API Management policies
This section provides a reference for the following API Management policies. For information on adding and configuring policies, see Policies in API Management.
Policies are a powerful capability of the system that allow the publisher to change the behavior of the API through configuration. Policies are a collection of Statements that are executed sequentially on the request or response of an API. Popular Statements include format conversion from XML to JSON and call rate limiting to restrict the amount of incoming calls from a developer. Many more policies are available out of the box.
Policy expressions can be used as attribute values or text values in any of the API Management policies, unless the policy specifies otherwise. Some policies such as the Control flow and Set variable policies are based on policy expressions. For more information, see Advanced policies and Policy expressions.
- Access restriction policies
- Check HTTP header - Enforces existence and/or value of a HTTP Header.
- Limit call rate by subscription - Prevents API usage spikes by limiting call rate, on a per subscription basis.
- Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.
- Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
- Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
- Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
- Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.
- Advanced policies
- Control flow - Conditionally applies policy statements based on the evaluation of Boolean expressions.
- Forward request - Forwards the request to the backend service.
- Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
- Log to Event Hub - Sends messages in the specified format to a message target defined by a Logger entity.
- Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
- Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.
- Return response - Aborts pipeline execution and returns the specified response directly to the caller.
- Send one way request - Sends a request to the specified URL without waiting for a response.
- Send request - Sends a request to the specified URL.
- Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
- Set variable - Persist a value in a named context variable for later access.
- Set request method - Allows you to change the HTTP method for a request.
- Set status code - Changes the HTTP status code to the specified value.
- Trace - Adds custom traces into the API Inspector output, Application Insights telemetries, and Resource Logs.
- Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.
- Authentication policies
- Caching policies
- Get from cache - Perform cache look up and return a valid cached response when available.
- Store to cache - Caches response according to the specified cache control configuration.
- Get value from cache - Retrieve a cached item by key.
- Store value in cache - Store an item in the cache by key.
- Remove value from cache - Remove an item in the cache by key.
- Cross domain policies
- Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
- CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
- Transformation policies
- Convert JSON to XML - Converts request or response body from JSON to XML.
- Convert XML to JSON - Converts request or response body from XML to JSON.
- Find and replace string in body - Finds a request or response substring and replaces it with a different substring.
- Mask URLs in content - Re-writes (masks) links in the response body so that they point to the equivalent link via the gateway.
- Set backend service - Changes the backend service for an incoming request.
- Set body - Sets the message body for incoming and outgoing requests.
- Set HTTP header - Assigns a value to an existing response and/or request header or adds a new response and/or request header.
- Set query string parameter - Adds, replaces value of, or deletes request query string parameter.
- Rewrite URL - Converts a request URL from its public form to the form expected by the web service.
- Transform XML using an XSLT - Applies an XSL transformation to XML in the request or response body.
- Dapr integration policies
For more information working with policies, see: