API Call Policy
General Information
Policy Type
policy-api-call
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Response
Success Response (200 OK)
{
"success": true,
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [
{
"type": "policy-api-call",
"name": "external-api-call",
"description": "Call external API for validation",
"active": true,
"callType": "SYNCHRONOUS",
"httpMethod": "POST",
"url": "https://api.example.com/validate",
"timeout": 5000,
"certificateEnabled": false,
"enableCache": false
}
],
"responsePolicyList": [],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example - Synchronous Call with Cache
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-api-call",
"description": "Call external validation API with caching",
"active": true,
"callType": "SYNCHRONOUS",
"httpMethod": "POST",
"url": "https://api.example.com/validate",
"timeout": 5000,
"certificateEnabled": false,
"clearBodyBeforeCall": false,
"useMessageTemplateBeforeCall": true,
"enumTestConsoleRequestBodyType": "JSON",
"bodyContentBeforeCall": "{\n \"userId\": \"${userId}\",\n \"action\": \"validate\"\n}",
"urlEncodedList": [],
"dataManipulationListBeforeCall": [],
"removeAllHeadersBeforeCall": true,
"headersToBeDeletedBeforeCallList": [],
"headersToBeAddedBeforeCallList": [
{
"name": "Content-Type",
"valueSource": "VALUE",
"value": "application/json",
"prefix": null
},
{
"name": "Authorization",
"valueSource": "VARIABLE",
"variable": {
"type": "HEADER",
"headerName": "Authorization"
},
"prefix": "BEARER"
}
],
"removeAllParametersBeforeCall": true,
"parametersToBeDeletedBeforeCallList": [],
"parametersToBeAddedBeforeCallList": [
{
"name": "apiKey",
"valueSource": "VALUE",
"value": "your-api-key"
}
],
"enableCache": true,
"cacheBy": {
"type": "HEADER",
"headerName": "Authorization"
},
"capacity": 1000,
"ttl": 3600,
"cacheNullResponses": false,
"cacheStorageType": "DISTRIBUTED",
"enableDynamicTtl": true,
"dynamicTtlVariable": {
"type": "BODY",
"bodyExpression": "$.expireAt"
},
"dynamicTtlSourceType": "ISO_8601_DATETIME",
"dynamicTtlCustomDatePattern": null,
"dynamicTtlIsJwt": false,
"dynamicTtlJwtClaimName": null,
"dynamicTtlOffsetSeconds": 30,
"fallbackTtl": 300,
"afterCallBodyOperationType": "REPLACE_BODY",
"useMessageTemplateAfterCall": false,
"messageTemplateContentTypeAfterCall": "JSON",
"bodyContentAfterCall": null,
"dataManipulationListAfterCall": [],
"removeAllHeadersAfterCall": false,
"headersToBeDeletedAfterCallList": [],
"headersToBeAddedAfterCallList": [],
"removeAllParametersAfterCall": false,
"parametersToBeDeletedAfterCallList": [],
"parametersToBeAddedAfterCallList": [],
"prepareMessage": false,
"modifyMessage": false,
"newBodyContentSourceType": null
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |
Enum: targetScope
ALL- Policy applies to all endpointsENDPOINT- Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST- Executes in request pipelineRESPONSE- Executes in response pipelineERROR- Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD
policy
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| type | string | Yes | - | Policy type: policy-api-call |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| callType | string | Yes | - | Call type: SYNCHRONOUS or ONE_WAY |
| httpMethod | string | Yes | - | HTTP method for API call |
| url | string | Yes | - | Target API URL |
| timeout | integer | No | - | Request timeout in milliseconds |
| certificateName | string | No | - | Certificate name for mTLS (required if certificateEnabled=true) |
| certificateEnabled | boolean | No | false | Enable mTLS certificate |
| clearBodyBeforeCall | boolean | No | false | Clear request body before API call |
| useMessageTemplateBeforeCall | boolean | No | true | Use message template for request body |
| enumTestConsoleRequestBodyType | string | No | XML | Request body content type |
| bodyContentBeforeCall | string | No | - | Request body template |
| urlEncodedList | array | No | [] | URL encoded form parameters |
| dataManipulationListBeforeCall | array | No | [] | Data manipulation for request |
| removeAllHeadersBeforeCall | boolean | No | true | Remove all headers before call |
| headersToBeDeletedBeforeCallList | array | No | [] | Headers to delete before call |
| headersToBeAddedBeforeCallList | array | No | [] | Headers to add before call |
| removeAllParametersBeforeCall | boolean | No | true | Remove all parameters before call |
| parametersToBeDeletedBeforeCallList | array | No | [] | Parameters to delete before call |
| parametersToBeAddedBeforeCallList | array | No | [] | Parameters to add before call |
