Policy reference overview

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

Apigee's policies augment your APIs to control traffic, enhance performance, enforce security, and increase the utility of your APIs, without requiring you to write code or modify backend services.

In addition, Apigee provides extension policies that let you implement custom logic in the form of JavaScript, Python, Java, and XSLT stylesheets.

Policy categories and types

A policy's category indicates the functional area (for example, security or mediation) for the policy. Policies are shown sorted by category below.

Policy types are applicable to Pay-as-you-go users and Subscription 2024 users. Subscription users on Subscription 2021 plans will not see policy type distinctions in the Apigee UI and can use policies independent of the policy type.

The policy type refers to how the policy can be used in Apigee:

  • Standard policies are suitable for internal development and lightweight API solutions. Standard policies can be used with any environment type. To see the list of standard policies, see Standard policies by category.
  • Extensible policies provide more functionality than standard policies, including for traffic management, mediation, and security. The extensible policies also include policies to implement custom logic in the form of JavaScript, Python, Java, and XSLT stylesheets.

    Extensible policies can be used with intermediate and comprehensive environment types only. Using an extensible policy automatically converts that proxy to an Extensible proxy, which could have cost and other implications. Check the Pay-as-you-go entitlements and Subscription 2024 for information.

    To see the list of extensible policies, see Extensible policies by category.

For Pay-as-you-go users, the types of policies you can use in a proxy depend on the environment types you plan to deploy that proxy to. See Pay-as-you-go for more information.

If there are two policies, one standard and one extensible, that would both perform the functions you need, use the standard policy.

Standard policies by category

Following are the categories for the standard policies:

Traffic management policies Mediation policies Security policies Extension policies

Let you control quotas and mitigate the effects of API traffic spikes.

Let you perform message transformation, parsing, and validation, as well as raise faults and alerts.

Let you apply security-related policies.

Let you define custom policy functionality, such as service callout and message data collection.

Extensible policies by category

Following are the extensible policies, by category. Proxies with extensible policies can only be deployed to intermediate and comprehensive environments. Extensible policies are indicated in the user interface with this icon: extensible policy icon.

Traffic management policies Mediation policies Security policies Extension policies

Let you configure caching, control quotas, mitigate the effects of spikes, and perform other functions related to your API traffic.

Let you perform message transformation, parsing, and validation, as well as raise faults and alerts.

Let you control access to your APIs with OAuth, API key validation, and other threat protection features.

Let you define custom policy functionality, such as service callout, message data collection, and calling Java, JavaScript, and Python scripts.