API Management policy reference

This section provides links to reference articles for all API Management policies.

More information about policies:

Access restriction policies

  • Check HTTP header - Enforces existence and/or value of an HTTP header.
  • Limit call rate by subscription - Prevents API usage spikes by limiting call rate, on a per subscription basis.
  • Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.
  • Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
  • Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
  • Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
  • Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP header or a specified query parameter.
  • Validate client certificate - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.

Advanced policies

  • Control flow - Conditionally applies policy statements based on the evaluation of Boolean expressions.
  • Forward request - Forwards the request to the backend service.
  • Limit concurrency - Prevents enclosed policies from being executed by more than the specified number of requests at a time.
  • Log to event hub - Sends messages in the specified format to a message target defined by a Logger entity.
  • Emit metrics - Sends custom metrics to Application Insights at execution.
  • Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
  • Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.
  • Return response - Aborts pipeline execution and returns the specified response directly to the caller.
  • Send one way request - Sends a request to the specified URL without waiting for a response.
  • Send request - Sends a request to the specified URL.
  • Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
  • Set variable - Persists a value in a named context variable for later access.
  • Set request method - Allows you to change the HTTP method for a request.
  • Set status code - Changes the HTTP status code to the specified value.
  • Trace - Adds custom traces into the API Inspector output, Application Insights telemetry, and Resource Logs.
  • Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.

Authentication policies

Caching policies

Cross domain policies

  • Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
  • CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
  • JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

Dapr integration policies

GraphQL API policies

Transformation policies

Validation policies

  • Validate content - Validates the size or JSON schema of a request or response body against the API schema.
  • Validate parameters - Validates the request header, query, or path parameters against the API schema.
  • Validate headers - Validates the response headers against the API schema.
  • Validate status code - Validates the HTTP status codes in responses against the API schema.

Next steps

For more information about working with policies, see: