API Policy & Auth and Authorization

Uploaded by SanjeevSonu

API Policy

Policies are a collection of statements that are run sequentially on the request or response of an API.
API Management provides more than 50 policies out of the box that you can configure to address
common API scenarios such as authentication, rate limiting, caching, and transformation of requests
or responses.

Popular policies include:

• Format conversion from XML to JSON
• Call rate limiting to restrict the number of incoming calls from a developer
• Filtering requests that come from certain IP addresses

Policies are applied inside the gateway between the API consumer and the managed API. While the
gateway receives requests and forwards them, unaltered, to the underlying API, a policy can apply
changes to both the inbound request and outbound response.

Understanding policy configuration

Policy definitions are simple XML documents that describe a sequence of statements to apply
to requests and responses.

API management policy reference

https://learn.microsoft.com/en-us/azure/api-management/api-management-policies?WT.mc_id=thomasmaurer-blog-thmaure

Enforce API version header existence.

You need to require that requests pass the API version information. To do this, add a
Check HTTP Header policy to all operations of the BrezyWeather API that validates that the
X-API-Version header has the value 1.0. You should place this within the inbound section of the policy.
Remember that you may need to use the policy code editor to configure some policies. When a
request does not pass this header and value, return error code 406 with the message
"API version was not specified or incorrect". Test the policy by sending a test request from the portal.

Select All operations and then apply the policy (scope).

Place the cursor next to the <base /> element inside the inbound section (1) and expand the Show
snippets drop-down at the top right (2).

Select the HTTP header policy.

Enter the following value.

After adding the header, the request passes; without it, the request fails.
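
The policy document these steps produce, written out as an added example (it is not taken from the original document). It uses the API Management check-header policy with the values stated in the requirement; ignore-case="true" and the pass-through backend, outbound and on-error sections are assumptions.

```xml
<policies>
    <inbound>
        <!-- Run the policies inherited from broader scopes first. -->
        <base />
        <!-- Reject any request whose X-API-Version header is missing or does
             not match one of the listed values. The gateway answers with the
             configured status code and message instead of calling the backend.
             ignore-case (an assumption here) controls how the header value is
             compared against the <value> entries. -->
        <check-header name="X-API-Version"
                      failed-check-httpcode="406"
                      failed-check-error-message="API version was not specified or incorrect"
                      ignore-case="true">
            <value>1.0</value>
        </check-header>
    </inbound>
    <!-- The remaining sections only inherit from the parent scope. -->
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this in place at the All operations scope, a request without the header, or with a value other than 1.0, is answered by the gateway with 406 and never reaches the backend.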


Authentication and authorization

Validate client certificate.

https://learn.microsoft.com/en-us/azure/api-management/validate-client-certificate-policy

Authenticate with client certificate.

Use the authentication-certificate policy to authenticate with a backend service using a client
certificate. Once the certificate is installed into API Management, identify it by its
thumbprint or certificate ID (resource name).

<authentication-certificate thumbprint="thumbprint" certificate-id="resource name"
    body="certificate byte array" password="optional password"/>

Authenticate with Basic

Use the authentication-basic policy to authenticate with a backend service using Basic authentication.
This policy effectively sets the HTTP Authorization header to the value corresponding to the
credentials provided in the policy.
