SOAPMessageValidation policy
This pageapplies toApigee andApigee hybrid.
View Apigee Edge documentation.
The SOAPMessageValidation policy does the following:
- Validates any XML message against their XSD schemas
- Validates SOAP messages against a WSDL definition
- Determines well-formedness of JSON and XML messages
While the name of this policy in the UI isSOAPMessageValidation, the policy validates more than just SOAP messages. This section refers to the policy as theMessageValidation policy.
Message validation provides the following benefits:
- Immediately informs app developers that are consuming your API if their requests are non-conformant or incomplete.
- Pinpoints issues in requests, such as XML tags that are not properly closed.
- Protects backend services by blocking XML or SOAP messages with structures that might cause unpredictable behavior.
- Reduces time spent troubleshooting, searching forums, or consulting with tech support.
- Encourages developers to familiarize themselves with the XML schema WSDL definition to eliminate validation errors, making well-understood XML schemas a key component of your API documentation.
This policy is aStandard policy and can be deployed to any environment type. For information on policy types and availability with each environment type, seePolicy types.
Videos
Watch the following videos to learn more about the MessageValidation policy:
| Video | Description |
|---|---|
| Validate XML request | Validate the XML request for an API using the MessageValidation policy. |
| Validate JSON request | Validate the JSON request for an API using the MessageValidation policy. |
<MessageValidation> element
Defines the MessageValidation policy.
| Default Value | SeeDefault Policy tab, below |
| Required? | Optional |
| Type | Complex object |
| Parent Element | n/a |
| Child Elements | <DisplayName><Element><ResourceURL><SOAPMessage><Source> |
Syntax
The<MessageValidation> element uses the following syntax:
<MessageValidation continueOnError="[false|true]" enabled="[true|false]" name="policy_name"> <!-- All MessageValidation child elements are optional --> <DisplayName>policy_display_name</DisplayName> <Element namespace="element_namespace">element_to_validate</Element> <SOAPMessage version="[ 1.1 | 1.2 | 1.1/1.2 ]"/> <Source>message_to_validate</Source> <ResourceURL>validation_WSDL_or_XSD</ResourceURL></MessageValidation>
Default Policy
The following example shows the default settings when you add a MessageValidation policy to your flow in the Apigee UI:
<MessageValidation continueOnError="false" enabled="true" name="SOAP-Message-Validation-1"> <DisplayName>SOAP Message Validation-1</DisplayName> <Properties/> <Element namespace="http://sample.com">sampleObject</Element> <SOAPMessage/> <Source>request</Source> <ResourceURL>wsdl://SOAP-Message-Validation-1.wsdl</ResourceURL></MessageValidation>
This element has the following attributes that are common to all policies:
| Attribute | Default | Required? | Description |
|---|---|---|---|
name | N/A | Required | The internal name of the policy. The value of the Optionally, use the |
continueOnError | false | Optional | Set tofalse to return an error when a policy fails. This is expected behavior for most policies. Set totrue to have flow execution continue even after a policy fails. See also: |
enabled | true | Optional | Set totrue to enforce the policy. Set tofalse toturn off the policy. The policy will not be enforced even if it remains attached to a flow. |
async | false | Deprecated | This attribute is deprecated. |
Examples
The following examples show some of the ways in which you can use the MessageValidation policy:
1: XSD Validation
You can use the Message Validation policy to validate an XML message request's payload against an XSD schema.
- Create a new XSDresource file. For example,
note-schema.xsd:<xs:schemaxmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:elementname="note"><xs:complexType><xs:sequence><xs:elementname="to"type="xs:string"/><xs:elementname="from"type="xs:string"/><xs:elementname="heading"type="xs:string"/><xs:elementname="body"type="xs:string"/></xs:sequence></xs:complexType></xs:element></xs:schema>
- Add the SOAP Message Validation policy to your proxy endpoint's pre-flow:
- Specify the location of your XSD resource file with the
<ResourceURL>element. For example:... <ResourceURL>xsd://note-schema.xsd</ResourceURL>...
- Remove the
<SOAPMessage>and<Element>elements from the policy definition.