| enableCache | boolean | No | false | Enable response caching |
| cacheBy | object | No | - | Variable for cache key |
| capacity | integer | No* | - | Cache capacity (required if enableCache=true) |
| ttl | integer | No* | - | Cache TTL in seconds (required if enableCache=true) |
| cacheNullResponses | boolean | No | true | Cache null/error responses |
| cacheStorageType | string | No | DISTRIBUTED | Cache storage type |
| enableDynamicTtl | boolean | No | false | Enable dynamic TTL calculation from API response |
| dynamicTtlVariable | object | No* | - | Variable from which the TTL value will be read (required if enableDynamicTtl=true) |
| dynamicTtlSourceType | string | No* | - | Format of the dynamic TTL value (required if enableDynamicTtl=true) |
| dynamicTtlCustomDatePattern | string | No* | - | Custom date-time pattern (required if dynamicTtlSourceType=CUSTOM_DATETIME) |
| dynamicTtlIsJwt | boolean | No | false | Whether the source variable value is inside a JWT token |
| dynamicTtlJwtClaimName | string | No* | - | JWT claim name to read after decoding (required if dynamicTtlIsJwt=true) |
| dynamicTtlOffsetSeconds | integer | No | 0 | Safety margin in seconds subtracted from the calculated TTL |
| fallbackTtl | integer | No | - | Fallback TTL in seconds when dynamic TTL cannot be calculated |
| afterCallBodyOperationType | string | No | - | Operation on original body after call |
| useMessageTemplateAfterCall | boolean | No | true | Use message template after call |
| messageTemplateContentTypeAfterCall | string | No | XML | Response body content type |
| bodyContentAfterCall | string | No | - | Response body template |
| dataManipulationListAfterCall | array | No | [] | Data manipulation for response |
| removeAllHeadersAfterCall | boolean | No | false | Remove all headers after call |
| headersToBeDeletedAfterCallList | array | No | [] | Headers to delete after call |
| headersToBeAddedAfterCallList | array | No | [] | Headers to add after call |
| removeAllParametersAfterCall | boolean | No | false | Remove all parameters after call |
| parametersToBeDeletedAfterCallList | array | No | [] | Parameters to delete after call |
| parametersToBeAddedAfterCallList | array | No | [] | Parameters to add after call |
| prepareMessage | boolean | No | false | Prepare message flag |
| modifyMessage | boolean | No | false | Modify message flag |
| newBodyContentSourceType | string | No | - | Source type for new body content |
EnumPolicyRestApiCallType
SYNCHRONOUS- Two-way call, waits for response (supports caching)ONE_WAY- Fire-and-forget call, no response expected (no caching)
EnumHttpRequestMethod
GET- GET requestPOST- POST requestPUT- PUT requestDELETE- DELETE requestPATCH- PATCH requestOPTIONS- OPTIONS requestHEAD- HEAD request
EnumMessageTemplateContentType
XML- XML contentJSON- JSON contentRAW- Raw text contentURL_ENCODED- application/x-www-form-urlencoded
EnumCacheStorageType
LOCAL- Local cache (per node)DISTRIBUTED- Distributed cache (shared across nodes)
EnumOriginalMessageOperationType
NOT_CHANGE_BODY- Keep original body unchangedREPLACE_BODY- Replace original body with API call responseCLEAR_BODY- Clear original body after call
EnumMessageTemplateContentType (After Call)
XML- XML contentJSON- JSON contentRAW- Raw text content
EnumBodyContentSourceType
VALUE- Use static valueVARIABLE- Use variable value
EnumDynamicTtlSourceType
ISO_8601_DATETIME- Standard ISO 8601 date format (e.g.,2026-03-26T15:30:00Z,2026-03-26T15:30:00+03:00)CUSTOM_DATETIME- Custom format using Java DateTimeFormatter pattern (requiresdynamicTtlCustomDatePattern)EPOCH_SECONDS- Unix epoch timestamp in seconds (e.g.,1743004200)EPOCH_MILLISECONDS- Unix epoch timestamp in milliseconds (e.g.,1743004200000)EXPIRES_IN_SECONDS- Relative duration in seconds (e.g.,300for 5 minutes)EXPIRES_IN_MILLISECONDS- Relative duration in milliseconds (e.g.,300000for 5 minutes)TTL_STRING- Human-readable duration string (e.g.,1h,30m,3600s)
Note
urlandhttpMethodare required.callTypeis required.- If
enableCache: true,capacityandttlare required (unlessenableDynamicTtl: true), andcallTypemust beSYNCHRONOUS. - If
enableDynamicTtl: true,dynamicTtlVariableanddynamicTtlSourceTypeare required. When dynamic TTL is enabled, the staticttlfield is used as fallback only iffallbackTtlis not specified. - If
dynamicTtlSourceType: CUSTOM_DATETIME,dynamicTtlCustomDatePatternis required. - If
dynamicTtlIsJwt: true,dynamicTtlJwtClaimNameis required. - If
certificateEnabled: true,certificateNameis required.
