Built-in policies

IBM® API Connect includes a number of built-in policies that you can use to apply preconfigured policy statements to an operation to control an aspect of processing in the Gateway server when an API is invoked.

Note: Although some built-in policies can be used with both the DataPower® Gateway (v5 compatible) and the DataPower API Gateway, some policies are restricted to a particular Gateway. The following icons indicate which Gateway each policy can be used with:
  • DataPower gateway iconIndicates that the policy can be run on the DataPower Gateway (v5 compatible).
  • DataPower gateway iconIndicates that the policy can be run on the DataPower API Gateway.

For details of the two types of gateway, see API Connect gateway types.

Built-in policies are configured in the context of an API. You can use the API Designer assembly editor to add a built-in policy to an API and to configure the properties for that policy.

You can also add built-in policies to an API by creating an OpenAPI definition file. For more information, see Creating an OpenAPI definition file.

The following table shows the list of built-in policies that are available. The table contains links to configuration information for both the built-in policy definitions, and the OpenAPI policy definitions. The policies are the same, but they are created in different ways.
Table 1. Built-in policies
Built-in policy OpenAPI policy Description DataPower gateway icon DataPower gateway icon
Activity Log activity-log Use the Activity Log policy to configure your logging preferences for the API activity that is stored in IBM API Connect analytics. The preferences that you specify will override the default settings for collecting and storing details of the API activity.
Note: The Activity Log policy is not supported in the assembly for an API whose gateway type is DataPower API Gateway. Instead, you configure activity logging in the API design settings.
Yes Yes

Functionality provided in the API design

Client Security client-security Provides a range of options for authenticating client access to your APIs, extending the capabilities of the OpenAPI specification. No Yes
GatewayScript gatewayscript Use the gatewayscript policy to execute a specified DataPower GatewayScript program. Yes Yes
Generate JWT jwt-generate Use the Generate JWT security policy in IBM API Connect to generate a JSON Web Token (JWT). Yes Yes
Validate JWT jwt-validate Use the Validate JWT security policy to enable the validation of a JSON Web Token (JWT) in a request before allowing access to the APIs. Yes Yes
if if Use the if policy to apply a section of the assembly when a condition is fulfilled. Yes Yes

Functionality provided by switch

GraphQL introspect graphql-introspect Use the GraphQL introspect policy to introspect a GraphQL schema. No Yes
Invoke invoke Apply the Invoke policy to call another service from within your assembly. The response from the backend is stored either in the variable message.body or in the response object variable if it is defined. The policy can be used with JSON or XML data, and can be applied multiple times within your assembly. Yes Yes
JSON to XML json-to-xml Use the JSON to XML policy to convert the context payload of your API from the JavaScript Object Notation (JSON) format to the extensible markup language (XML) format. Yes Yes
Log log Use the Log policy to customize or override the default activity logging configuration for an API. No Yes
Map map Use the Map policy to apply transformations to your assembly flow and specify relationships between variables. Yes Yes
operation-switch operation-switch Use the operation-switch policy to apply a section of the assembly to a specific operation. Yes Yes
OAuth oauth Use the OAuth policy to policy to perform OAuth processing based on defined OAuth provider settings. No Yes
Parse parse Use the Parse policy to control the parsing of an input document. When the input document is a JSON string, the string is parsed instead of copied over. No Yes
Proxy proxy Apply the Proxy policy to invoke another API within your assembly, particularly if the separate API contains a large payload. The response from the backend is stored in the message.body and in the response object variable if it is defined. Only one policy is permitted to be run per unique assembly flow. Yes Yes

Functionality provided by Invoke

Rate Limit ratelimit Use the Rate Limit policy to apply one or more rate or burst limits at any point in your API assembly flow. Rate and burst limits restrict the number of calls that an application can make to an API in a specified time period. No Yes


Redaction - DataPower API Gateway

Redaction - DataPower Gateway (v5 compatible)

redact - DataPower API Gateway

redact - DataPower Gateway (v5 compatible)

Use the Redaction policy to completely remove or to redact specified fields from the Request body, the Response body, and the activity logs. You might find this policy useful for removing or blocking out sensitive data (for example, credit card details) for legal, security, or other reasons. Yes Yes
Set Variable set-variable Use the Set Variable policy to set the value of a runtime variable, or to clear a runtime variable, or to add a header variable. Yes Yes
switch switch Use the switch policy to execute one of a number of sections of the assembly based on which specified condition is fulfilled. Yes Yes
throw throw Use the throw policy to throw an error when it is reached during the execution of an assembly flow. Yes Yes
User Security user-security Use the user-security policy to extract a user's credentials, authenticate those credentials, and obtain authorization from the user. No Yes


Validate - DataPower API Gateway

Validate - DataPower Gateway (v5 compatible)

validate - DataPower API Gateway

validate - DataPower Gateway (v5 compatible)

Use the Validate policy to validate the payload in an assembly flow against a JSON or an XML schema. Yes Yes
Validate Username Token validate-usernametoken Use the Validate Username Token policy to validate a Web Services Security (WS-Security) UsernameToken in a SOAP payload before allowing access to the protected resource. Yes No
XML to JSON xml-to-json Use the XML to JSON policy to convert the context payload of your API from the extensible markup language (XML) format to JavaScript Object Notation (JSON). Yes Yes
XSLT xslt Use the XSLT policy to apply an XSLT transform to the payload of the API definition. Yes Yes