Your policy definition should look like the following:
<MessageValidation continueOnError="false" enabled="true" name="validateXMLRequest"> <DisplayName>My XML Validator</DisplayName> <Properties/> <Source>request</Source> <ResourceURL>xsd://note-schema.xsd</ResourceURL></MessageValidation>
- Specify the location of your XSD resource file with the
- Send a
POSTrequest to your API proxy with your XML as the message payload, as the following example shows:curl -v -X POST -H 'Content-Type: application/xml' http://my-test.apigee.net/v1/xsd-mock -d '<note> <to>Fred Rogers</to> <from>Nick Danger</from> <heading>Greetings from my neighborhood</heading> <body>Just writing to say hello.</body></note>'
Notice that the
Content-typeheader is set toapplication/xml.You can also create a data file for the payload and reference it with a command similar to the following:
curl-v-XPOST-H'Content-type: application/xml'http://my-test.apigee.net/v1/xsd-mock--data'@../examples/note-payload.xml'
You should receive anHTTP 200 response. Depending on your target endpoint, you might receive addditional details about the request. For example, if you usehttp://httpbin.org/post as your target endpoint and specify-v (verbose) output, the response should be similar to the following:
< HTTP/1.1 200 OK< Date: Wed, 16 May 2018 21:24:54 GMT< Content-Type: application/xml< Content-Length: 431< Connection: keep-alive< Server: gunicorn/19.8.1< Access-Control-Allow-Origin:*< Access-Control-Allow-Credentials: true< Via: 1.1 vegur{ "args":{}, "data":"<note><to>fred</to><from>nick</from><heading>hello</heading> <body>Just writing to say hello.</body></note>", "files":{}, "form":{}, "headers": { "Accept":"*/*", "Connection":"close", "Content-Length":"106", "Content-Type":"application/xml", "Host":"httpbin.org", "User-Agent":"curl/7.58.0" }, "json":null, "origin":"10.1.1.1, 104.154.179.1", "url":"http://httpbin.org/post"}
To verify that your XSD validation is working, try inserting another tag into the body of your request. For example:
curl -v -X POST -H 'Content-Type: application/xml' http://my-test.apigee.net/v1/xsd-mock -d '<note> <to>Fred Rogers</to> <from>Nick Danger</from> <heading>Greetings from my neighborhood</heading> <body>Just writing to say hello.</body><badTag>Not good</badTag></note>'
You should receive a validation error.
2: SOAP Validation
You can use the Message Validation policy to validate a SOAP message request's payload against a WSDL.
- Create a new WSDLresource file. For example, "example-wsdl.wsdl":
View Full WSDL
<?xmlversion="1.0"encoding="UTF-8"?><wsdl:definitionstargetNamespace="https://example.com/gateway"xmlns:tns="https://example.com/gateway"xmlns:types="https://example.com/gateway/types"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"> <wsdl:types> <xsd:schemaxmlns:xsd="http://www.w3.org/2001/XMLSchema"targetNamespace="https://example.com/gateway/types"elementFormDefault="qualified"> <xsd:elementname="MyType"> <xsd:complexType> <xsd:sequence> <xsd:elementname="ID"nillable="false"minOccurs="1"maxOccurs="1"/> </xsd:sequence> </xsd:complexType> </xsd:element> </xsd:schema> <schemaattributeFormDefault="unqualified"elementFormDefault="qualified"targetNamespace="https://example.com/gateway"xmlns="http://www.w3.org/2001/XMLSchema"> <xsd:importnamespace="https://example.com/gateway/types"/> <elementname="getID"> <complexType> <sequence> <elementref="types:MyType"/> </sequence> </complexType> </element> </schema> </wsdl:types> <wsdl:messagename="getRequest"> <wsdl:partname="getRequest"element="tns:getID"/> </wsdl:message> <wsdl:messagename="getResponse"> <wsdl:partname="getResponse"element="tns:getID"/> </wsdl:message> <wsdl:portTypename="PortType"> <wsdl:operationname="get"> <wsdl:inputname="methodRequest"message="tns:getRequest"/> <wsdl:outputname="methodResponse"message="tns:getResponse"/> </wsdl:operation> </wsdl:portType> <wsdl:servicename="Gateway"> <wsdl:portname="GatewaySoap"binding="tns:SoapBinding"> <wsdlsoap:addresslocation="https://example.com/gateway"/> </wsdl:port> </wsdl:service> <wsdl:bindingname="SoapBinding"type="tns:PortType"> <wsdlsoap:bindingstyle="document"transport="http://schemas.xmlsoap.org/soap/http"/> <wsdl:operationname="get"> <wsdlsoap:operationsoapAction="get"/> <wsdl:inputname="methodRequest"/> <wsdl:outputname="methodResponse"/> </wsdl:operation> </wsdl:binding></wsdl:definitions>
- Add the SOAP Message Validation policy to your proxy endpoint's pre-flow:
- Set the
<SOAPMessage>element'sversionattribute to the version of the SOAP protocol that you want to validate against. For example, "1.1":... <SOAPMessage version="1.1"/>...
