Adding policies to an API

Learn how to add policies to an API.

About this task

Add a policy to an API to enforce rules and manage API behavior.

Procedure

  1. From the Quick start page, click Add a policy sequence.
    The Add policy sequence pop-up window appears.
  2. Select the gateway. Available options are DataPower Nano Gateway, DataPower Gateway (v5c), DataPower API Gateway, and webMethods API Gateway.
  3. Provide the policy sequence details.
    • Policy sequence name
    • Namespace
    • Version
    • Tags
  4. Select the API and click Add.

    The policy sequence is created under the Policy sequences section.

  5. For webMethods API Gateway, the Policy configuration section appears.
    1. In this section, select the required policy from the list.
    2. You can add a new policy or refer to an existing one.
    3. The selected policies appear in the Selected policies section.
    4. Specify the required details in the policy form. For more information about the available field configurations in the supported policies, see webMethods API Gateway policies.
  6. For DataPower Nano Gateway and DataPower API Gateway, the Build assembly flow window appears.
    1. Select the policies from the Build assembly flow window.

      The policies are grouped under the following categories:

      • Logic. Controls the execution flow and conditional processing of APIs.
      • Actions. Defines operations such as invoking services, applying traffic controls, and integrating AI capabilities, including Azure OpenAI, OpenAI, and Gemini actions.
      • Security. Manages authentication, authorization, and other security mechanisms.
      • Transforms. Handles message and data transformations between different data structures.
      For more information about the available field configurations in the supported policies, see DataPower Nano Gateway API policies and DataPower API policies and logic constructs.
    2. For DataPower API Gateway, configure Additional settings as required.

      Catalog publish settings

      • Enforced. Publishes the API to the selected gateway catalog. When disabled, the API is treated as external and is not routed through gateway enforcement.
      • Testable. Displays the API with a Try it now tag in the developer portal, allowing testing.
      • Development phase. Specifies the current stage of API development.

      DataPower gateway settings (API Gateway and v5-compatible Gateway)

      • Activity log. Use the activity log property to specify the data that is stored in API event records for calls to the API. The activity log property provides separate settings for successful API calls and failed API calls. The available activity log options are as follows:
        • Activity. Logs the API resource URI. activity is the default log setting for successful API calls.
        • Header. Logs the API resource URI and HTTP headers.
        • Payload. Logs the API resource URI, HTTP headers, and request and response payloads. payload is the default log setting for failed API calls, since the response payload might have useful information on the cause of the failure.
        • None. API events are not logged.
      • Application authentication. Specifies application authentication settings for an API. The available application authentication options are as follows:
        • TLS certificate. When the API is called, the TLS client certificate is sent to the Gateway service and is used to verify that the API caller holds the corresponding private key.
        • Header. When the API is called, an X509 client certificate must be supplied in the specified HTTP header. For any Developer Portal application that calls the API, the certificate must be entered in the Developer Portal user interface; for details, see Registering an application. If you are using a load balancer, you must configure the load balancer to use the specified HTTP header to relay the appropriate client certificate to the Gateway service after the load balancer terminates the TLS communication.
      • Target. Defines target endpoint settings for API requests.
      • Compatibility. Configures compatibility options for v5-compatible gateways. The available compatibility options are as follows:
        • Enforce required parameters. Check the request for required parameters during API routing. When enabled, a request that does not provide a required parameter is rejected.
        • Allow chunked uploads. Allow the assembly invoke policy to send documents to the server with Transfer-Encoding: chunked. This setting applies only to the invoke 1.5.0 wrapper policy deployed from API Connect using the migration utility. It does not apply to the native API Gateway assembly invoke policy.
        • Copy ID headers to message. Copy security headers to the message context for retrieval by the invoke back-end service.
        • Return V5 style responses. Return v5-compatible responses, such as OAuth and client security error responses.
      • Catalog properties. Defines catalog-specific attributes as key-value pairs used during gateway deployment. Configure these properties to apply values that are unique to a particular catalog.
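
The Header option under Application authentication relies on the load balancer to relay the client certificate after it terminates TLS. The following added example (not product code and not DataPower's implementation) models the receiving side: the header is honoured only when the request comes from the load balancer, and the relayed certificate is matched against the one registered for the application. The header name, proxy network, URL-encoded PEM relay format, and application name are assumptions.

```python
import hashlib
import hmac
import ipaddress
import ssl
from urllib.parse import quote, unquote

# Assumptions for illustration: header name, load balancer network, and
# URL-encoded PEM as the relay format. None of these come from the product.
CERT_HEADER = "X-Client-Certificate"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM-encoded certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def authenticate(peer_ip: str, headers: dict, registered: dict):
    """Return the application whose registered certificate was relayed, else None."""
    # Only the load balancer saw the TLS handshake, so only it can vouch that
    # the caller holds the private key. From any other peer the header is
    # unauthenticated text and is ignored.
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return None
    value = headers.get(CERT_HEADER)
    if not value:
        return None
    try:
        presented = fingerprint(unquote(value))
    except ValueError:  # missing PEM markers or invalid base64
        return None
    for app, expected in registered.items():
        if hmac.compare_digest(presented, expected):
            return app
    return None


# Constructed sample: placeholder bytes wrapped in PEM markers, not a real
# certificate. A real deployment would store the certificate entered for the
# application in the Developer Portal.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder certificate bytes")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"a different constructed certificate")
REGISTERED = {"orders-app": fingerprint(SAMPLE_PEM)}

if __name__ == "__main__":
    relayed = {CERT_HEADER: quote(SAMPLE_PEM)}
    print(authenticate("10.0.0.5", relayed, REGISTERED))    # via load balancer
    print(authenticate("203.0.113.9", relayed, REGISTERED))  # direct caller
```

For the check to hold, the load balancer must overwrite any inbound copy of the header with the certificate it verified, and the Gateway service must not be reachable except through the load balancer.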