Digital Sign Verification Policy
General Information
Policy Type
policy-digital-sign-verification
Description
Digital Sign Verification policy verifies digital signatures using cryptographic keys or certificates. It validates signatures against source data and ensures data integrity and authenticity. This policy provides signature verification capabilities for incoming requests or responses.
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Response
Success Response (200 OK)
{
"status": "SUCCESS",
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [
{
"type": "policy-digital-sign-verification",
"name": "digital-sign-verification-policy",
"description": "Verify request signatures",
"active": true,
"digitalSignVerificationDefList": [
{
"description": "Verify request body signature",
"sourceVar": {
"type": "BODY",
"bodyJsonPath": "$"
},
"signatureVar": {
"type": "HEADER",
"headerName": "X-Signature"
},
"signatureAlgorithm": "SHA256withRSA",
"signatureAlgorithmVar": null,
"keyCertificateType": "KEY",
"keyName": "my-verification-key",
"certificateName": null,
"inputEncodingType": "BASE64"
}
]
}
],
"responsePolicyList": [],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example - Verify with Key
{
"operationMetadata": {
"targetScope": "API_PROXY",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-digital-sign-verification",
"description": "Verify request signatures",
"active": true,
"digitalSignVerificationDefList": [
{
"description": "Verify request body signature",
"sourceVar": {
"type": "BODY",
"bodyJsonPath": "$"
},
"signatureVar": {
"type": "HEADER",
"headerName": "X-Signature"
},
"signatureAlgorithm": "SHA256withRSA",
"signatureAlgorithmVar": null,
"keyCertificateType": "KEY",
"keyName": "my-verification-key",
"certificateName": null,
"inputEncodingType": "BASE64"
}
]
}
}
Full JSON Body Example - Verify with Certificate
{
"operationMetadata": {
"targetScope": "API_PROXY",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-digital-sign-verification",
"description": "Verify request signatures with certificate",
"active": true,
"digitalSignVerificationDefList": [
{
"description": "Verify request body signature",
"sourceVar": {
"type": "BODY",
"bodyJsonPath": "$"
},
"signatureVar": {
"type": "HEADER",
"headerName": "X-Signature"
},
"signatureAlgorithm": "SHA256withRSA",
"signatureAlgorithmVar": null,
"keyCertificateType": "CERTIFICATE",
"keyName": null,
"certificateName": "my-verification-certificate",
"inputEncodingType": "BASE64"
}
]
}
}
Full JSON Body Example - Dynamic Algorithm from Variable
{
"operationMetadata": {
"targetScope": "API_PROXY",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-digital-sign-verification",
"description": "Verify with dynamic algorithm",
"active": true,
"digitalSignVerificationDefList": [
{
"description": "Verify with algorithm from variable",
"sourceVar": {
"type": "BODY",
"bodyJsonPath": "$"
},
"signatureVar": {
"type": "HEADER",
"headerName": "X-Signature"
},
"signatureAlgorithm": null,
"signatureAlgorithmVar": {
"type": "HEADER",
"headerName": "X-Signature-Algorithm"
},
"keyCertificateType": "KEY",
"keyName": "my-verification-key",
"certificateName": null,
"inputEncodingType": "BASE64"
}
]
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: API_PROXY or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |
Enum: targetScope
API_PROXY- Policy applies to all endpointsENDPOINT- Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST- Executes in request pipeline (verifies request signatures)RESPONSE- Executes in response pipeline (verifies response signatures)ERROR- Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD
policy
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| type | string | Yes | - | Policy type: policy-digital-sign-verification |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| digitalSignVerificationDefList | array | Yes | - | List of verification definitions (at least one required) |
Note: digitalSignVerificationDefList must contain at least one verification definition.
