Business Rule Policy
General Information
Policy Type
policy-business-rule
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Response
Success Response (200 OK)
{
"success": true,
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [
{
"type": "policy-business-rule",
"name": "business-rule-policy",
"description": "Add timestamp to request",
"active": true,
"actionList": [
{
"actionType": "ADD",
"sourceVar": {
"type": "CONTEXT_VALUES",
"contextValue": "NOW"
},
"sourceDataType": "STRING",
"targetValSource": "VALUE",
"targetVal": "${NOW}",
"targetVar": {
"type": "HEADER",
"headerName": "X-Timestamp"
}
}
]
}
],
"responsePolicyList": [],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example - Add Header
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-business-rule",
"description": "Add timestamp header",
"active": true,
"actionList": [
{
"actionType": "ADD",
"sourceVar": {
"type": "HEADER",
"headerName": "X-Source"
},
"targetVar": {
"type": "HEADER",
"headerName": "X-Timestamp"
},
"targetValSource": "VALUE",
"targetValue": "${now}",
"sourceDataType": "STRING"
}
]
}
}
Full JSON Body Example - Modify Value with Mask
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-business-rule",
"description": "Mask credit card number",
"active": true,
"actionList": [
{
"actionType": "MODIFY",
"sourceVar": {
"type": "BODY",
"bodyJsonPath": "$.creditCard"
},
"sourceDataType": "STRING",
"operator": "MASK",
"maskFrom": 4,
"maskTo": 12,
"targetValSource": "VALUE",
"targetVal": "****-****-****",
"targetVar": {
"type": "BODY",
"bodyJsonPath": "$.creditCard"
}
}
]
}
}
Full JSON Body Example - Conditional Stop with Custom Error Message
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-business-rule",
"description": "Stop request if unauthorized",
"active": true,
"actionList": [
{
"actionType": "STOP",
"policyCondition": {
"conditionType": "SIMPLE",
"variable": {
"type": "HEADER",
"headerName": "X-API-Key"
},
"operator": "IS_EMPTY"
},
"buildCustomMessage": true,
"customMessageHttpStatusCode": 401,
"customMessageContentType": "application/json;charset=UTF-8",
"customMessageTemplate": "{ \"error\": \"Unauthorized\", \"message\": \"X-API-Key header is required\" }"
}
]
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |
Enum: targetScope
ALL- Policy applies to all endpointsENDPOINT- Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST- Executes in request pipelineRESPONSE- Executes in response pipelineERROR- Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD
policy
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| type | string | Yes | - | Policy type: policy-business-rule |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| actionList | array | Yes | - | List of actions to execute (at least one required) |
Note: actionList must contain at least one action.
actionList
Each action is an object with the following fields:
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| actionType | string | Yes | - | Action type: ADD, MODIFY, DELETE, or STOP |
| policyCondition | object | No | - | Condition for this action. When defined, the action only executes if the condition is met. Uses the same condition structure as policy-level conditions. |
| buildCustomMessage | boolean | No | false | Enable custom error message when action triggers (typically used with STOP action) |
| customMessageHttpStatusCode | integer | No | 403 | HTTP status code for the custom error message |
| customMessageContentType | string | No | "application/json;charset=UTF-8" | Content type for the custom error message |
| customMessageTemplate | string | No | "" | Custom error message body template. Supports variables (e.g., ${variable.name}) |
| sourceVar | object | No* | - | Source variable (required for ADD, MODIFY, DELETE) |
| sourceVarBodyInjectionFieldName | string | No | - | Body injection field name |
