Skip to content

Using Policies

Policies are evaluated by the Gateway before a request is forwarded to the Orchestrator. They let you enforce requirements (headers, OAuth token validation), apply throttling, and attach transformations.

Full reference (all policy types, YAML fields, environment, policy bindings): Gateway flow policies.

Policy Location

Store policy files in flows/policies/ and deploy them with your flows.

Policy Model (Quick Reference)

name: example
type: required_headers         # required_headers | oauth_inbound | rate_limit | rate_limit_product | transform
apply_to: ["order-*"]           # glob patterns against workflow name
apply_to_triggers: ["http"]     # http | schedule | rabbitmq | "*"
on_violation: reject            # reject | log

Examples

1. Require headers

name: require-tenant-headers
type: required_headers
apply_to: ["*"]
apply_to_triggers: ["http"]
headers:
  - X-Domain
  - X-Service
  - X-Action
  - X-Version
on_violation: log

2. OAuth token introspection (external IdP)

name: oauth-inbound-partner
type: oauth_inbound
apply_to: ["partner-*"]
apply_to_triggers: ["http"]
introspection_url: "https://idp.example.com/oauth/introspect"
client_id: "$secret:idp-client-id"
client_secret: "$secret:idp-client-secret"
required_scopes:
  - read:api
cache_ttl_seconds: 60
on_violation: reject

3. Throttling by product (identity service)

name: rate-limit-products
type: rate_limit_product
apply_to: ["*"]
apply_to_triggers: ["http"]
fallback_product: "free-tier"
on_violation: reject

4. Transform request/response payloads

name: transform-orders
type: transform
apply_to: ["order-*"]
apply_to_triggers: ["http"]
inbound:
  template_file: "normalize-order-inbound.liquid"
outbound:
  xslt_file: "format-order-response.xslt"
on_error:
  template_file: "error-envelope.liquid"

Notes

  • Policy examples are available under flows/policies/.
  • Authentication for JWT/API key happens at the Edge Route level (see Gateway Hardening). OAuth introspection for external IdPs is handled by the oauth_inbound policy.
  • HMAC and Basic auth are not supported on the gateway today.

Rollout Pattern

  1. Add policy in Git.
  2. Validate in non-production.
  3. Observe rejects and trace outcomes.
  4. Promote to production.