APPLIES TO: All API Management tiers
This section provides brief descriptions and links to reference articles for all API Management policies. The API Management gateways that support each policy are indicated. For detailed policy settings and examples, see the linked reference articles.
Rate limiting and quotas
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Limit call rate by subscription | Prevents API usage spikes by limiting call rate, on a per subscription basis. | Yes | Yes | Yes | Yes | Yes | 
| Limit call rate by key | Prevents API usage spikes by limiting call rate, on a per key basis. | Yes | Yes | No | Yes | Yes | 
| Set usage quota by subscription | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. | Yes | Yes | Yes | Yes | Yes | 
| Set usage quota by key | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. | Yes | Yes | No | Yes | Yes | 
| Limit concurrency | Prevents enclosed policies from executing by more than the specified number of requests at a time. | Yes | Yes | Yes | Yes | Yes | 
| Limit Azure OpenAI Service token usage | Prevents Azure OpenAI API usage spikes by limiting large language model tokens per calculated key. | Yes | Yes | No | Yes | Yes | 
| Limit large language model API token usage | Prevents large language model (LLM) API usage spikes by limiting LLM tokens per calculated key. | Yes | Yes | No | Yes | Yes | 
Authentication and authorization
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Check HTTP header | Enforces existence and/or value of an HTTP header. | Yes | Yes | Yes | Yes | Yes | 
| Get authorization context | Gets the authorization context of a specified connection to a credential provider configured in the API Management instance. | Yes | Yes | Yes | No | No | 
| Restrict caller IPs | Filters (allows/denies) calls from specific IP addresses and/or address ranges. | Yes | Yes | Yes | Yes | Yes | 
| Validate Microsoft Entra token | Enforces existence and validity of a Microsoft Entra (formerly called Azure Active Directory) JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes | Yes | 
| Validate JWT | Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes | Yes | 
| Validate client certificate | Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims. | Yes | Yes | Yes | Yes | Yes | 
| Authenticate with Basic | Authenticates with a backend service using Basic authentication. | Yes | Yes | Yes | Yes | Yes | 
| Authenticate with client certificate | Authenticates with a backend service using client certificates. | Yes | Yes | Yes | Yes | Yes | 
| Authenticate with managed identity | Authenticates with a backend service using a managed identity. | Yes | Yes | Yes | Yes | No | 
Content validation
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Enforce content safety checks on LLM requests | Enforces content safety checks on LLM requests (prompts) by transmitting them to the Azure AI Content Safety service before sending to the backend LLM. | Yes | Yes | Yes | Yes | Yes | 
| Validate content | Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML. | Yes | Yes | Yes | Yes | Yes | 
| Validate GraphQL request | Validates and authorizes a request to a GraphQL API. | Yes | Yes | Yes | Yes | No | 
| Validate OData request | Validates a request to an OData API to ensure conformance with the OData specification. | Yes | Yes | Yes | Yes | Yes | 
| Validate parameters | Validates the request header, query, or path parameters against the API schema. | Yes | Yes | Yes | Yes | Yes | 
| Validate headers | Validates the response headers against the API schema. | Yes | Yes | Yes | Yes | Yes | 
| Validate status code | Validates the HTTP status codes in responses against the API schema. | Yes | Yes | Yes | Yes | Yes | 
Routing
Caching
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Set request method | Allows you to change the HTTP method for a request. | Yes | Yes | Yes | Yes | Yes | 
| Set status code | Changes the HTTP status code to the specified value. | Yes | Yes | Yes | Yes | Yes | 
| Set variable | Persists a value in a named context variable for later access. | Yes | Yes | Yes | Yes | Yes | 
| Set body | Sets the message body for a request or response. | Yes | Yes | Yes | Yes | Yes | 
| Set HTTP header | Assigns a value to an existing response and/or request header or adds a new response and/or request header. | Yes | Yes | Yes | Yes | Yes | 
| Set query string parameter | Adds, replaces the value of, or deletes a request query string parameter. | Yes | Yes | Yes | Yes | Yes | 
| Rewrite URL | Converts a request URL from its public form to the form expected by the web service. | Yes | Yes | Yes | Yes | Yes | 
| Convert JSON to XML | Converts request or response body from JSON to XML. | Yes | Yes | Yes | Yes | Yes | 
| Convert XML to JSON | Converts request or response body from XML to JSON. | Yes | Yes | Yes | Yes | Yes | 
| Find and replace string in body | Finds a request or response substring and replaces it with a different substring. | Yes | Yes | Yes | Yes | Yes | 
| Mask URLs in content | Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. | Yes | Yes | Yes | Yes | Yes | 
| Transform XML using an XSLT | Applies an XSL transformation to XML in the request or response body. | Yes | Yes | Yes | Yes | Yes | 
| Return response | Aborts pipeline execution and returns the specified response directly to the caller. | Yes | Yes | Yes | Yes | Yes | 
| Mock response | Aborts pipeline execution and returns a mocked response directly to the caller. | Yes | Yes | Yes | Yes | Yes | 
Cross-domain
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Allow cross-domain calls | Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients. | Yes | Yes | Yes | Yes | Yes | 
| CORS | Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients. | Yes | Yes | Yes | Yes | Yes | 
| JSONP | Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. | Yes | Yes | Yes | Yes | Yes | 
Integration and external communication
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Send request | Sends a request to the specified URL. | Yes | Yes | Yes | Yes | Yes | 
| Send one way request | Sends a request to the specified URL without waiting for a response. | Yes | Yes | Yes | Yes | Yes | 
| Log to event hub | Sends a message in the specified format to an event hub defined by a Logger entity. | Yes | Yes | Yes | Yes | Yes | 
| Send message to Azure Service Bus (preview) | Sends a message to an Azure Service Bus queue or topic. | Yes | No | No | No | No | 
| Send request to a service (Dapr) | Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this README file. | No | No | No | Yes | No | 
| Send message to Pub/Sub topic (Dapr) | Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this README file. | No | No | No | Yes | No | 
| Trigger output binding (Dapr) | Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this README file. | No | No | No | Yes | No | 
Logging
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Trace | Adds custom traces into the request tracing output in the test console, Application Insights telemetries, and resource logs. | Yes | Yes¹ | Yes | Yes | Yes | 
| Emit metrics | Sends custom metrics to Application Insights at execution. | Yes | Yes | Yes | Yes | Yes | 
| Emit Azure OpenAI token metrics | Sends metrics to Application Insights for consumption of large language model tokens through Azure OpenAI service APIs. | Yes | Yes | No | Yes | Yes | 
| Emit large language model API token metrics | Sends metrics to Application Insights for consumption of large language model (LLM) tokens through LLM APIs. | Yes | Yes | No | Yes | Yes | 
¹ In the V2 gateway, the trace policy currently does not add tracing output in the test console.
GraphQL resolvers
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Azure SQL data source for resolver | Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | No | 
| Cosmos DB data source for resolver | Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | No | 
| HTTP data source for resolver | Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | Yes | No | No | 
| Publish event to GraphQL subscription | Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. | Yes | Yes | Yes | No | No | 
AI gateway
Policy control and flow
| Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace | 
| Control flow | Conditionally applies policy statements based on the results of the evaluation of Boolean expressions. | Yes | Yes | Yes | Yes | Yes | 
| Include fragment | Inserts a policy fragment in the policy definition. | Yes | Yes | Yes | Yes | Yes | 
| Retry | Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count. | Yes | Yes | Yes | Yes | Yes | 
| Wait | Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding. | Yes | Yes | Yes | Yes | Yes | 