- Set the value of the
<Element>element to the element that you want to validate:... <Element namespace="https://example.com/gateway">getID</Element>...
<Element>specifies the first child under the<Body>element in the SOAP request's envelope.Set the
namespaceattribute to the namespace for that child. - Specify the location of your WSDL resource file with the
<ResourceURL>element. For example:... <ResourceURL>wsdl://example-wsdl.wsdl</ResourceURL>...
Your policy definition should look like the following:
<MessageValidation continueOnError="false" enabled="true" name="validateSOAPRequest"> <DisplayName>My SOAP Validator</DisplayName> <Properties/> <Source>request</Source> <SOAPMessage version="1.1"/> <Element namespace="https://example.com/gateway">getID</Element> <ResourceURL>wsdl://example-wsdl.wsdl</ResourceURL></MessageValidation>
- Set the
- Send a
POSTrequest to your API proxy with the SOAP envelope as the message payload, as the following example shows:curl-v-XPOST-H'Content-Type:application/xml'http://my-test.apigee.net/v1/xsd-mock-d'<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:prox="https://example.com/gateway"xmlns:typ="https://example.com/gateway/types"><soapenv:Header/><soapenv:Body><prox:getID><typ:MyType><typ:ID>42</typ:ID></typ:MyType></prox:getID></soapenv:Body></soapenv:Envelope>'
Notice that the
Content-typeheader is set to "application/xml".You can also create a data file for the payload and reference it with a command similar to the following:
curl-v-XPOST-H'Content-type: application/xml'http://my-test.apigee.net/v1/xsd-mock--data'@../examples/soap-payload.xml'
You should receive anHTTP 200 response. Depending on your target endpoint, you might receive addditional details about the request. For example, if you usehttp://httpbin.org/post as your target endpoint, the response should be similar to the following:
< HTTP/1.1 200 OK< Date: Wed, 16 May 2018 21:24:54 GMT< Content-Type: application/xml< Content-Length: 431< Connection: keep-alive< Server: gunicorn/19.8.1< Access-Control-Allow-Origin:*< Access-Control-Allow-Credentials: true< Via: 1.1 vegur{ "args":{}, "data":"<note><to>fred</to><from>nick</from><heading>hello</heading> <body>Just writing to say hello.</body></note>", "files":{}, "form":{}, "headers": { "Accept":"*/*", "Connection":"close", "Content-Length":"106", "Content-Type":"application/xml", "Host":"httpbin.org", "User-Agent":"curl/7.58.0" }, "json":null, "origin":"10.1.1.1, 104.154.179.1", "url":"http://httpbin.org/post"}
3: Well-formed XML/JSON
You can use the Message Validation policy to confirm that a JSON or XML message payload is well-formed (not the same asvalidation). The policy ensures that the structure and content meets accepted standards, including:
- There is a single root element
- There are no illegal characters in the content
- Objects and tags are properly nested
- Beginning and ending tags match
To check for a well-formed XML or JSON payload:
- Add the SOAP Message Validation policy to your proxy endpoint's pre-flow.
