API Management policy reference
This section provides links to reference articles for all API Management policies.
More information about policies:
Limit call rate by subscription and Set usage quota by subscription have a dependency on the subscription key. A subscription key isn't required when other policies are applied.
Access restriction policies
- Check HTTP header - Enforces existence and/or value of an HTTP Header.
- Get authorization context - Gets the authorization context of a specified authorization configured in the API Management instance.
- Limit call rate by subscription - Prevents API usage spikes by limiting call rate, on a per subscription basis.
- Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.
- Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
- Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
- Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
- Validate Azure Active Directory token - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP header, query parameter, or token value.
- Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value.
- Validate client certificate - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.
- Control flow - Conditionally applies policy statements based on the results of the evaluation of Boolean expressions.
- Emit metrics - Sends custom metrics to Application Insights at execution.
- Forward request - Forwards the request to the backend service.
- Include fragment - Inserts a policy fragment in the policy definition.
- Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
- Log to event hub - Sends messages in the specified format to an event hub defined by a Logger entity.
- Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
- Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.
- Return response - Aborts pipeline execution and returns the specified response directly to the caller.
- Send one way request - Sends a request to the specified URL without waiting for a response.
- Send request - Sends a request to the specified URL.
- Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
- Set request method - Allows you to change the HTTP method for a request.
- Set status code - Changes the HTTP status code to the specified value.
- Set variable - Persists a value in a named context variable for later access.
- Trace - Adds custom traces into the request tracing output in the test console, Application Insights telemetries, and resource logs.
- Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.
- Authenticate with Basic - Authenticate with a backend service using Basic authentication.
- Authenticate with client certificate - Authenticate with a backend service using client certificates.
- Authenticate with managed identity - Authenticate with a backend service using a managed identity.
- Get from cache - Perform cache lookup and return a valid cached response when available.
- Store to cache - Caches response according to the specified cache control configuration.
- Get value from cache - Retrieve a cached item by key.
- Store value in cache - Store an item in the cache by key.
- Remove value from cache - Remove an item in the cache by key.
- Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
- CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
Dapr integration policies
- Send request to a service: Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this README file.
- Send message to Pub/Sub topic: Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this README file.
- Trigger output binding: Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this README file.
GraphQL API policies
- Validate GraphQL request - Validates and authorizes a request to a GraphQL API.
- Set GraphQL resolver - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.
- Convert JSON to XML - Converts request or response body from JSON to XML.
- Convert XML to JSON - Converts request or response body from XML to JSON.
- Find and replace string in body - Finds a request or response substring and replaces it with a different substring.
- Mask URLs in content - Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway.
- Set backend service - Changes the backend service for an incoming request.
- Set body - Sets the message body for incoming and outgoing requests.
- Set HTTP header - Assigns a value to an existing response and/or request header or adds a new response and/or request header.
- Set query string parameter - Adds, replaces value of, or deletes request query string parameter.
- Rewrite URL - Converts a request URL from its public form to the form expected by the web service.
- Transform XML using an XSLT - Applies an XSL transformation to XML in the request or response body.
- Validate content - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.
- Validate parameters - Validates the request header, query, or path parameters against the API schema.
- Validate headers - Validates the response headers against the API schema.
- Validate status code - Validates the HTTP status codes in
For more information about working with policies, see:
Submit and view feedback for