# Trajectories

The Trajectory Whitelist and Blacklist feature gives you precise control over which API endpoint paths are included in, or excluded from, external security assessments. Use it to define the exact scope of automated testing so that scans stay focused on the API endpoints that matter and never touch paths you have ruled out.

### Key Features

* **Per-host rules** — Rules are applied independently for each host or domain.
* **Regex pattern matching** — Use powerful regular expressions to match complex path patterns flexibly.
* **Blacklist takes precedence** — Any path matching a blacklist rule is always excluded, even if it also matches a whitelist rule.

### Trajectory Whitelist

The whitelist defines which API paths are **allowed** to be tested for a given host. Only endpoints whose path matches at least one whitelist regex pattern for that host are included in the external assessment.

Use the whitelist when you want to restrict testing to specific, known API areas.

<figure><img src="/files/pWGprqqJMIPBKvJsa5xZ" alt=""><figcaption></figcaption></figure>

### Trajectory Blacklist

The blacklist defines which API paths must be **excluded** from testing. Any endpoint whose path matches a blacklist regex pattern will be completely ignored during the assessment, regardless of whether it matches a whitelist rule.

**Important**: Blacklist rules always override whitelist rules.

<figure><img src="/files/jR9ZwDJrmj6yOgIQisQL" alt=""><figcaption></figcaption></figure>

### How to Configure Rules

1. Navigate to the **Trajectory** section in the Settings page.
2. **Under the Trajectory Whitelist section, choose a host**:
   * Select an existing discovered host from the list, or
   * Choose **Select Custom Host** and enter the hostname manually.
3. **Add a rule**:
   * Enter a valid regex pattern for the path.
   * Click **Add rule**.
4. Repeat the process to add more rules for the same host or for a different host.

You can add rules to both the **Trajectory Whitelist** and **Trajectory Blacklist** sections independently.

### Common Regex Pattern Examples

Here are useful patterns to get you started:

* `^/api/users$`: matches only the exact path `/api/users`. Without the `^` and `$` anchors, a pattern such as `api/users` matches any path that *contains* that text, including `/api/users/123` and `/internal/api/users`, so anchor patterns whenever you mean an exact path.
* `^/api/users/.*`: matches `/api/users/` followed by anything (e.g. `/api/users/123`).
* `^/api/v[0-9]+/.*`: matches versioned API paths such as `/api/v1/...` and `/api/v2/...`.
* `^/api/(users|posts|comments)/.*`: matches specific resources: `/api/users/...`, `/api/posts/...` or `/api/comments/...`.
* `^/admin/.*`: matches all admin-related paths (useful for blacklisting).
* `^/(api|graphql)/.*`: matches both REST API and GraphQL endpoints.
* `.*\.(js|css|png|jpg|gif)$`: matches static asset files (recommended for blacklisting).

Remember that the blacklist is evaluated first: a path matching both `^/api/v[0-9]+/.*` in the whitelist and `^/admin/.*` in the blacklist is excluded.

### Testing Your Rules (Examples Section)

Before launching an external assessment, always verify your whitelist and blacklist configuration using the **Examples** testing area on the right side of the page.

**How to test**:

1. Select a host from the dropdown.
2. View the list of currently discovered API endpoints.
3. Each endpoint will show whether it **passes** (included) or **fails** (excluded) based on your rules.
4. You can also enter custom paths to test them instantly.

{% hint style="info" %}
This step is crucial because the entire API testing scope depends on the correct whitelist and blacklist behaviour. Testing here helps catch misconfigured regex patterns early and prevents unintended inclusion or exclusion of endpoints.
{% endhint %}

<figure><img src="/files/f8926FojkhJPf0CQ7iXu" alt=""><figcaption></figcaption></figure>
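As an added illustration (not part of this page or the product's own code), the following Python script applies the rules described above the way the Examples panel reports them: rules are held per host, the blacklist is checked before the whitelist so it always wins, every pattern is compiled up front so a malformed regex is caught before it silently changes the scope, and each discovered path is reported as `pass` or `fail`. Two things are assumptions rather than documented behaviour: each regex is applied as an unanchored search (the reason the patterns on this page carry `^` and `$`), and a host with no whitelist rules is treated as unrestricted. Always confirm both against the Examples panel, since the product's exact matcher is not described here. The rule set and endpoint list are constructed sample data.

```python
import re

# Constructed rule set for one host, laid out the way the Settings page
# groups them: a whitelist and a blacklist of regex patterns per host.
RULES = {
    "api.example.com": {
        "whitelist": [r"^/api/v[0-9]+/.*", r"^/graphql$"],
        "blacklist": [r"^/api/v[0-9]+/admin/.*", r"\.(js|css|png|jpg|gif)$"],
    },
}

# Constructed sample of "discovered" endpoints for that host.
SAMPLE_PATHS = [
    "/api/v1/users/123",
    "/api/v2/posts",
    "/api/v2/admin/users",
    "/api/v1/assets/app.js",
    "/graphql",
    "/graphql/schema",
    "/health",
    "/legacy/api/v1/users",
]


def validate_pattern(pattern):
    """Return None if the regex compiles, otherwise the error message.

    Run this over every rule before trusting a scope: an unbalanced
    parenthesis or a stray quantifier is exactly the kind of mistake the
    Examples panel is there to catch.
    """
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def _any_match(patterns, path):
    # Assumption: unanchored search semantics, so ^ and $ are meaningful.
    return any(re.search(p, path) for p in patterns)


def in_scope(rules, host, path):
    """Apply the documented precedence: blacklist first, then whitelist."""
    host_rules = rules.get(host, {})
    blacklist = host_rules.get("blacklist", [])
    whitelist = host_rules.get("whitelist", [])
    if _any_match(blacklist, path):
        return False  # a blacklist hit always excludes the path
    if not whitelist:
        return True  # assumption: no whitelist rules means unrestricted
    return _any_match(whitelist, path)


def classify(rules, host, paths):
    """Mirror the Examples panel: map each path to 'pass' or 'fail'."""
    return {p: ("pass" if in_scope(rules, host, p) else "fail") for p in paths}


def invalid_patterns(rules):
    """List (host, kind, pattern, error) for every rule that does not compile."""
    bad = []
    for host, host_rules in rules.items():
        for kind in ("whitelist", "blacklist"):
            for pat in host_rules.get(kind, []):
                err = validate_pattern(pat)
                if err is not None:
                    bad.append((host, kind, pat, err))
    return bad


if __name__ == "__main__":
    for host, kind, pat, err in invalid_patterns(RULES):
        print(f"INVALID {kind} rule for {host}: {pat!r} ({err})")
    for path, verdict in classify(RULES, "api.example.com", SAMPLE_PATHS).items():
        print(f"{verdict:4}  {path}")
    # Anchoring matters under search semantics: the unanchored form also
    # admits paths that merely contain the text.
    loose = {"h": {"whitelist": ["api/users"]}}
    strict = {"h": {"whitelist": ["^/api/users$"]}}
    probe = ["/api/users", "/api/users/1", "/internal/api/users"]
    print("unanchored:", classify(loose, "h", probe))
    print("anchored:  ", classify(strict, "h", probe))
```

Running the script prints `pass` for `/api/v1/users/123`, `/api/v2/posts` and `/graphql`, and `fail` for everything else in the sample: `/api/v2/admin/users` and `/api/v1/assets/app.js` because the blacklist wins even though the whitelist also matches them, `/graphql/schema` and `/legacy/api/v1/users` because the anchored whitelist patterns do not match them. The final two lines show why the first pattern in the examples list needs its anchors.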