- Remove the
<ResourceURL>,<SOAPMessage>, and<Element>elements from the policy definition.Your policy definition should look like the following:
<MessageValidation async="false" continueOnError="false" enabled="true" name="validateXMLRequest"> <DisplayName>My JSON Checker</DisplayName> <Properties/> <Source>request</Source></MessageValidation>
- Send a
POSTrequest to your API proxy, as the following example shows:curl -v -X POST -H 'Content-Type: application/json' http://my-test.apigee.net/v1/xsd-mock -d '{"note": { "to": "Fred Rogers", "from": "Nick Danger", "header": "Greetings from my neighborhood", "body": "Just writing to say hello." }}'Notice that the
Content-typeheader is set toapplication/json.To check anXML file for well-formedness, use XML as the message payload and set
Content-typetoapplication/xml.
You should receive anHTTP 200 response. When you send a message payload that does not contain well-formed XML or JSON, you should receive asteps.messagevalidation.Failed error.
Child element reference
This section describes the child elements of<MessageValidation>.
<DisplayName>
Use in addition to thename attribute to label the policy in the management UI proxy editor with a different, more natural-sounding name.
The<DisplayName> element is common to all policies.
| Default Value | N/A |
| Required? | Optional. If you omit<DisplayName>, the value of the policy'sname attribute is used. |
| Type | String |
| Parent Element | <PolicyElement> |
| Child Elements | None |
The<DisplayName> element uses the following syntax:
Syntax
<PolicyElement><DisplayName>POLICY_DISPLAY_NAME</DisplayName> ...</PolicyElement>
Example
<PolicyElement><DisplayName>My Validation Policy</DisplayName></PolicyElement>
The<DisplayName> element has no attributes or child elements.
<Element>
Specifies the element in the message to validate. This is the first child under the<Body> element in the SOAP request's envelope.
| Default Value | sampleObject |
| Required? | Optional |
| Type | String |
| Parent Element | <MessageValidation> |
| Child Elements | None |
The<Element> element uses the following syntax:
Syntax
... <Element namespace="element_namespace">element_to_validate</Element>...
Example 1
The following example defines a single element to be validated:
...<Element namespace="https://example.com/gateway">getID</Element>...
Example 2
You can specify more than one element to validate by adding multiple<Element> elements:
...<Element namespace="https://example.com/gateway">getID</Element><Element namespace="https://example.com/gateway">getDetails</Element>...
The<Element> element has the following attributes:
| Attribute | Default | Required? | Description |
|---|---|---|---|
namespace | "http://sample.com" | Optional | Defines the namespace of the element to be validated. |
<ResourceURL>
Identifies the XSD schema or WSDL definition to be used to validate the source message.
| Default Value | wsdl://display_name.wsdl |
| Required? | Optional |
| Type | String |
| Parent Element | <MessageValidation> |
| Child Elements | None |
The<ResourceURL> element uses the following syntax:
Syntax
... <ResourceURL>[wsdl|xsd]://validation_WSDL_or_XSD</ResourceURL>...
Examples
For an XML file:
...<ResourceURL>xsd://note-schema.xsd</ResourceURL>...
For a WSDL:
...<ResourceURL>wsdl://example-wsdl.wsdl</ResourceURL>...
The value of<ResourceURL> must point to aresource file in your API proxy. It cannot refer to external resources over HTTP or HTTPS.
If you do not specify a value for<ResourceURL>, the message is checked for well-formed JSON or XML if theContent-type header isapplication/json orapplication/xml, respectively.
The<ResourceURL> element has no child elements or attributes.
Using XSDs for validation
If the XML payload that you validate with the MessageValidation policy referencesanother schema, you must prefix the included XSD file withxsd in theschemaLocation attribute.
The following example schema is comprised of multiple XSDs:
<xs:schemaxmlns:xs="http://www.w3.org/2001/XMLSchema"elementFormDefault="qualified"attributeFormDefault="unqualified"><xs:includeschemaLocation="xsd://note-schema.xsd"/><xs:includeschemaLocation="xsd://letter-schema.xsd"/><xs:includeschemaLocation="xsd://user-schema.xsd"/></xs:schema>
Using WSDLs for validation
A WSDL must define at least one schema. If it does not reference at least one schema, the MessageValidation policy fails.