digitalSignVerificationDefList
Each verification definition is an object with the following fields:
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| description | string | No | - | Verification definition description |
| sourceVar | object | Yes | - | Source variable containing data to verify |
| signatureVar | object | Yes | - | Variable containing signature to verify |
| signatureAlgorithm | string | No* | null | Signature algorithm (required if signatureAlgorithmVar not provided) |
| signatureAlgorithmVar | object | No* | null | Variable containing signature algorithm name (required if signatureAlgorithm not provided) |
| keyCertificateType | string | No | KEY | Key or certificate type: KEY or CERTIFICATE |
| keyName | string | No* | null | Key name (resolved to ID automatically). Required if keyCertificateType=KEY |
| certificateName | string | No* | null | Certificate name (resolved to ID automatically). Required if keyCertificateType=CERTIFICATE |
| inputEncodingType | string | No | BASE64 | Input encoding type: BASE64 or HEXADECIMAL |
EnumSignatureAlgorithm
- RSA algorithms:
NONEwithRSA,MD2withRSA,MD5withRSA,SHA1withRSA,SHA224withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA - DSA algorithms:
NONEwithDSA,SHA1withDSA,SHA224withDSA,SHA256withDSA - ECDSA algorithms:
NONEwithECDSA,SHA1withECDSA,SHA224withECDSA,SHA256withECDSA,SHA384withECDSA,SHA512withECDSA
EnumKeyCertificateType
KEY- Use public key from CryptoKeyInfo by nameCERTIFICATE- Use certificate by name (extracts public key from certificate)
EnumEncodingType
BASE64- Base64 encoding (matches BASE64 output from sign policy)HEXADECIMAL- Hexadecimal encoding (matches HEXADECIMAL output from sign policy)
Note
sourceVarandsignatureVarare required.- Either
signatureAlgorithmorsignatureAlgorithmVarmust be provided. - If
keyCertificateType: KEY,keyNameis required. - If
keyCertificateType: CERTIFICATE,certificateNameis required. inputEncodingTypemust match theoutputEncodingTypeused when signing.
Response
Success Response (200 OK)
{
"status": "SUCCESS",
"resultList": null,
"resultCount": null,
"deploymentResult": {
"envName": "production",
"podName": "",
"podIp": "",
"success": true,
"detail": "",
"responseTime": 123,
"detailList": []
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/digital-sign-verification-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "API_PROXY",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-digital-sign-verification",
"description": "Verify request signatures",
"active": true,
"digitalSignVerificationDefList": [
{
"sourceVar": {
"type": "BODY",
"bodyJsonPath": "$"
},
"signatureVar": {
"type": "HEADER",
"headerName": "X-Signature"
},
"signatureAlgorithm": "SHA256withRSA",
"keyCertificateType": "KEY",
"keyName": "my-verification-key",
"inputEncodingType": "BASE64"
}
]
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"status": "SUCCESS",
"resultList": null,
"resultCount": null,
"deploymentResult": {
"envName": "production",
"podName": "",
"podIp": "",
"success": true,
"detail": "",
"responseTime": 123,
"detailList": []
}
}
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "API_PROXY",
"targetPipeline": "REQUEST",
"deploy": false
}
}
Response
Success Response (200 OK)
{
"status": "SUCCESS",
"resultList": null,
"resultCount": null,
"deploymentResult": null
}
Notes and Warnings
-
Signature Algorithms:
- RSA:
SHA256withRSA,SHA384withRSA,SHA512withRSA(recommended) - ECDSA:
SHA256withECDSA,SHA384withECDSA,SHA512withECDSA(for elliptic curve) - DSA:
SHA1withDSA,SHA224withDSA,SHA256withDSA(legacy)
- RSA:
-
Key/Certificate Type:
KEY- Uses public key from CryptoKeyInfo (requireskeyName)CERTIFICATE- Extracts public key from certificate (requirescertificateName)
-
Input Encoding:
BASE64- Base64 encoding (must match sign policy output)HEXADECIMAL- Hexadecimal encoding (must match sign policy output)
-
Source Variable: Variable containing data that was signed (must match original signed data)
-
Signature Variable: Variable containing signature to verify
-
Signature Algorithm:
- Can be specified directly via
signatureAlgorithm - Can be extracted from variable via
signatureAlgorithmVar - Must match algorithm used for signing
- Can be specified directly via
-
Key Management:
- CryptoKeyInfo or Certificate must be configured in Apinizer
- Keys and certificates are referenced by name; the system resolves them to internal IDs automatically
- Public key must be accessible for verification
- Key must match signature algorithm (RSA key for RSA algorithms, ECDSA key for ECDSA algorithms)
-
Verification Failure:
- Invalid signature causes verification to fail
- Policy execution stops and error is returned
- Request/response is blocked if verification fails
-
Performance: Signature verification adds cryptographic processing overhead. Use for necessary integrity/authenticity checks only.
-
Pipeline:
REQUESTpipeline verifies request signatures before processingRESPONSEpipeline verifies response signatures before sending to client
-
Error Handling: Invalid signature, missing data, or algorithm mismatch causes verification to fail
-
Deployment: Policy changes require deployment to take effect. Set
deploy: trueor deploy manually.
Related Documentation
- List Policies - List all policies
- Add Policy - General policy addition guide
- Update Policy - General policy update guide
- Delete Policy - General policy deletion guide
- Digital Sign Policy - Generate digital signatures