API Management policy reference

This section provides links to reference articles for all API Management policies.

More information about policies:


Limit call rate by subscription and Set usage quota by subscription have a dependency on the subscription key. A subscription key isn't required when other policies are applied.

Access restriction policies

Advanced policies

  • Control flow - Conditionally applies policy statements based on the results of the evaluation of Boolean expressions.
  • Emit metrics - Sends custom metrics to Application Insights at execution.
  • Forward request - Forwards the request to the backend service.
  • Include fragment - Inserts a policy fragment in the policy definition.
  • Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
  • Log to event hub - Sends messages in the specified format to an event hub defined by a Logger entity.
  • Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
  • Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.
  • Return response - Aborts pipeline execution and returns the specified response directly to the caller.
  • Send one way request - Sends a request to the specified URL without waiting for a response.
  • Send request - Sends a request to the specified URL.
  • Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
  • Set request method - Allows you to change the HTTP method for a request.
  • Set status code - Changes the HTTP status code to the specified value.
  • Set variable - Persists a value in a named context variable for later access.
  • Trace - Adds custom traces into the request tracing output in the test console, Application Insights telemetries, and resource logs.
  • Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.

Authentication policies

Caching policies

Cross-domain policies

  • Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
  • CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
  • JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

Dapr integration policies

  • Send request to a service: Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this README file.
  • Send message to Pub/Sub topic: Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this README file.
  • Trigger output binding: Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this README file.

GraphQL resolver policies

  • HTTP data source for resolver - Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema.
  • Publish event to GraphQL subscription - Publishes an event to one or more subscriptions specified in a GraphQL API schema. Used in the http-response element of the http-data-source policy

Transformation policies

Validation policies

  • Validate content - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.
  • Validate GraphQL request - Validates and authorizes a request to a GraphQL API.
  • Validate parameters - Validates the request header, query, or path parameters against the API schema.
  • Validate headers - Validates the response headers against the API schema.
  • Validate status code - Validates the HTTP status codes in responses against the API schema.

Next steps

For more information about working with policies, see: