API Connect context variables

List of IBM® API Connect context variables that you can reference when defining default parameter values in an assembly operation, or by using the getContext() function when defining a policy.

The following tables are presented:

General context variables.
OAuth context variables - DataPower Gateway (v5 compatible).
Application certificate context variables.
API activity logging context variables.

For more information about implementing an assembly component, see Including components in your assembly, and for information about how to reference context variables in API Connect see Variable references in API Connect and Using context variables in GatewayScript and XSLT policies with the DataPower API Gateway.

For more information about creating a user-defined policy, see Authoring policies.

General context variables

Note:

For plan variables (such as plan.name or plan.version), plan information is available only when the requested operation requires identification and the client passes the authentication check.
If you deploy your API to the DataPower® Gateway (v5 compatible) then, with the exception of client ID and client secret, the passing of form input as a parameter into an API is not supported. This restriction does not apply if you deploy your API to the DataPower API Gateway.

Table 1. API Connect context variables
Name	Description
`api.catalog.id`	The ID of the Catalog in which the API is published.
`api.catalog.name`	The name of the Catalog in which the API is published.
`api.catalog.path`	The path segment that represents this Catalog.
`api.document`	The OpenAPI document.
`api.endpoint.address`	The address of the API Gateway endpoint.
`api.endpoint.hostname`	The host name of the API Gateway endpoint, as requested by the application.
`api.name`	The name of the API; this corresponds to the `x-ibm-name` field in the OpenAPI definition for the API.
`api.operation.id`	The ID of the operation.
`api.operation.path`	The path of the operation.
`api.org.id`	The organization ID of the API provider.
`api.org.name`	The organization short name of the API provider.
`api.properties.propertyname`	The name of a custom API property. Property values are Catalog specific. Note: You have write permission to a custom property only from the user interface, not from GatewayScript. To access a Catalog specific property value from GatewayScript, you must refer to the property by using the following syntax: `apim-catalog-name` where `catalog` is the name of the Catalog, and `name` is the property name. For example: `var mypropertyvalue = $(apim-mycatalog-mypropertyname)`
`api.root`	The API basepath.
`api.type`	The API type; REST or SOAP.
`api.version`	The version string of the API.
`client.app.id`	The client ID or application key that is received on the request.
`client.app.lifecycle-state`	The lifecycle status of the calling client application. The possible values are as follows: `DEVELOPMENT` `PRODUCTION` (default)
`client.app.metadata.key`	The string value of an application metadata key, where `key` is the name of the key. You can add metadata keys to an application by using either the apic apps:create or the apic apps:update command; you include the metadata keys in the configuration file parameter that is passed to the command. For example: `apic apps:create myapp.yaml --server myserver.com --org myorg --catalog mycatalog --consumer-org mycorg` where myapp.yaml contains the following: `name: myapp title: My test application metadata: key1: value1 key2: value2 key3: value3 key4: value4 key5: value5` You can then retrieve the value of a metadata key in an API assembly policy by using a context variable such as the following: `client.app.metadata.key3` Note that adding application metadata might impact gateway transaction performance.
`client.app.name`	The name of the application that is identified as having issued the request.
`client.app.secret`	The client secret that is received in the request.
`client.org.id`	The unique identification key of the organization that owns this application.
`client.org.name`	The name of the organization that owns this application.
`client.result`	The result of the client security policy, which is `SUCCESS` or `FAILURE`.
`client.third_party.type`	The type of user registry used for third-party authentication of the extracted client credentials. The possible values are `LDAP` and `auth-url`.
`client.third_party.headers`	The array of headers added to the request that was sent to that API authentication URL during third-party authentication.
`client.third_party.response.authenticated`	The third-party authentication results. The possible values are as follows: `true`: the authentication was successful. `false`: the authentication failed.
`client.third_party.response.user`	The user for third-party authentication.
`client.title`	The title for the credentials that are received in the request.
`env.name`	The name of the Catalog in which the API is published.
`env.path`	The path segment that represents this Catalog.
`message.body`	The payload of the request or response message. Note: The `message.body` context variable is not supported with `getContext()` function. Use the `getvariable()` function instead.
`message.headers.name`	The value of the current named header of the message or of the current named header of the root part of a multipart message. The `name` segment is case-insensitive.
`message.status.code`	The HTTP status code of the response.
`message.status.reason`	The HTTP reason phrase of the response.
`plan.name`	The name of the plan.
`plan.id`	The unique identifier of the plan.
`plan.version`	The version number of the plan.
`plan.rate-limit`	The rate limit (the number of API calls per time interval) of the plan.
`request.authorization`	The parsed HTTP `authorization` header.
`request.body`	The payload from the incoming request.
`request.content-type`	Normalized content-type value.
`request.date`	A date object that represents approximately when the request was received by the Gateway.
`request.headers.headername`	The value of the original named header of the HTTP request, or the value of the current named header of the root part of a multipart request. The `headername` segment is case-insensitive.
`request.parameters`	You can obtain your incoming parameters from path and query parameters.
`request.path`	The path section of the `request.uri` that starts with the base path of the API, including the '/' character that begins the base path.
`request.querystring`	The request query string without the leading question mark.
`request.search`	The request query string with the leading question mark.
`request.uri`	The full HTTP request URI from the application.
`request.verb`	The HTTP verb of this request.
`session.apiGateway`	The gateway that receives the request.
`session.apiGatewayName`	The name of the API gateway as defined in the API Manager.
`session.clientAddress`	The address of the client that sent the request.
`session.domainName`	The name of the domain that the gateway belongs to.
`session.globalTransactionID`	The global transaction ID in the logs.
`session.localAddress`	The address of the gateway on the DataPower® Gateway.
`session.timeStarted`	The time that the gateway started to process the request.
`session.transactionID`	The transaction ID of the gateway request.
`system.datetime`	Returns a string that represents the current date and time in the system time zone of the gateway.
`system.time`	Returns a string that represents the current time in the system time zone of the gateway.
`system.time.hour`	Returns a number 0 - 23 inclusive, representing the hour of the current time in the system time zone of the gateway.
`system.time.minute`	Returns a number 0 - 59 inclusive representing the minute of the current time in the system time zone of the gateway.
`system.time.seconds`	Returns a number 0 - 59 inclusive representing the seconds of the current time in the system time zone of the gateway.
`system.date`	Returns a string that represents the current date in the system time zone of the gateway.
`system.date.day-of-week`	Returns a number 1 - 7 (Monday to Sunday) inclusive representing the day of the week in the system time zone of the gateway.
`system.date.day-of-month`	Returns a number 1 - 31 representing the day of the month in the system time zone of the gateway.
`system.date.month`	Returns a number 1 - 12 representing the month in the system time zone of the gateway.
`system.date.year`	Returns a four-digit number that represents the year in the system time zone of the gateway.
`system.timezone`	Returns a system time zone ISO 8601 identifier for the gateway, which might include a sign, a two-digit hour, and minutes. For example, `-04:00`.

