Built-in policies
IBM® API Connect includes a number of built-in policies that you can use to apply preconfigured policy statements to an operation to control an aspect of processing in the Gateway server when an API is invoked.
Note: Although some built-in policies can be used with both the DataPower® Gateway and the Micro Gateway, some policies are restricted
to a particular Gateway. The following icons indicate which Gateway each policy can be used with:
Indicates that the policy can be run on the DataPower Gateway.
Indicates that the policy can be run on the Micro Gateway.
Important: IBM API
Connect
Micro Gateway is deprecated in IBM API
Connect Version 5.0.8 in favor of DataPower Gateway. From 1 April 2020, Micro Gateway, and associated toolkit CLI commands, will no longer
be supported. Existing users can migrate their API definitions to IBM
DataPower Gateways. For information on supported API policies, see
Built-in
policies.
Important: If you are using IBM API Connect for IBM Cloud, you must
apply only policies that can be run on the DataPower Gateway.
Built-in policies are configured in the context of an API. You can use the API Designer assembly editor to add a built-in policy to an API and to configure the properties for that policy.
You can also add built-in policies to an API by creating an OpenAPI (Swagger 2.0) definition file. For more information, see Creating an OpenAPI (Swagger 2.0) definition file.
The following table shows the list of built-in policies that are available, and whether they are
restricted to a particular Gateway or are available on both. The table contains links to
configuration information for both the built-in policy definitions, and the OpenAPI (Swagger 2.0) policy definitions. The policies are
the same, but they are created in different ways.
| Built-in policy | OpenAPI (Swagger 2.0) policy | Description |  |
 |
|---|---|---|---|---|
| Activity Log1 | activity-log | Use the Activity Log policy to configure your logging preferences for the API activity that is stored in analytics. The preferences that you specify will override the default settings for collecting and storing details of the API activity. |  |
 |
| GatewayScript | gatewayscript | Use the gatewayscript policy to execute a specified DataPower GatewayScript program. | |
|
![[V5.0.5 or later]](../buildfiles/icon_v505.jpg){kind=icon} Generate LTPA Token |
ltpa-generate |
Use the Generate LTPA
Token security policy in IBM API
Connect to generate a Lightweight Third
Party Authentication (LTPA) token. |
|
|
| Invoke | invoke | Apply the Invoke policy to call another service from within your assembly. The response from the backend is stored either in the variable message.body or in the response object variable if it is defined. The policy can be used with JSON or XML data, and can be applied multiple times within your assembly. | |
|
| JavaScript | javascript | Use the JavaScript policy to execute a specified JavaScript program. | |
|
| JSON to XML | json-to-xml | Use the JSON to XML policy to convert the context payload of your API from the JavaScript Object Notation (JSON) format to the extensible markup language (XML) format. | |
|
![[V5.0.1 or later]](../buildfiles/icon_v501.jpg){kind=icon} Generate JWT |
jwt-generate | Use the Generate JWT security policy in IBM API Connect to generate a JSON Web Token (JWT). | |
|
| Validate JWT |
jwt-validate | Use the Validate JWT security policy to enable the validation of a JSON Web Token (JWT) in a request before allowing access to the APIs. | |
|
| Map | map | Use the Map policy to apply transformations to your assembly flow and specify relationships between variables. | |
|
| Proxy | proxy | Apply the Proxy policy to invoke another API within your assembly, particularly if the separate API contains a large payload. The response from the backend is stored in the message.body and in the response object variable if it is defined. Only one policy is permitted to be run per unique assembly flow. |
|
|
| Redaction | redact | Use the Redaction policy to completely remove or to redact specified fields from the Request body, the Response body, and the activity logs. You might find this policy useful for removing or blocking out sensitive data (for example, credit card details) for legal, security, or other reasons. | |
|
| Set Variable | set-variable | Use the Set Variable policy to set a runtime variable to a string value, or to clear a runtime variable, or to add a header variable. | |
|
| Validate | validate | Use the Validate policy to validate the payload in an assembly flow against a JSON or an XML schema. | |
|
![[V5.0.3 or later]](../buildfiles/icon_v503.jpg){kind=icon} Validate |
|
Use the Validate policy to validate the payload in an assembly flow against a JSON or an XML schema.
|
|
|
![[V5.0.2 or later]](../buildfiles/icon_v502.jpg){kind=icon} Validate Username
Token |
validate-usernametoken | Use the Validate Username Token policy to validate a Web Services Security (WS-Security) UsernameToken in a SOAP payload before allowing access to the protected resource. | |
|
| XML to JSON | xml-to-json | Use the XML to JSON policy to convert the context payload of your API from the extensible markup language (XML) format to JavaScript Object Notation (JSON). | |
|
| XSLT | xslt | Use the XSLT policy to apply an XSLT transform to the payload of the API definition. | |
|
1
Note: The Micro Gateway does not support
the Activity
Log policy.
However, the Micro Gateway
does collect the basic analytic statistics. The statistics that the Micro Gateway gathers are
equivalent to what an Activity
Log policy in the DataPower Gateway with
Content:activity settings gathers with some exceptions:- For the following fields, the Micro Gateway does not collect
the information and sends empty payload:
requestHttpHeaders,responseHttpHeaders, anddebug. - When the Micro Gateway starts with an APIMANAGER environment variable that specifies a valid Management server, the Micro Gateway automatically collects the basic analytic statistics. There is no mechanism to turn the collection function on or off at runtime.