| sourceDataType | string | No* | - | Source data type (required for MODIFY) |
| sourceTemporalFormat | string | No | - | Temporal format (if sourceDataType=TEMPORAL) |
| operator | string | No* | - | Modification operator (required for MODIFY) |
| substringFrom | integer | No | - | Substring start index (for SUBSTRING operator) |
| substringTo | integer | No | - | Substring end index (for SUBSTRING operator) |
| maskFrom | integer | No | - | Mask start index (for MASK operator) |
| maskTo | integer | No | - | Mask end index (for MASK operator) |
| replaceSource | string | No | - | Replace source pattern (for REPLACE_IN/REPLACE_WITH) |
| insertOffset | integer | No | - | Insert offset (for INSERT operator) |
| temporalOperatorTimeUnit | string | No | - | Temporal time unit (for TEMPORAL operations) |
| replaceFirst | string | No | - | Replace first pattern (for REPLACE_FIRST) |
| targetValSource | string | No* | - | Target value source (required for ADD, MODIFY) |
| targetVal | string | No* | - | Target value (required if targetValSource=VALUE) |
| targetVar | object | No* | - | Target variable (required for ADD, MODIFY) |
| transformationContentType | string | No | - | Transformation content type |
| formatAllowsInvalid | boolean | No | false | Format allows invalid characters |
| formatValueContainsLiteralCharacters | boolean | No | false | Format value contains literal characters |
| formatInvalidCharacters | string | No | - | Format invalid characters |
| formatPlaceholder | string | No | - | Format placeholder |
| jsonToXmlIgnoreNull | boolean | No | false | JSON to XML ignore null |
| jsonToXmlIgnoreEmpty | boolean | No | false | JSON to XML ignore empty |
| jsonToXmlUseNullForNil | boolean | No | false | JSON to XML use null for nil |
| jsonToXmlUnwrapElement | boolean | No | false | JSON to XML unwrap element |
| xmlToJsonUnwrapElement | boolean | No | false | XML to JSON unwrap element |
| xmlToJsonIgnoreNull | boolean | No | false | XML to JSON ignore null |
| xmlToJsonIgnoreEmpty | boolean | No | false | XML to JSON ignore empty |
| xmlToJsonNumbersAsStrings | boolean | No | false | XML to JSON numbers as strings |
| xmlToJsonUseNullForNil | boolean | No | false | XML to JSON use null for nil |
| xmlToJsonArrayPathList | array | No | [] | XML to JSON array path list |
| claimJsonPath | string | No | - | JWT claim JSON path |
EnumActionType
ADD- Add new value to target variableMODIFY- Modify existing value in source variableDELETE- Delete value from source variableSTOP- Stop request/response flow
EnumActionSourceDataType
STRING- String data typeNUMERIC- Numeric data typeTEMPORAL- Date/time data type
EnumActionSourceValueModificationOperator
- Numeric operations:
ADD,SUBTRACT,MULTIPLY,DIVIDE,MODULUS,POWER - String operations:
CONCAT,REPLACE_IN,REPLACE_WITH,REPLACE_FIRST,SUBSTRING,MASK,FORMAT,TRANSFORM,INSERT,TRIM,ENCODE,DECODE,URL_ENCODE,URL_DECODE,EXTRACT_JWT_HEADER_CLAIM,EXTRACT_JWT_BODY_CLAIM - Temporal operations:
ADD_TEMPORAL,SUBTRACT_TEMPORAL
EnumValueSource
VALUE- Use static valueVARIABLE- Extract from variable
EnumTransformationContentType
XSLT- XSLT transformationJOLT- JOLT transformationXML2JSON- XML to JSON conversionJSON2XML- JSON to XML conversion
EnumTimeUnit
MILLISECOND,SECOND,MINUTE,HOUR,DAY,WEEK,MONTH,YEAR
Action Requirements
- ADD: Requires
sourceVar,targetValSource,targetVar. IftargetValSource=VALUE, requirestargetVal. - MODIFY: Requires
sourceVar,sourceDataType,operator,targetValSource. IftargetValSource=VALUE, requirestargetVal. Operator-specific fields required based on operator. - DELETE: Requires
sourceVaronly. - STOP: No additional fields required. Optionally use
buildCustomMessagewithcustomMessageHttpStatusCodeandcustomMessageTemplateto return a custom error response. - All actions optionally support
policyConditionto execute the action only when the condition is met.
