redact - DataPower Gateway (v5 compatible)

Use the redact policy to completely remove or to redact specified fields from the request body, the response body, and the activity logs. You might find this policy useful for removing or blocking out sensitive data (for example, credit card details) for legal, security, or other reasons.

Gateway support

Note: This page describes the redact policy implementation in the DataPower® Gateway (v5 compatible). If you are using the DataPower API Gateway, see redact - DataPower API Gateway.

For information on the different types of gateway, see API Connect gateway types.

Table 1. Table showing which gateways support this policy, and the corresponding policy version
Gateway Policy version
DataPower Gateway (v5 compatible) 1.0.0

This topic describes how to configure the policy in your OpenAPI source; for details on how to configure the policy in the assembly user interface, see Redaction - DataPower Gateway (v5 compatible).


The redaction policy has the following format:
- redact:
  version: version
  title: title
  description: description
    - action: remove_or_redact
        - where_the_redaction_is_to_be_applied
      path: XPath_expression_for_field_to_remove_or_redact
           further action/from/path combinations

You can specify as many action/from/path combinations as you want.


The following table describes the policy properties:
Table 2. redact policy properties
Property Required Description Data type
version Yes The policy version number string
title No A title for the policy. string
description No A policy description. string
action No Specifies whether you want to remove or redact the fields.
Valid values:
  • remove: Completely removes the specified fields.
  • redact: Redacts (obfuscates with "*"s) the fields to block out the data.

The default value is redact.

Note: If a numerical value is being redacted, the redacted value is depicted as ****** and the type is changed to string.
from No Determines where the redaction is to be applied.
Valid values:
  • all: Apply the redaction to the request body, the response body, and the activity logs.
  • request: Apply the redaction to the request body only.
  • response: Apply the redaction to the response body only.
  • logs: Apply the redaction to the activity logs only.

You can supply one or more values. The default value is all.

path Yes Specifies an XPath expression that defines the fields to remove or redact.

You can construct an XPath expression that is based on JSON or XML depending on whether your API requests and responses use a JSON or an XML format. If the payload is JSON, use the DataPower XML representation of the JSON content (JSONx) to construct the expression.

Note: Use a JSONx representation only to identify the XPath expressions for the fields to remove or redact. Do not change the format of any response bodies in API Manager.

To learn more about constructing XPath expressions that are based on JSON or XML, see Constructing XPath expressions to redact fields.



# Specify separate remove and redact actions

- redact:
  version: 1.0.0
  title: remove secret field, redact address
    - action: remove
        - all
      path: /document/user/secret
    - action: redact
        - request
        - response
      path: //*[@name='secondaryAddress']/*[@name='streetAddress']