JSON Payload Limit in Azure APIM

Question

Hi All,

I have a POST API request wrapped in Azure APIM. The POST request requires us to send JSON Payload in Raw/JSON format.

I have around records transformed into a JSON list of Python Objects essentially a JSON payload.
When I try to POST the entire JSON payload at once, I get a 403 Forbidden Error on APIM. But If I try to post around 500 Records (<128KB for my payload), the POST API works as expected with 200 Response without any errors.

The moment I increase the number of records to 550 or more (which makes my payload size >128KB), the API fails again with 403 Forbidden Error.

I have checked this multiple time and as long as the request body JSON payload is <128KB, API works.

Also, performing a direct call to the endpoint without APIM, there is no such issue no matter how large or small of a JSON payload I send via POST request.

Answer 1

Hi @Naveed Kagathara ,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

The 128KB restriction you're hitting is a known limitation of the Azure Portal Test console (the built-in Test tab), not of the APIM gateway itself. The Test pane is a lightweight browser-based tool primarily intended for quick, simple request validation - it imposes its own constraints on request body size independent of any APIM policies.

This aligns with your observation that calling the endpoint directly (bypassing APIM's Test pane) works fine regardless of payload size.

The recommended workaround is to test with an external HTTP client instead:

• Postman – paste your full JSON payload in the Body tab (raw/JSON), add your Ocp-Apim-Subscription-Key header from the APIM portal (found under Subscriptions), and call your APIM endpoint directly.
• curl – for example:

    curl -X POST "https://<your-apim>.azure-api.net/<api-path>" \
      -H "Content-Type: application/json" \
      -H "Ocp-Apim-Subscription-Key: <your-key>" \
      -d @payload.json
  

• VS Code with the REST Client extension – lets you reference an external .json file as the body, so payload size isn't an issue.

Your APIM gateway itself has no 128KB restriction — as confirmed by the official APIM limits documentation, the maximum request payload size is up to 1 GiB (on Developer/Basic/Standard/Premium tiers). The 128KB ceiling you're hitting exists only within the portal's Test pane UI, so switching to any external client may resolve it entirely.

Answer 2

Hello Naveed Kagathara,

Thanks for raising this question in Azure Q&A forum.

Azure APIM has several JSON payload limits that apply depending on your tier and what policy you're using, and each can be tuned differently.

Understanding the Default Limits

There are three distinct limits at play in APIM:

Maximum request payload size — up to 1 GiB (Developer, Basic, Standard, Premium tiers); only 2 MiB on Consumption tier

Maximum buffered payload size — 2 MiB on all tiers. This is the key limit when policies need to read or modify the request/response body using context.Request.Body or set-body — if the body exceeds this, APIM cannot buffer it in memory for policy processing

validate-content policy default max-size — 100 KB by default, and can be increased up to 4 MB via a support request

Enforcing a Custom JSON Payload Limit

To enforce your own JSON payload size limit (e.g., reject payloads over a certain size), use one of these two approaches:

Option 1 — Using validate-content policy (recommended for JSON validation + size check together)

This is the cleanest approach as it validates both the size and the JSON structure against a schema:

xml
<inbound>
    <base />
    <validate-content 
        unspecified-content-type-action="prevent" 
        max-size="102400"
        size-exceeded-action="prevent" 
        errors-variable-name="requestBodyValidation">
        <content type="application/json" validate-as="json" action="prevent" />
    </validate-content>
</inbound>

Here max-size is in bytes — 102400 = 100 KB. Change this to your desired limit. Note the default cap is 100 KB and requires a support ticket to raise above 4 MB.​

Option 2 — Using Content-Length header check (works for any size, no buffering needed)

Use this when you want to enforce limits larger than 4 MB without buffering the body, by checking the Content-Length header directly:

xml
<inbound>
    <base />
    <choose>
        <when condition="@(int.Parse(context.Request.Headers.GetValueOrDefault("Content-Length","0")) > 5242880)">
            <return-response>
                <set-status code="413" reason="Payload Too Large" />
                <set-body>@{ return "JSON payload exceeds the allowed limit of 5 MB."; }</set-body>
            </return-response>
        </when>
    </choose>
</inbound>

This rejects any request where Content-Length exceeds 5 MB (5 × 1024 × 1024 = 5,242,880 bytes) with an HTTP 413 response. Note this relies on the client sending a Content-Length header — which all well-behaved HTTP/1.1 clients do for POST/PUT requests.

Option 3 — Routing based on size (advanced)

If you need to route large vs. small payloads to different backends (e.g., a sync endpoint for small payloads and an async queue-based endpoint for large ones), use the routing-by-size pattern:​

xml
<inbound>
    <base />
    <set-variable name="bodySize" value="@(context.Request.Headers.GetValueOrDefault("Content-Length","0"))" />
    <choose>
        <when condition="@(int.Parse(context.Variables.GetValueOrDefault<string>("bodySize")) < 262144)">
            

Key Recommendation

If your concern is about policies like set-body or context.Request.Body.As<JObject>() failing on large payloads those are bounded by the 2 MiB buffered payload limit which cannot be increased. For payloads exceeding 2 MiB that need transformation, the recommended pattern is to avoid buffering by using streaming or routing to a backend service that handles the transformation outside APIM.

If it helps kindly accept the answer.

Best Regards,

Jerald Felix