Operator-Specific Fields
- SUBSTRING: Requires
substringFrom(and optionallysubstringTo) - MASK: Requires
maskFrom(and optionallymaskTo) - INSERT: Requires
insertOffset - TRANSFORM: Requires
transformationContentType - TEMPORAL: Requires
temporalOperatorTimeUnitandsourceTemporalFormat
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/business-rule-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-business-rule",
"description": "Add timestamp header",
"active": true,
"actionList": [
{
"actionType": "ADD",
"sourceVar": {
"type": "CONTEXT_VALUES",
"contextValue": "NOW"
},
"sourceDataType": "STRING",
"targetValSource": "VALUE",
"targetVal": "${NOW}",
"targetVar": {
"type": "HEADER",
"headerName": "X-Timestamp"
}
}
]
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-business-rule",
"description": "Updated: Add timestamp and request ID headers",
"active": true,
"actionList": [
{
"actionType": "ADD",
"sourceVar": {
"type": "HEADER",
"headerName": "X-Source"
},
"targetVar": {
"type": "HEADER",
"headerName": "X-Timestamp"
},
"targetValSource": "VALUE",
"targetValue": "${now}",
"sourceDataType": "STRING"
},
{
"actionType": "ADD",
"sourceVar": {
"type": "HEADER",
"headerName": "User-Agent"
},
"targetVar": {
"type": "HEADER",
"headerName": "X-Request-ID"
},
"targetValSource": "VALUE",
"targetValue": "${uuid}",
"sourceDataType": "STRING"
}
]
}
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": false
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | false | Whether to deploy after deletion |
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": []
}
}
Notes and Warnings
-
Action Types:
ADD- Adds new value to target variableMODIFY- Modifies existing value with operatorDELETE- Removes value from source variableSTOP- Stops request/response flow immediately
-
Operators:
- Numeric: ADD, SUBTRACT, MULTIPLY, DIVIDE, MODULUS, POWER
- String: CONCAT, REPLACE_IN, REPLACE_WITH, REPLACE_FIRST, SUBSTRING, MASK, FORMAT, TRANSFORM, INSERT, TRIM, ENCODE, DECODE, URL_ENCODE, URL_DECODE, EXTRACT_JWT_HEADER_CLAIM, EXTRACT_JWT_BODY_CLAIM
- Temporal: ADD_TEMPORAL, SUBTRACT_TEMPORAL
-
Action Requirements:
- ADD: Requires sourceVar, targetValSource, targetVar
- MODIFY: Requires sourceVar, sourceDataType, operator, targetValSource
- DELETE: Requires sourceVar only
- STOP: No additional fields required
-
Operator-Specific Fields: Required fields vary by operator (e.g., MASK requires maskFrom/maskTo)
-
Execution Order: Actions are executed in the order they appear in actionList
-
STOP Action: When STOP action executes, subsequent actions and policies are not executed. Use
buildCustomMessage: truewithcustomMessageHttpStatusCodeandcustomMessageTemplateto return a meaningful error response instead of the default 403. -
Action-Level Conditions: Each action can have its own
policyCondition. This allows conditional execution of individual actions within the same policy (e.g., stop only if a specific header is missing, or add a header only for certain content types). -
Performance: Business rules add processing overhead. Use efficiently.
-
Pipeline:
REQUESTpipeline executes actions on request before forwardingRESPONSEpipeline executes actions on response before sending to client
-
Error Handling: Invalid action configuration may cause policy execution to fail
-
Deployment: Policy changes require deployment to take effect. Set
deploy: trueor deploy manually.
Related Documentation
- List Policies - List all policies
- Add Policy - General policy addition guide
- Update Policy - General policy update guide
- Delete Policy - General policy deletion guide
- Redaction Policy - Remove or modify sensitive data