The maximum import depth for a schema is 10. If you exceed that number of nested imports, the MessageValidation policy fails.
<SOAPMessage>
Defines the SOAP version against which the MessageValidation policy validates.
| Default Value | n/a |
| Required? | Optional |
| Type | n/a |
| Parent Element | <MessageValidation> |
| Child Elements | None |
The<SOAPMessage> element uses the following syntax:
Syntax
... <SOAPMessage version="[ 1.1 | 1.2 | 1.1/1.2 ]"/>...
Example
...<SOAPMessage version="1.1"/>...
The<SOAPMessage> element has the following attributes:
| Attribute | Default | Required? | Description |
|---|---|---|---|
version | None | Optional | The SOAP version that this policy uses to validate SOAP messages. Valid values are:
|
For more information, seeFrom SOAP/1.1 to SOAP Version 1.2 in 9 points.
<Source>
Identifies the source message to be validated. The value of this element is the name of the message that you want to validate.
If you do not set<Source>, this policy defaults tomessage, which refers to the complete request message (in a request flow) or response message (in a response flow), including any payload. You can also explicitly set it torequest orresponse to refer to the request or response.
| Default Value | request |
| Required? | Optional |
| Type | String |
| Parent Element | <MessageValidation> |
| Child Elements | None |
The<Source> element uses the following syntax:
Syntax
... <Source>message_to_validate</Source>...
Example
...<Source>request</Source>...
In addition tomessage,request, andresponse, you can set the value of<Source> to the name of any message in your flow. If you do this, though, you must create a custom message with that name in your flow before this policy executes. Otherwise, you will get an error.
If the value of<Source> cannot be resolved in the message flow or resolves to a non-message type, then one of the following occurs:
- If a null value: Apigee throws a
steps.messagevalidation.SourceMessageNotAvailableerror. - If a non-message type: Apigee throws a
steps.messagevalidation.NonMessageVariableerror.
The<Source> element has no attributes or child elements.
Error codes
This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, seeWhat you need to know about policy errors andHandling faults.
Runtime errors
These errors can occur when the policy executes.
Need help resolving an error? Clickbuildin the Fix column for detailed troubleshooting information.UseAPI Monitoring to investigate fault codes and diagnose issues faster. SeeSet up a policy fault code alert for an example. SeeFault code reference for a complete list of all fault codes that you can handle with API Monitoring.| Fault code | HTTP status | Cause | Fix |
|---|---|---|---|
steps.messagevalidation.SourceMessageNotAvailable | 500 | This error occurs if a variable specified in the
| build |
steps.messagevalidation.NonMessageVariable | 500 | This error occurs if the Message type variables represent entire HTTP requests and responses. The built-in Apigee flow variables | build |
steps.messagevalidation.Failed | 500 | This error occurs if the SOAPMessageValidation policy fails to validate the input message payload against the XSD schema or WSDL definition. It will also occur if there is malformed JSON or XML in the payload message. | build |
Deployment errors
These errors can occur when you deploy a proxy containing this policy.
Need help resolving an error? Clickbuild next to the error's cause description to visit the troubleshooting page.| Error name | Cause | Fix |
|---|---|---|
InvalidResourceType | The<ResourceURL> element in the SOAPMessageValidation policy is set to a resource type not supported by the policy. | build |
ResourceCompileFailed | The resource script referenced in the<ResourceURL> element of the SOAPMessageValidation policy contains an error that prevents it from compiling. | build |
RootElementNameUnspecified | The<Element> element in the SOAPMessageValidation policy does not contain the root element's name. | build |
InvalidRootElementName | The<Element> element in the SOAPMessageValidation policy contains a root element name that does not adhere to XML rules for valid element naming. | build |
Schemas
Each policy type is defined by an XML schema (.xsd). For reference,policy schemas are available on GitHub.
Related topics
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.