Built-in policies

Built-in policies are configured in the context of an API. You can use the API Manager assembly editor to add a built-in policy to an API and to configure the properties for that policy.

You can also add built-in policies to an API by creating an OpenAPI definition file. For more information, see Creating an OpenAPI definition file.

The following table shows the list of built-in policies that are available. The table contains links to configuration information for both the built-in policy definitions, and the OpenAPI policy definitions. The policies are the same, but they are created in different ways.

Table 1. Built-in policies

Built-in policy	OpenAPI policy	Description
Activity Log	activity-log	Use the Activity Log policy to configure your logging preferences for the API activity that is stored in IBM API Connect analytics. The preferences that you specify will override the default settings for collecting and storing details of the API activity. Note: The Activity Log policy is not supported in the assembly for an API whose gateway type is DataPower API Gateway. Instead, you configure activity logging in the API design settings. For details, see Activity logging with the DataPower API Gateway.		Functionality provided in the API design; see Activity logging with the DataPower API Gateway
Client Security	client-security	Provides a range of options for authenticating client access to your APIs, extending the capabilities of the OpenAPI specification.		Available from V2018.4.1.5
GatewayScript	gatewayscript	Use the gatewayscript policy to execute a specified DataPower GatewayScript program.		Available from V2018.4.1.0
Generate JWT	jwt-generate	Use the Generate JWT security policy in IBM API Connect to generate a JSON Web Token (JWT).
Validate JWT	jwt-validate	Use the Validate JWT security policy to enable the validation of a JSON Web Token (JWT) in a request before allowing access to the APIs.
if	if	Use the if policy to apply a section of the assembly when a condition is fulfilled.		Available from V2018.4.1.0; functionality provided by switch
Invoke	invoke	Apply the Invoke policy to call another service from within your assembly. The response from the backend is stored either in the variable message.body or in the response object variable if it is defined. The policy can be used with JSON or XML data, and can be applied multiple times within your assembly.
JSON to XML	json-to-xml	Use the JSON to XML policy to convert the context payload of your API from the JavaScript Object Notation (JSON) format to the extensible markup language (XML) format.
Log	log	Use the Log policy to customize or override the default activity logging configuration for an API.		Available from V2018.4.1.7
Map	map	Use the Map policy to apply transformations to your assembly flow and specify relationships between variables.
operation-switch	operation-switch	Use the operation-switch policy to apply a section of the assembly to a specific operation.		Available from V2018.4.1.0; functionality provided by switch
OAuth	oauth	Use the OAuth policy to policy to perform OAuth processing based on defined OAuth provider settings.
Parse	parse	Use the Parse policy to control the parsing of an input document. When the input document is a JSON string, the string is parsed instead of copied over.
Proxy	proxy	Apply the Proxy policy to invoke another API within your assembly, particularly if the separate API contains a large payload. The response from the backend is stored in the message.body and in the response object variable if it is defined. Only one policy is permitted to be run per unique assembly flow.		Functionality provided by Invoke
Rate Limit	ratelimit	Use the Rate Limit policy to apply one or more rate or burst limits at any point in your API assembly flow. Rate and burst limits restrict the number of calls that an application can make to an API in a specified time period.		Available from V2018.4.1.7
Redaction Redaction - DataPower API Gateway Redaction - DataPower Gateway (v5 compatible)	redact - DataPower API Gateway redact - DataPower Gateway (v5 compatible)	Use the Redaction policy to completely remove or to redact specified fields from the Request body, the Response body, and the activity logs. You might find this policy useful for removing or blocking out sensitive data (for example, credit card details) for legal, security, or other reasons.		Available from V2018.4.1.7
Set Variable	set-variable	Use the Set Variable policy to set the value of a runtime variable, or to clear a runtime variable, or to add a header variable.		Available from V2018.4.1.0
switch	switch	Use the switch policy to execute one of a number of sections of the assembly based on which specified condition is fulfilled.		Available from V2018.4.1.0
throw	throw	Use the throw policy to throw an error when it is reached during the execution of an assembly flow.		Available from V2018.4.1.0
User Security	user-security	Use the user-security policy to extract a user's credentials, authenticate those credentials, and obtain authorization from the user.
Validate Validate - DataPower API Gateway Validate - DataPower Gateway (v5 compatible)	validate - DataPower API Gateway validate - DataPower Gateway (v5 compatible)	Use the Validate policy to validate the payload in an assembly flow against a JSON or an XML schema.		Available from V2018.4.1.0
Validate Username Token	validate-usernametoken	Use the Validate Username Token policy to validate a Web Services Security (WS-Security) UsernameToken in a SOAP payload before allowing access to the protected resource.
XML to JSON	xml-to-json	Use the XML to JSON policy to convert the context payload of your API from the extensible markup language (XML) format to JavaScript Object Notation (JSON).
XSLT	xslt	Use the XSLT policy to apply an XSLT transform to the payload of the API definition.		Available from V2018.4.1.0