headersToBeAddedBeforeCallList / headersToBeAddedAfterCallList
Each header is an object with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Header name |
| description | string | No | Header description |
| valueSource | string | Yes | Value source: VALUE or VARIABLE |
| value | string | No* | Header value (required if valueSource=VALUE) |
| variable | object | No* | Variable object (required if valueSource=VARIABLE) |
| prefix | string | No | Header prefix |
EnumValueSource
VALUE- Use static valueVARIABLE- Extract from variable
EnumRestApiHeaderPrefix
NONE- No prefixBASIC- Basic prefix (for Authorization header)BEARER- Bearer prefix (for Authorization header)DIGEST- Digest prefix (for Authorization header)
Note
- If
valueSource: VALUE, providevalue. - If
valueSource: VARIABLE, providevariableobject.
parametersToBeAddedBeforeCallList / parametersToBeAddedAfterCallList
Each parameter is an object with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Parameter name |
| description | string | No | Parameter description |
| valueSource | string | Yes | Value source: VALUE or VARIABLE |
| value | string | No* | Parameter value (required if valueSource=VALUE) |
| variable | object | No* | Variable object (required if valueSource=VARIABLE) |
EnumValueSource
VALUE- Use static valueVARIABLE- Extract from variable
Note
- If
valueSource: VALUE, providevalue. - If
valueSource: VARIABLE, providevariableobject.
urlEncodedList
Each form parameter is an object with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| key | string | Yes | Form parameter key |
| value | string | Yes | Form parameter value |
| description | string | No | Parameter description |
Note: Used when enumTestConsoleRequestBodyType: URL_ENCODED.
dataManipulationListBeforeCall / dataManipulationListAfterCall
Each data manipulation is an object with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| operation | string | Yes | Operation type: ADD, ADD_OR_EDIT, or DELETE |
| sourceValueSource | string | No | Source value source: VALUE or VARIABLE |
| sourceVar | object | No | Source variable |
| sourceValue | string | No | Source value |
| targetName | string | Yes | Target field name/path |
| targetValueSource | string | No | Target value source: VALUE or VARIABLE |
| targetVar | object | No | Target variable |
| targetValue | string | No | Target value |
EnumRestApiDataManipulationDefOperation�
ADD- Add new fieldADD_OR_EDIT- Add or edit existing fieldDELETE- Delete field
EnumValueSource
VALUE- Use static valueVARIABLE- Extract from variable
cacheBy
Variable object for cache key generation:
| Field | Type | Required | Description |
|---|---|---|---|
| type | string | Yes | Variable type: HEADER, PARAMETER, BODY, CONTEXT, SCRIPT |
| headerName | string | No* | Header name (required if type=HEADER) |
| paramName | string | No* | Parameter name (required if type=PARAMETER) |
| contextValue | string | No* | Context value (required if type=CONTEXT) |
Note: Cache key is generated from the specified variable. If not provided, entire request is used as cache key.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/external-api-call/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-api-call",
"description": "Call external API",
"active": true,
"callType": "SYNCHRONOUS",
"httpMethod": "POST",
"url": "https://api.example.com/validate",
"timeout": 5000,
"removeAllHeadersBeforeCall": true,
"headersToBeAddedBeforeCallList": [
{
"name": "Content-Type",
"valueSource": "VALUE",
"value": "application/json"
}
],
"enableCache": false
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-api-call",
"description": "Updated: Call external validation API with enhanced caching",
"active": true,
"callType": "SYNCHRONOUS",
"httpMethod": "POST",
"url": "https://api.example.com/v2/validate",
"timeout": 8000,
"certificateEnabled": false,
"clearBodyBeforeCall": false,
"useMessageTemplateBeforeCall": true,
