Built-in policies
IBM API Studio provides a set of built-in policies that you can apply to an operation to control specific aspects of processing in the Gateway server when an API is invoked.
Built-in policies are configured in the context of an API. You can use the IBM API Studio assembly editor to add a built-in policy to an API and configure the properties for that policy.
The following table shows the list of built-in policies that are available.
| Policy | Description |
|---|---|
| Cache | Stores responses temporarily to reduce backend load and improve performance. |
| Circuit Breaker | Protects backends by limiting requests when failures exceed a threshold. |
| Count Limit | Tracks numeric counts and enforces limits for rate, usage, or attempts. |
| Invoke | Calls an external backend service and forwards the response to the flow. |
| Invoke AWS Lambda | Invokes an AWS Lambda function and processes the returned payload. |
| Load Balancer | Distributes requests across multiple backend endpoints for availability and performance. |
| Rate Limit | Applies rate or burst limits to control how often clients can call the API. |
| Retry | Retries failed backend requests based on the configured attempt and delay settings. |
| Set | Sets or updates context variables that can be used later in the flow. |
| Validate | Validates incoming payloads against a schema to ensure correct data structure. |

| Policy | Description |
|---|---|
| Authenticate | Validates client identity using the configured authentication provider. |
| Authorize | Enforces access control by checking roles or permissions. |
| CORS | Applies Cross-Origin Resource Sharing rules for browser-based clients. |
| Extract Identity | Extracts identity attributes from tokens or headers and stores them in context. |
| IBM Cloud Login | Authenticates clients using IBM Cloud App ID. |
| Set Authorization | Sets outbound authorization information for backend requests. |
| SQL Injection Filter | Detects and blocks SQL injection patterns in incoming requests. |

| Policy | Description |
|---|---|
| Handlebars Template | Generates output using a Handlebars template with runtime values. |
| Parse | Converts raw input into structured JSON or XML for downstream processing. |
| Redact | Masks or removes sensitive data from headers, parameters, or payloads. |
| Remove | Deletes specific headers, query parameters, or elements from the message. |
| Telemetry | Captures request or response details for monitoring and diagnostics. |
| Transform | Modifies or restructures payload content using defined transformation rules. |