Apigee provides a range of out-of-the-box policy capabilities that address common API management requirements. However, there are some cases where your API requires custom behavior that is not covered by Apigee's standard policy palette. In these cases, Apigee exposes scripting interfaces to ease the task of implementing custom behaviors in the proxied API message flow. One approach is to attach your own Python script to an API flow, which the API Platform then executes at runtime.

A Python policy contains no actual code. Instead, a Python policy references a Python 'resource' and defines the Step in the API flow where the Python script executes. You can upload your script through the Management UI proxy editor, or you can include it in the /resources/py directory in API proxies that you develop locally.

System calls, such as network I/O, filesystem reads and writes, current user info, process list, and CPU/memory utilization, are not permitted by the security model. Although some such calls may be functional, they are unsupported and liable to be actively disabled at any time. For forward compatibility, you should avoid making such calls in your Python scripts.

For working sample Python scripts, see Samples reference.

Configuring a Python Script policy

Configure the Python Script policy using the following elements.

The name attribute for this policy is restricted to these characters: A-Z0-9._\-$ %. However, the Management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.

Field Name Description
ResourceURL Specifies the name of the Python script stored in the API proxy under /resources/py. Note: the filename must match exactly or an InternalClassification error will be thrown at runtime.
IncludeURL (Optional) You can include zero or more of these elements. Each element should specify a single Python script in the same form as the ResourceURL element. Scripts are evaluated in the order in which they appear in the policy.

Example - Python Script policy

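In the example below, the ResourceURL element specifies the relevant Python script resource.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Script name="Python-1">
    <ResourceURL>py://example_script.py</ResourceURL> <!-- placeholder file name; must match the file under /resources/py -->
</Script>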

Example - Python Script

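This shows what you might include in the Python script itself.

import base64

# Client credentials arrive as form parameters on the incoming request.
username = flow.getVariable("request.formparam.client_id")
password = flow.getVariable("request.formparam.client_secret")

# b64encode returns one unwrapped line; encodestring inserts a newline every
# 76 characters, and [:-1] removes only the last one.
base64string = base64.b64encode('%s:%s' % (username, password))
authorization = "Basic " + base64string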
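
The following is an added example, not part of the original page or Apigee's own code. It contrasts a line-wrapping Base64 encoder with a single-line one when building the Basic credential, and rejects missing or malformed form parameters before encoding. FakeFlow, wrapped_basic, build_basic and the sample values are hypothetical names constructed so the code runs offline in a standard Python interpreter.

```python
import base64

# Wrapping encoder: encodestring on Python 2 / Jython, encodebytes on Python 3.
_wrapping_encode = getattr(base64, "encodebytes", None) or base64.encodestring


class FakeFlow(object):
    """Constructed stand-in for the flow object a policy script receives."""

    def __init__(self, variables):
        self.variables = dict(variables)

    def getVariable(self, name):
        return self.variables.get(name)

    def setVariable(self, name, value):
        self.variables[name] = value


def wrapped_basic(username, password):
    """Encode with the wrapping encoder and drop only the final newline."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + _wrapping_encode(raw)[:-1].decode("ascii")


def build_basic(flow):
    """Return a single-line Basic credential, or None if input is unusable."""
    username = flow.getVariable("request.formparam.client_id")
    password = flow.getVariable("request.formparam.client_secret")
    if not username or not password:
        return None  # a missing parameter would otherwise encode as "None"
    if ":" in username:
        return None  # RFC 7617: the user-id cannot contain a colon
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in username + password):
        return None  # RFC 7617: no control characters in user-id or password
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample input: a 64-character secret makes the encoded value
# longer than 76 characters, which is where the wrapping encoder adds "\n".
sample = FakeFlow({
    "request.formparam.client_id": "demo-client",
    "request.formparam.client_secret": "s" * 64,
})
```

With the sample input, wrapped_basic returns a value containing an embedded newline, while build_basic returns one unbroken line that is safe to place in a header.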


Policy schema

Each policy must conform to a policy schema. All policy constructs such as elements and attributes mentioned above are defined in a schema. To download the schema, click here.
