Tutorial: Transform and protect your API

  • Article
  • 05/23/2025

APPLIES TO: All API Management tiers

In this tutorial, you learn about configuring policies to protect or transform your API. Policies are a collection of statements that are run sequentially on the request or response of an API that modify the API's behavior.

For example, you might want to set a custom response header. Or, protect your backend API by configuring a rate limit policy, so that the API isn't overused by developers. These examples are a simple introduction to API Management policies. For more policy options, see API Management policies.

Note

By default, API Management configures a global forward-request policy. The forward-request policy is needed for the gateway to complete a request to a backend service.

In this tutorial, you learn how to:

  • Transform an API to set a custom response header
  • Protect an API by adding a rate limit policy (throttling)
  • Test the transformations

Screenshot of API Management policies in the portal.

Prerequisites

Go to your API Management instance

  1. In the Azure portal, search for and select API Management services.

    Select API Management services

  2. On the API Management services page, select your API Management instance.

    Select your API Management instance

Test the original response

To see the original response:

  1. In your API Management service instance, select APIs.
  2. Select Swagger Petstore from your API list.
  3. Select the Test tab, on the top of the screen.
  4. Select the GET Finds pets by status operation, and optionally select a different value of the status Query parameter. Select Send.

The original API response should look similar to the following response:

Screenshot of the original API response in the portal.

Transform an API to add a custom response header

API Management includes several transformation policies that you can use to modify request or response payloads, headers, or status codes. In this example, you set a custom response header in the API response.

Set the transformation policy

This section shows you how to configure a custom response header using the set-header policy. Here you use a form-based policy editor that simplifies the policy configuration.

  1. Select Swagger Petstore > Design > All operations.

  2. In the Outbound processing section, select + Add policy.

    Screenshot of navigating to outbound policy in the portal.

  3. In the Add outbound policy window, select Set headers.

    Screenshot of configuring the Set headers policy in the portal.

  4. To configure the Set headers policy, do the following:

    1. Under Name, enter Custom.
    2. Under Value, select + Add value. Enter "My custom value".
    3. Select Save.

  5. After configuration, a set-header policy element appears in the Outbound processing section.

    Screenshot of the Set headers outbound policies in the portal.

Protect an API by adding rate limit policy (throttling)

This section shows how to add protection to your backend API by configuring rate limits, so that the API isn't overused by developers. This example shows how to configure the rate-limit-by-key policy using the code editor. In this example, the limit is set to three calls per 15 seconds. After 15 seconds, a developer can retry calling the API.

Note

This policy isn't supported in the Consumption tier.

  1. Select Swagger Petstore > Design > All operations.

  2. In the Inbound processing section, select the code editor (</>) icon.

    Screenshot of navigating to inbound policy code editor in the portal.

  3. Position the cursor inside the <inbound> element on a blank line. Then, select Show snippets at the top-right corner of the screen.

    Screenshot of selecting show snippets in inbound policy editor in the portal.

  4. In the right window, under Access restriction policies, select Limit call rate per key.

    The <rate-limit-by-key /> element is added at the cursor.

    Screenshot of inserting limit call rate per key policy in the portal.

  5. Modify your <rate-limit-by-key /> code in the <inbound> element to the following code. Then select Save.

    <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />

Test the transformations

At this point, if you look at the code in the code editor, your policies look like the following code:

<policies>
     <inbound>
         <rate-limit calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
         <base />
     </inbound>
     <outbound>
         <set-header name="Custom" exists-action="override">
             <value>"My custom value"</value>
           </set-header>
         <base />
     </outbound>
     <on-error>
         <base />
     </on-error>
 </policies>

The rest of this section tests policy transformations that you set in this article.

Test the custom response header

  1. Select Swagger Petstore > Test.

  2. Select the GET Finds pets by status operation, and optionally select a different value of the status Query parameter. Select Send.

    As you can see, the custom response header is added:

    Screenshot showing custom response header in the portal.

Test the rate limit (throttling)

  1. Select Swagger Petstore > Test.

  2. Select the GET Finds Pets by Status operation. Select Send several times in a row.

    After sending too many requests in the configured period, you get the 429 Too Many Requests response.

    Screenshot showing Too Many Requests in the response in the portal.

  3. Wait for 15 seconds or more and then select Send again. This time you should get a 200 OK response.

Summary

In this tutorial, you learned how to:

  • Transform an API to set a custom response header
  • Protect an API by adding a rate limit policy (throttling)
  • Test the transformations

Next steps

Advance to the next tutorial:

Monitor your API