Using Policies¶
Policies are evaluated by the Gateway before a request is forwarded to the Orchestrator. They let you enforce requirements (headers, OAuth token validation), apply throttling, and attach transformations.
Full reference (all policy types, YAML fields, environment, policy bindings): Gateway flow policies.
Policy Location¶
Store policy files in flows/policies/ and deploy them with your flows.
Policy Model (Quick Reference)¶
name: example
type: required_headers # required_headers | oauth_inbound | rate_limit | rate_limit_product | transform
apply_to: ["order-*"] # glob patterns against workflow name
apply_to_triggers: ["http"] # http | schedule | rabbitmq | "*"
on_violation: reject # reject | log
Examples¶
1. Require headers¶
name: require-tenant-headers
type: required_headers
apply_to: ["*"]
apply_to_triggers: ["http"]
headers:
- X-Domain
- X-Service
- X-Action
- X-Version
on_violation: log
2. OAuth token introspection (external IdP)¶
name: oauth-inbound-partner
type: oauth_inbound
apply_to: ["partner-*"]
apply_to_triggers: ["http"]
introspection_url: "https://idp.example.com/oauth/introspect"
client_id: "$secret:idp-client-id"
client_secret: "$secret:idp-client-secret"
required_scopes:
- read:api
cache_ttl_seconds: 60
on_violation: reject
3. Throttling by product (identity service)¶
name: rate-limit-products
type: rate_limit_product
apply_to: ["*"]
apply_to_triggers: ["http"]
fallback_product: "free-tier"
on_violation: reject
4. Transform request/response payloads¶
name: transform-orders
type: transform
apply_to: ["order-*"]
apply_to_triggers: ["http"]
inbound:
template_file: "normalize-order-inbound.liquid"
outbound:
xslt_file: "format-order-response.xslt"
on_error:
template_file: "error-envelope.liquid"
Notes¶
- Policy examples are available under
flows/policies/. - Authentication for JWT/API key happens at the Edge Route level (see Gateway Hardening). OAuth introspection
for external IdPs is handled by the
oauth_inboundpolicy. - HMAC and Basic auth are not supported on the gateway today.
Rollout Pattern¶
- Add policy in Git.
- Validate in non-production.
- Observe rejects and trace outcomes.
- Promote to production.