OAuth context variables - DataPower Gateway (v5 compatible)

The OAuth context variables described in this section apply only to the DataPower Gateway (v5 compatible). For details of the OAuth context variables that apply to the DataPower API Gateway, see OAuth context variables.

Table 2. OAuth context variables (DataPower Gateway (v5 compatible)).
Note: Most OAuth context variables are available only when IBM API Connect is acting as the OAuth resource server. However, the `oauth.introspect` variables are also available when integrating with third party providers.
Name	Description
`oauth.access-token`	If the request is authenticated with OAuth, this variable contains the access token string.
`oauth.miscinfo`	This variable contains information explicitly included in the Authentication URL and Metadata URL headers. For more information, see Authenticate URL.
`oauth.not-after`	If the request is authenticated with OAuth, this variable contains the date when the token expires.
`oauth.not-before`	If the request is authenticated with OAuth, this variable contains the date when the token was issued.
`oauth.resource-owner`	If the request is authenticated with OAuth, this variable contains the name of the resource owner.
`oauth.scope`	If the request is authenticated with OAuth, this variable contains the scope of this access token.
`oauth.introspect.active`	Always available to introspection. Boolean value.
`oauth.introspect.response`	Always available to introspection. Shows the complete current response payload. Example payload value: `{“active”:true, “client_id”, “xxx-xxx”, “token_type”, “bearer”, “scope”:“neon”}`
Other variables might be available from the third party, in the form of: `oauth.introspect.<variable>`	Decoding the previous example payload, the following variables are made available for further processing. `oauth.introspect.client_id: xxx-xxx oauth.introspect.token_type: bearer oauth.introspect.scope: neon`

Application certificate context variables

The following table describes context variables that are available when a certificate is used to verify access to an API, although these will vary depending on the signature mechanism that is being used; for more information, see the Internet X.509 Public Key Infrastructure Certificate and CRL Profile specification.

Table 3. Application certificate context variables
Name	Description
`application.certificate.Base64`	Base64 format.
`application.certificate.fingerprint`	Fingerprint
`application.certificate.Version`	Version
`application.certificate.SerialNumber`	Serial number
`application.certificate.SignatureAlgorithm`	Signing algorithm
`application.certificate.Issuer`	The issuer of the certificate
`application.certificate.Subject`	Subject
`application.certificate.NotBefore`	Not valid before this date
`application.certificate.NotAfter`	Not valid after this date
`application.certificate.SubjectPublicKeyAlgorithm`	Algorithm for the subject public key
`application.certificate.SubjectPublicKeyBitLength`	Length for the subject public key
`application.certificate.KeyValue.type`	Various context variables that depend on the algorithm and key. The following are possible context variables: `application.certificate.KeyValue.RSAKeyValue.Modulus` `application.certificate.KeyValue.RSAKeyValue.Exponent`

API activity logging context variables

If activity logging is enabled for an API, a log context variable is created; the log context variable contains the data relating to an API execution event. On completion of API execution, the log context variable is written to an API event record that is stored for subsequent access by API analytics. For details of the fields contained in the log context variable, see API event record fields.

The way in which you enable and configure activity logging depends on the type of gateway you are using, as follows:

If you are using the DataPower API Gateway, you configure activity logging in the API configuration settings; see Activity logging with the DataPower API Gateway.
If you are using the DataPower Gateway (v5 compatible), you configure activity logging by adding an Activity Log policy to the API assembly.

The activity logging configuration defines the default content of the log context variable, but you can modify it in an API assembly; for example:

Add your own data values by using a Set Variable policy.
Remove or redact data values by using a Redaction policy; see Redaction - DataPower API Gateway or Redaction - DataPower Gateway (v5 compatible).
Modify or replace the log context variable by using a Log policy.