Script Policy

General Information

Policy Type

policy-script

UI Documentation

📖 For detailed information: [UI Documentation Link - Link will be added here]

Description

Script policy allows you to execute custom scripts (Groovy or JavaScript) during request/response processing. Scripts can modify requests, responses, set variables, call external services, and perform custom business logic.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header Value
Authorization Bearer {token}

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-script",
            "name": "script-policy",
            "description": "Custom script policy",
            "active": true,
            "executionType": "SYNC",
            "scriptLanguage": "GROOVY",
            "scriptBody": "def messageContext = messageContext;\ndef request = messageContext.getRequest();\nrequest.setHeader('X-Custom-Header', 'CustomValue');"
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-script",
    "description": "Add custom header to request",
    "active": true,
    "executionType": "SYNC",
    "scriptLanguage": "GROOVY",
    "scriptBody": "def messageContext = messageContext;\ndef request = messageContext.getRequest();\nrequest.setHeader('X-Custom-Header', 'CustomValue');\nrequest.setHeader('X-Request-Time', String.valueOf(System.currentTimeMillis()));"
  }
}
Request Body Fields
operationMetadata
Field Type Required Default Description
targetScope string Yes - Policy scope: ALL or ENDPOINT
targetEndpoint string No* - Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod string No* - HTTP method (required if targetScope=ENDPOINT)
targetPipeline string Yes - Pipeline: REQUEST, RESPONSE, or ERROR
deploy boolean No true Whether to deploy after adding policy
deployTargetEnvironmentNameList array No [] List of environment names to deploy to
order integer No null Policy execution order (starts from 1)

Enum: targetScope

  • ALL - Policy applies to all endpoints
  • ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

  • REQUEST - Executes in request pipeline
  • RESPONSE - Executes in response pipeline
  • ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

  • GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
policy
Field Type Required Default Description
type string Yes - Policy type: policy-script
description string No - Policy description
active boolean No true Whether policy is active
executionType string Yes - Execution type: SYNC or ASYNC
scriptLanguage string Yes - Script language: GROOVY or JAVASCRIPT
scriptBody string Yes - Script code to execute

Enum: executionType

  • SYNC - Synchronous execution (blocks request/response until script completes)
  • ASYNC - Asynchronous execution (non-blocking, script runs in background)

EnumScriptType (scriptLanguage)

  • GROOVY - Groovy scripting language
  • JAVASCRIPT - JavaScript (Nashorn engine)

Script Context Variables

The script has access to the following variables:

  • messageContext - Message context object (request/response)
  • request - HTTP request object (available in REQUEST pipeline)
  • response - HTTP response object (available in RESPONSE/ERROR pipeline)
  • variables - Variable map for storing/retrieving values
  • logger - Logger for script logging

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/script-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-script",
      "description": "Add custom header to request",
      "active": true,
      "executionType": "SYNC",
      "scriptLanguage": "GROOVY",
      "scriptBody": "def messageContext = messageContext;\ndef request = messageContext.getRequest();\nrequest.setHeader(\"X-Custom-Header\", \"CustomValue\");"
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-script",
    "description": "Updated script - Add timestamp header",
    "active": true,
    "executionType": "SYNC",
    "scriptLanguage": "GROOVY",
    "scriptBody": "def messageContext = messageContext;\ndef request = messageContext.getRequest();\nrequest.setHeader('X-Request-Time', String.valueOf(System.currentTimeMillis()));\nrequest.setHeader('X-Request-ID', UUID.randomUUID().toString());"
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X PUT \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/script-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-script",
      "description": "Updated script - Add timestamp header",
      "active": true,
      "executionType": "SYNC",
      "scriptLanguage": "GROOVY",
      "scriptBody": "def messageContext = messageContext;\ndef request = messageContext.getRequest();\nrequest.setHeader(\"X-Request-Time\", String.valueOf(System.currentTimeMillis()));"
    }
  }'

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}
Request Body Fields
operationMetadata
Field Type Required Description  
targetScope string Yes Policy scope: ALL or ENDPOINT  
targetPipeline string Yes Pipeline: REQUEST, RESPONSE, or ERROR  
deploy boolean No false Whether to deploy after deletion

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

cURL Example

curl -X DELETE \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/script-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": false
    }
  }'

Notes and Warnings

  • Script Execution:
    • SYNC - Script executes synchronously and blocks request/response processing
    • ASYNC - Script executes asynchronously and does not block processing
  • Script Languages:
    • GROOVY - Full Groovy support with access to Java APIs
    • JAVASCRIPT - JavaScript (Nashorn engine) with limited Java API access
  • Script Context: Scripts have access to:
    • messageContext - Message context (request/response)
    • request - HTTP request object (REQUEST pipeline)
    • response - HTTP response object (RESPONSE/ERROR pipeline)
    • variables - Variable map for data storage
    • logger - Logger for script logging
  • Performance:
    • Synchronous scripts block request/response processing
    • Keep scripts simple and fast for better performance
    • Use asynchronous scripts for non-critical operations
  • Error Handling: Script errors can break request/response processing. Test scripts thoroughly.
  • Security: Scripts have full access to request/response data. Validate and sanitize inputs.
  • Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.