference lives
in [MCP & API](/api/overview).

## Reference

- [MCP & API Overview](/api/overview) · [REST API](/api/rest) · [MCP Tools](/api/mcp)
- [API as a Service](/api/api-service) · [Authentication API](/api/authentication)
- [Roles & Scopes](/platform/roles) · [Usage Plans](/platform/usage-plans)