API Management policy reference

This section provides links to reference articles for all API Management policies.

More information about policies:

• Policy overview
• Set or edit policies
• Policy expressions

Important

Limit call rate by subscription and Set usage quota by subscription have a dependency on the subscription key. A subscription key isn't required when other policies are applied.

Access restriction policies

• Check HTTP header - Enforces existence and/or value of an HTTP Header.
• Get authorization context - Gets the authorization context of a specified authorization configured in the API Management instance.
• Limit call rate by subscription - Prevents API usage spikes by limiting call rate, on a per subscription basis.
• Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.
• Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
• Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
• Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
• Validate Azure Active Directory token - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP header, query parameter, or token value.
• Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value.
• Validate client certificate - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.

Advanced policies

• Control flow - Conditionally applies policy statements based on the results of the evaluation of Boolean expressions.
• Emit metrics - Sends custom metrics to Application Insights at execution.
• Forward request - Forwards the request to the backend service.
• Include fragment - Inserts a policy fragment in the policy definition.
• Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
• Log to event hub - Sends messages in the specified format to an event hub defined by a Logger entity.
• Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
• Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.
• Return response - Aborts pipeline execution and returns the specified response directly to the caller.
• Send one way request - Sends a request to the specified URL without waiting for a response.
• Send request - Sends a request to the specified URL.
• Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
• Set request method - Allows you to change the HTTP method for a request.
• Set status code - Changes the HTTP status code to the specified value.
• Set variable - Persists a value in a named context variable for later access.
• Trace - Adds custom traces into the request tracing output in the test console, Application Insights telemetries, and resource logs.
• Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.

Authentication policies

• Authenticate with Basic - Authenticate with a backend service using Basic authentication.
• Authenticate with client certificate - Authenticate with a backend service using client certificates.
• Authenticate with managed identity - Authenticate with a backend service using a managed identity.

Caching policies

• Get from cache - Perform cache lookup and return a valid cached response when available.
• Store to cache - Caches response according to the specified cache control configuration.
• Get value from cache - Retrieve a cached item by key.
• Store value in cache - Store an item in the cache by key.
• Remove value from cache - Remove an item in the cache by key.

Cross-domain policies

• Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
• CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
• JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

Dapr integration policies

• Send request to a service: Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this README file.
• Send message to Pub/Sub topic: Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this README file.
• Trigger output binding: Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this README file.

GraphQL API policies

• Validate GraphQL request - Validates and authorizes a request to a GraphQL API.
• Set GraphQL resolver - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.

Transformation policies

• Convert JSON to XML - Converts request or response body from JSON to XML.
• Convert XML to JSON - Converts request or response body from XML to JSON.
• Find and replace string in body - Finds a request or response substring and replaces it with a different substring.
• Mask URLs in content - Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway.
• Set backend service - Changes the backend service for an incoming request.
• Set body - Sets the message body for incoming and outgoing requests.
• Set HTTP header - Assigns a value to an existing response and/or request header or adds a new response and/or request header.
• Set query string parameter - Adds, replaces value of, or deletes request query string parameter.
• Rewrite URL - Converts a request URL from its public form to the form expected by the web service.
• Transform XML using an XSLT - Applies an XSL transformation to XML in the request or response body.

Validation policies

• Validate content - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.
• Validate parameters - Validates the request header, query, or path parameters against the API schema.
• Validate headers - Validates the response headers against the API schema.
• Validate status code - Validates the HTTP status codes in

Next steps

For more information about working with policies, see:

• Tutorial: Transform and protect your API
• Set or edit policies
• Policy samples