API Management policy reference

This section provides links to reference articles for all API Management policies.

More information about policies:

Important

Limit call rate by subscription and Set usage quota by subscription have a dependency on the subscription key. A subscription key isn't required when other policies are applied.

Access restriction policies

  • Check HTTP header - Enforces the existence and/or value of an HTTP header.
  • Get authorization context - Gets the authorization context of a specified connection to a credential provider configured in the API Management instance.
  • Limit call rate by subscription - Prevents API usage spikes by limiting the call rate on a per-subscription basis.
  • Limit call rate by key - Prevents API usage spikes by limiting the call rate on a per-key basis.
  • Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
  • Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota on a per-subscription basis.
  • Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota on a per-key basis.
  • Validate Microsoft Entra token - Enforces existence and validity of a Microsoft Entra JWT extracted from either a specified HTTP header, query parameter, or token value.
  • Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value.
  • Validate client certificate - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.

Advanced policies

  • Control flow - Conditionally applies policy statements based on the results of the evaluation of Boolean expressions.
  • Emit metrics - Sends custom metrics to Application Insights at execution.
  • Forward request - Forwards the request to the backend service.
  • Include fragment - Inserts a policy fragment in the policy definition.
  • Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
  • Log to event hub - Sends messages in the specified format to an event hub defined by a Logger entity.
  • Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
  • Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution repeats at the specified time intervals and up to the specified retry count.
  • Return response - Aborts pipeline execution and returns the specified response directly to the caller.
  • Send one way request - Sends a request to the specified URL without waiting for a response.
  • Send request - Sends a request to the specified URL.
  • Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
  • Set request method - Allows you to change the HTTP method for a request.
  • Set status code - Changes the HTTP status code to the specified value.
  • Set variable - Persists a value in a named context variable for later access.
  • Trace - Adds custom traces into the request tracing output in the test console, Application Insights telemetry, and resource logs.
  • Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.

Authentication policies

Caching policies

Cross-domain policies

  • Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
  • CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
  • JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

Dapr integration policies

  • Send request to a service - Uses the Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this README file.
  • Send message to Pub/Sub topic - Uses the Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this README file.
  • Trigger output binding - Uses the Dapr runtime to invoke an external system via an output binding. To learn more about bindings in Dapr, see the description in this README file.

GraphQL resolver policies

  • Azure SQL data source for resolver - Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema.
  • Cosmos DB data source for resolver - Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema.
  • HTTP data source for resolver - Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema.
  • Publish event to GraphQL subscription - Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation.

Transformation policies

Validation policies

  • Validate content - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.
  • Validate GraphQL request - Validates and authorizes a request to a GraphQL API.
  • Validate OData request - Validates a request to an OData API to ensure conformance with the OData specification.
  • Validate parameters - Validates the request header, query, or path parameters against the API schema.
  • Validate headers - Validates the response headers against the API schema.
  • Validate status code - Validates the HTTP status codes in responses against the API schema.

For more information about working with policies, see: