Possibilities to hide or disable Mendix API Swagger page

0
Hello experts, is it possible to hide or disable the API Swagger page for some security consideration?
asked
2 answers
0

Hi,


Yes, you can hide or disable the Swagger (OpenAPI) page in Mendix. There is no direct “disable Swagger UI” checkbox in Studio Pro, but there are a few standard ways Mendix teams handle this depending on the requirement.

1. Disable API documentation

If you are exposing REST services from Published REST Services, Swagger is generated from the API documentation. If you disable documentation, the Swagger UI will not be accessible.

Go to:

Project → Settings → Runtime → API documentation

Set Enable API documentation = No

After that, the Swagger endpoint (/api-doc/) will no longer be available.

2. Restrict access using security

Another common approach is to leave Swagger enabled but restrict access.

You can do this by enabling production security and ensuring only administrators or internal roles can access API documentation endpoints.

Typically teams restrict access at:

/api-doc/
/swagger/

This can be done via a reverse proxy (NGINX, IIS, API gateway) or network-level restrictions.

3. Block the endpoint at infrastructure level

In production environments it is common to block Swagger externally rather than inside Mendix.

Examples:

  • NGINX rule
  • API gateway
  • firewall rule

For example:

# NGINX example: return 403 for the Swagger UI paths
location /api-doc/ { deny all; }
location /swagger/ { deny all; }

This allows the APIs to work normally but prevents users from opening the Swagger UI.

In production

Most production Mendix environments either:

  • Disable API documentation completely, or
  • Allow Swagger only in dev/test environments and block it in production via proxy or gateway

This keeps the API endpoints available while preventing external users from discovering the API structure through Swagger.

If you're exposing APIs publicly, the safest setup is usually:

Disable API documentation in production and keep it enabled only in development environments.

answered
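A post-deployment check that verifies the documentation endpoints are actually blocked after applying the steps above, written as an added example that is not part of this thread or of Mendix itself. It probes the paths named in the answer (/api-doc/, /swagger/) plus /rest-doc/, which is assumed here as the path Mendix uses for published REST service documentation and may not apply to every app.

```python
"""Verify that Swagger/OpenAPI documentation pages are not reachable on a deployed Mendix app."""
import sys
import urllib.error
import urllib.request

# /api-doc/ and /swagger/ come from the thread; /rest-doc/ is an assumed Mendix path.
DOC_PATHS = ["/api-doc/", "/swagger/", "/rest-doc/"]


def classify(status: int, body: bytes) -> str:
    """Turn an HTTP status and body into a verdict.

    401/403/404 means the proxy, gateway or runtime refused the page.
    200 with Swagger/OpenAPI markers in the body means the UI is still exposed.
    """
    if status in (401, 403, 404):
        return "blocked"
    lowered = body.lower()
    if status == 200 and (b"swagger" in lowered or b"openapi" in lowered):
        return "exposed"
    return "unknown"


def probe(base_url: str, path: str, timeout: float = 5.0):
    """Fetch base_url + path and return (status, first 4 KiB of body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "doc-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:          # 4xx/5xx still carry a status
        return e.code, e.read(4096)
    except urllib.error.URLError:                # DNS failure, refused connection
        return 0, b""


def check_all(base_url: str, fetch=probe) -> dict:
    """Probe every documentation path; `fetch` is injectable for offline testing."""
    return {path: classify(*fetch(base_url, path)) for path in DOC_PATHS}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid"  # placeholder host
    results = check_all(base)
    for path, verdict in results.items():
        print(f"{path:<12} {verdict}")
    # Non-zero exit lets a CI/CD pipeline fail the deployment if any doc page is exposed.
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it as `python check_docs.py https://your-app.example` against production after enabling the proxy rules; a `blocked` verdict on every path confirms the Swagger UI is no longer reachable from outside.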
0


If you want to reduce this kind of security risk, you should enable security on the published REST service itself. In the Security section, set Requires authentication to Yes.


Mendix provides three authentication options there, and all of them can work depending on your setup. However, as a best practice, I usually recommend using Custom authentication.


The reason is that a user being logged in does not necessarily mean that they should be allowed to use the service. With the Custom option, you can run your own business logic in a microflow and decide exactly who is allowed to access the service and under which conditions.


You can also use Allowed roles to restrict access further, so only specific user roles are allowed to trigger the service through Swagger.


Other than this, there is no direct setting in Mendix to completely disable the Swagger page itself. If needed, another approach is to coordinate with your network or infrastructure team and ask them to block access to the Swagger endpoint (for example /api-doc/) at the proxy, firewall, or gateway level. This way the Swagger UI is not accessible externally, while the REST services themselves can still remain available if required.


If this resolves your issue, please mark the answer as accepted so it can help others facing the same problem.


answered