Rule reference
In APIM 3.0, you define rules to validate, authenticate, authorize, and configure request and response behavior as part of a Policy. Policies are re-usable. You can apply them to all Services, to individual Services, or to individual endpoints. Refer to Introduction to Policies for an overview of Policies and rules.
The available rules fall into the following categories:
- Validate
- Authenticate
- Authorize
- Shape (behavior such as caching, client throttling and retries, CORS and IP restrictions, and redirects)
- Transform (modify request before processing, response, or response headers)
- Outbound (authentication for upstream requests)
Expression-enabled rule fields with the equals icon, 
, support
the SnapLogic Expression Language and API Composer Functions. Click the dropdown on the
expression field to display the selector for operators, document values, and arrow functions. Disable
the expression icon to enter a literal string.
Rules Matrix
The documentation navigation pane lists rules alphabetically. The following table organizes them by category and provides a brief description:
| Name | Category | Description |
|---|---|---|
| Inbound TLS | Validate |
Validates that the client TLS certificate exists in the Groundplex truststore and is not expired. Doesn't apply to requests sent to a Cloudplex. |
| Early Request Validator | Validates a request before authentication and returns a customized response. | |
| JSON Validator | Validates a request against a JSON schema. | |
| SQL Threat Detector | Protects against the injection of SQL commands in the header, path, query, and payload of incoming HTTP requests. | |
| XML DTD Validator | Validates a request against the provided XML DTD schema. | |
| XML XSD Validator | Validates a request against the provided XML XSD schema. | |
| Anonymous Authenticator | Authenticate | Allows anonymous access to a Task. The user’s roles are taken from the Anonymous Authenticator API rule configuration. |
| API Key Authenticator | Authenticates a client using API keys passed as a header or query parameter. | |
| Callout Authenticator | Authenticates a client by calling out to a REST service to validate a token in the request and then authenticating the user. | |
| OAuth 2.0 Client Credentials | Authenticates users with a token in your OAuth 2.0 environment. | |
| Generic OAuth2 | Authenticates requests from users registered in an existing identity provider. | |
| JWT Validator | Authenticates a request with a token. | |
| Authorize By Role | Authorize | Authorizes a request based on the role associated with the client. If a request is not authorized, it is rejected with a 403 Forbidden error. |
| Authorized Request Validator | Validates a request after authorization and returns a customized response. | |
| Response Cache | Shape | Manages latency and response times for highly reoccurring and static responses. This can reduce the load on the upstream API as well as the proxy server. |
| Client Throttling | Limits Task invocations for a specific client during a specific time period by throttling or rejecting requests from that client. Install this API rule to help protect a Snaplex from being overloaded by too many requests. | |
| CORS Restriction | Sets the appropriate headers for requests coming from a different domain so that the response is not blocked by the browser. | |
| HTTP Retry |
Use this rule to set up retry logic for requests made to your endpoints. |
|
| IP Restriction | Restricts access based on the client IP address of the request. If the request does not meet the configured requirements, it is rejected with a 403 Forbidden error. | |
| Request Size Limit | Limits the size of each request. | |
| HTTP Redirect |
Manages HTTP redirection for API requests. |
|
| Request Transformer | Transform |
Transforms a request before it is passed onto the remaining API rules and, finally, the pipeline to be executed. |
| Response Mapper | Transforms the response body. The rule controls provide expression/target path mappings and a Pass Through option for unaffected mappings. | |
| Response Transformer |
Transforms the response headers of the API. You can use this rule to add, remove, or modify response headers. |
|
| Outbound Basic Auth | Outbound | Sets up a Basic Authentication account for verification at a proxy endpoint level when you establish a connection with a service or a system. |
| Outbound JWT Policy | Authenticates an upstream JWT token. | |
| Outbound OAuth2 | Sets specific OAuth2 parameters such as authorization URLs that are generated through access tokens with client credentials (client ID and client secret) to enforce OAuth2 authentication for upstream API calls. | |
| Outbound TLS |
Ensures that outbound endpoints are verified by TLS certificates during API processing. |