Policies Reference¶
Policies are YAML files that the gateway evaluates before a workflow run is forwarded to the orchestrator (via edge routes: /v1/api/..., /v1/webhooks/...).
Canonical technical reference (types, fields, environment variables, policy bindings, behaviour in code): Gateway flow policies.
This page stays a short flows-focused summary with examples; if anything conflicts, the engine reference wins.
Policy model¶
name: my-policy # recommended; required for gateway_policy_bindings on the trigger
type: <policy-type>
apply_to:
- "order-*" # fnmatch pattern or exact workflow name
- "billing-invoice"
apply_to_triggers:
- http # typically http at the gateway edge; see canonical doc for "*"
Evaluation runs for every policy whose apply_to and apply_to_triggers match—processing order follows policy filename (alphabetically under POLICY_DIR). There is no separate global step-by-step pipeline across policies; do not combine conflicting rules unless you separate scopes with apply_to.
Policy types (summary)¶
type |
Short description |
|---|---|
required_headers |
Mandatory HTTP headers; on_violation: reject → 400, log → log only |
oauth_inbound |
Bearer token introspection against an IdP (introspection_url, optional required_scopes) |
rate_limit_product |
Quota via identity/product model (fallback_product, etc.) |
transform |
Declarative inbound / outbound / on_error blocks—the gateway collects specs; see canonical doc for wiring transforms |
See Gateway flow policies for all fields and boundaries (e.g. /v1/run does not use flow policies, optional gateway_policy_bindings on the invocation).
Policy files¶
- Repo location:
flows/policies/*.yaml; runtime: environment variablePOLICY_DIR(default/app/flows/policies). - Cache:
POLICY_CACHE_TTL_SECONDS(default 30 seconds).
flows/policies/
├── global-headers.yaml
├── partner-oauth.yaml
├── rate-limits.yaml
└── order-transform.yaml
Examples in the repository:
flows/policies/example-require-headers.yamlflows/policies/example-oauth-inbound.yamlflows/policies/example-transform-policy.yamlflows/policies/example-rate-limit-product.yaml
Operational guidance¶
- Start in non-production and monitor rejected requests.
- Version and review policies like code.
- Use
on_violation: logduring rollout to audit without blocking. - Glob patterns use Python
fnmatch(e.g.order-*).
See also¶
- Technical (gateway): Gateway flow policies
- Gateway API / edge routes: Gateway API
- How-to: Using Policies
- Products / quotas: API Keys & Products