"enumTestConsoleRequestBodyType": "JSON",
"bodyContentBeforeCall": "{\n \"userId\": \"${userId}\",\n \"action\": \"validate\",\n \"timestamp\": \"${timestamp}\"\n}",
"urlEncodedList": [],
"dataManipulationListBeforeCall": [],
"removeAllHeadersBeforeCall": true,
"headersToBeDeletedBeforeCallList": [],
"headersToBeAddedBeforeCallList": [
{
"name": "Content-Type",
"valueSource": "VALUE",
"value": "application/json",
"prefix": null
},
{
"name": "Authorization",
"valueSource": "VARIABLE",
"variable": {
"type": "HEADER",
"headerName": "Authorization"
},
"prefix": "BEARER"
},
{
"name": "X-Request-ID",
"valueSource": "VARIABLE",
"variable": {
"type": "HEADER",
"headerName": "X-Request-ID"
},
"prefix": null
}
],
"removeAllParametersBeforeCall": true,
"parametersToBeDeletedBeforeCallList": [],
"parametersToBeAddedBeforeCallList": [
{
"name": "apiKey",
"valueSource": "VALUE",
"value": "updated-api-key-2024"
},
{
"name": "version",
"valueSource": "VALUE",
"value": "v2"
}
],
"enableCache": true,
"cacheBy": {
"type": "HEADER",
"headerName": "Authorization"
},
"capacity": 5000,
"ttl": 7200,
"cacheNullResponses": false,
"cacheStorageType": "DISTRIBUTED",
"afterCallBodyOperationType": "REPLACE_BODY",
"useMessageTemplateAfterCall": false,
"messageTemplateContentTypeAfterCall": "JSON",
"bodyContentAfterCall": null,
"dataManipulationListAfterCall": [],
"removeAllHeadersAfterCall": false,
"headersToBeDeletedAfterCallList": [],
"headersToBeAddedAfterCallList": [
{
"name": "X-Validated",
"valueSource": "VALUE",
"value": "true",
"prefix": null
}
],
"removeAllParametersAfterCall": false,
"parametersToBeDeletedAfterCallList": [],
"parametersToBeAddedAfterCallList": [],
"prepareMessage": false,
"modifyMessage": false,
"newBodyContentSourceType": null
}
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": false
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | false | Whether to deploy after deletion |
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": []
}
}
Notes and Warnings
-
Call Type:
SYNCHRONOUS- Waits for response, supports cachingONE_WAY- Fire-and-forget, no caching support
-
Caching:
- Only available for
SYNCHRONOUScalls - Requires
capacityandttlwhen enabled (staticttlis optional ifenableDynamicTtl: true) - Cache key can be based on variable (e.g., Authorization header)
- Dynamic TTL: When
enableDynamicTtl: true, cache TTL is automatically calculated from a value in the API response (e.g.,expireAtfield, JWTexpclaim, orexpires_invalue). RequiresdynamicTtlVariableanddynamicTtlSourceType. UsedynamicTtlOffsetSecondsas safety margin andfallbackTtlas fallback when dynamic calculation fails.
- Only available for
-
mTLS:
- Requires
certificateNamewhencertificateEnabled: true - Certificate name is resolved to certificate ID automatically
- Certificate must be configured in Certificate Store (project or global)
- Certificate is searched first in project, then in global certificates
- Requires
-
Request Transformation:
- Use
bodyContentBeforeCallwith variable placeholders (e.g.,${userId}) - Variables are replaced at runtime
- Use
-
Response Handling:
NOT_CHANGE_BODY- Original body remains unchangedREPLACE_BODY- Original body replaced with API responseCLEAR_BODY- Original body cleared
-
Headers and Parameters:
- Can remove all or specific headers/parameters
- Can add new headers/parameters with static values or variables
-
URL Encoded Forms:
- Use
urlEncodedListwhenenumTestConsoleRequestBodyType: URL_ENCODED
- Use
-
Data Manipulation:
- Add, edit, or delete fields in request/response
- Supports variable extraction and transformation
-
Timeout: Specified in milliseconds
-
Deployment: Policy changes require deployment to take effect. Set
deploy: trueor deploy manually.
Related Documentation
- List Policies - List all policies
- Add Policy - General policy addition guide
- Update Policy - General policy update guide
- Delete Policy - General policy deletion guide