Send request
APPLIES TO: All API Management tiers
The send-request policy sends the provided request to the specified URL, waiting no longer than the set timeout value.
Note
Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.
Policy statement
<send-request mode="new | copy" response-variable-name="" timeout="60 sec" ignore-error
="false | true">
<set-url>request URL</set-url>
<set-method>...</set-method>
<set-header>...</set-header>
<set-body>...</set-body>
<authentication-certificate thumbprint="thumbprint" />
<proxy>...</proxy>
</send-request>
Attributes
| Attribute | Description | Required | Default |
|---|---|---|---|
| mode | Determines whether this is a new request or a copy of the headers and body in the current request. In the outbound policy section, mode=copy does not initialize the request body. Policy expressions are allowed. |
No | new |
| response-variable-name | The name of context variable that will receive a response object. If the variable doesn't exist, it will be created upon successful execution of the policy and will become accessible via context.Variable collection. Policy expressions are allowed. |
Yes | N/A |
| timeout | The timeout interval in seconds before the call to the URL fails. Policy expressions are allowed. | No | 60 |
| ignore-error | If true and the request results in an error, the error will be ignored, and the response variable will contain a null value. Policy expressions aren't allowed. |
No | false |
Elements
| Element | Description | Required |
|---|---|---|
| set-url | The URL of the request. Policy expressions are allowed. | No if mode=copy; otherwise yes. |
| set-method | Sets the method of the request. Policy expressions aren't allowed. | No if mode=copy; otherwise yes. |
| set-header | Sets a header in the request. Use multiple set-header elements for multiple request headers. |
No |
| set-body | Sets the body of the request. | No |
| authentication-certificate | Certificate to use for client authentication, specified in a thumbprint attribute. |
No |
| proxy | Routes request via HTTP proxy. | No |
Usage
- Policy sections: inbound, outbound, backend, on-error
- Policy scopes: global, workspace, product, API, operation
- Gateways: dedicated, consumption, self-hosted, workspace
Usage notes
If your API Management instance is deployed (injected) in a VNet in internal mode and you use this policy to send an API request to an API that's exposed in the same API Management instance, you may encounter a timeout with an HTTP 500 BackendConnectionFailure error. This is the result of an Azure Load Balancer limitation.
To chain API requests to the gateway in this scenario, configure set-url to use the localhost loopback URL https://127.0.0.1. Additionally, set the HOST header to specify this API Management instance's gateway host. You may use the default azure-api.net or your custom domain host. For example:
<send-request>
<set-url>https://127.0.0.1/myapi/myoperation</set-url>
<set-header name="Host">
<value>myapim.azure-api.net</value>
</set-header>
</send-request>
For more information, see this blog post.
Example
This example shows one way to verify a reference token with an authorization server. For more information on this sample, see Using external services from the Azure API Management service.
<inbound>
<!-- Extract token from Authorization header parameter -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
<!-- Send request to Token Server to validate token (see RFC 7662) -->
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://microsoft-apiappec990ad4c76641c6aea22f566efc5a4e.azurewebsites.net/introspection</set-url>
<set-method>POST</set-method>
<set-header name="Authorization" exists-action="override">
<value>basic dXNlcm5hbWU6cGFzc3dvcmQ=</value>
</set-header>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@($"token={(string)context.Variables["token"]}")</set-body>
</send-request>
<choose>
<!-- Check active property in response -->
<when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
<!-- Return 401 Unauthorized with http-problem payload -->
<return-response>
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</when>
</choose>
<base />
</inbound>
Related policies
Related content
For more information about working with policies, see:
- Tutorial: Transform and protect your API
- Policy reference for a full list of policy statements and their settings
- Policy expressions
- Set or edit policies
- Reuse policy configurations
- Policy snippets repo
- Author policies using Microsoft Copilot in Azure