Policy reference overview
This pageapplies toApigee andApigee hybrid.
View Apigee Edge documentation.
Apigee's policies augment your APIs to control traffic, enhance performance, enforce security, and increase the utility of your APIs, without requiring you to write code or modify backend services.
In addition, Apigee provides extension policies that let you implement custom logic in the form of JavaScript, Python, Java, and XSLT stylesheets.
Policy categories and types
A policy'scategory indicates the functional area (for example, security or mediation) for the policy. Policies are shown sorted by category below.
The policy type refers to how the policy can be used in Apigee:
- Standard policies are suitable for internal development and lightweight API solutions. Standard policies can be used with anyenvironment type. To see the list of standard policies, seeStandard policies by category.
- Extensible policies provide more functionality than standard policies, including for traffic management, mediation, and security. The extensible policies also include policies to implement custom logic in the form of JavaScript, Python, Java, and XSLT stylesheets.
Extensible policies can be used with intermediate and comprehensive environment types only. Using an extensible policy automatically converts that proxy to anExtensible proxy, which could have cost and other implications. Check thePay-as-you-go entitlements andSubscription 2024 for information.
To see the list of extensible policies, seeExtensible policies by category.
ForPay-as-you-go users, the types of policies you can use in a proxy depend on theenvironment types you plan to deploy that proxy to. SeePay-as-you-go for more information.
If there are two policies, one standard and one extensible, that would both perform the functions you need, use the standard policy.
Standard policies by category
Following are the categories for the standard policies:
| Traffic management policies | Mediation policies | Security policies | Extension policies |
|---|---|---|---|
Let you control quotas and mitigate the effects of API traffic spikes. | Let you perform message transformation, parsing, and validation, as well as raise faults and alerts. | Let you apply security-related policies. | Let you define custom policy functionality, such as service callout and message data collection. |
Extensible policies by category
Following are the extensible policies, by category. Proxies with extensible policies can only be deployed to intermediate and comprehensive environments. Extensible policies are indicated in the user interface with this icon:
.
| Traffic management policies | Mediation policies | Security policies | Extension policies | AI policies |
|---|---|---|---|---|
Let you configure caching, control quotas, mitigate the effects of spikes, and perform other functions related to your API traffic. | Let you perform message transformation, parsing, and validation, as well as raise faults and alerts. | Let you control access to your APIs with OAuth, API key validation, and other threat protection features.
| Let you define custom policy functionality, such as service callout, message data collection, and calling Java, JavaScript, and Python scripts. | Let you optimize and secure the performance of AI workloads and models. |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.