Overview
Applies a security or traffic management policy to an API and deploys it to a self-managed Flex Gateway, walking through the full process from identifying the target API to selecting a policy, configuring it, and deploying. Supports multiple starting points depending on what the user already has set up — an API Manager instance, an Exchange asset, or just an API URL.
What you'll build: A fully configured policy enforced on your API instance, deployed to a Flex Gateway
Prerequisites
Before starting, ensure you have:
-
Authentication ready
- Valid Bearer token for Anypoint Platform. If you only have username/password, call
createLogin(POST /accounts/login) from theurn:api:access-managementAPI with body{"username":"...","password":"..."}to obtain a Bearer token first. - API Manager permissions: View APIs Configuration and Manage Policies scopes
- Valid Bearer token for Anypoint Platform. If you only have username/password, call
-
Organization Id
- Call
listMe(GET /accounts/api/me) fromurn:api:access-managementto get your organization ID - Extract
organizationIdfrom$.user.organization.idin the response - This is used to list environments, browse the policy catalog, check Exchange, etc.
- Call
-
One of the following
- An API instance already in API Manager (skip to Step 6)
- An Exchange asset ready to be promoted to API Manager (skip to Step 2)
- An API specification or URL that needs to be published first (start at Step 1)
Step 1: Publish API to Exchange
Publishes your API specification to Exchange as a reusable asset. This makes it available for API Manager to create managed instances from it.
$ curl -X POST ${baseUrl}/assets \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"Captured Variables
groupId
$.groupId
assetId
$.assetId
assetVersion
$.version
What happens next: Your API specification is now available in Exchange. Next, you'll create an API Manager instance from this asset so you can apply policies to it.
Step 2: List Environments
List all environments in the organization so you can confirm or select the one where your API instance lives.
$ curl -X GET ${baseUrl}/organizations/{organizationId}/environments \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"Captured Variables
environmentId
$.data[*].id
What happens next: With the environment selected, you can create an API instance or browse policies.
Step 3: Select Deployment Target
List available gateway targets registered in the environment. You need the target ID and gateway version before creating the API instance, because the deployment configuration is set via a PATCH after creation.
$ curl -X GET ${baseUrl}/apimanager/xapi/v1/organizations/{organizationId}/environments/{environmentId}/gateway-targets \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"Captured Variables
targetId
$.rows[*].id
targetName
$.rows[*].name
gatewayVersion
What happens next: You have a deployment target and its gateway version. Next, create the API instance and then configure its deployment target.
Step 4: Create API Manager Instance
Creates a managed API instance in API Manager from your Exchange asset. This creates the API configuration; deployment to the Flex Gateway happens in Step 5.
Important: For Flex Gateway instances, isCloudHub must be null (not false). Setting it to false causes a validation error.
$ curl -X POST ${baseUrl}/organizations/{organizationId}/environments/{environmentId}/apis \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"Captured Variables
environmentApiId
$.id
What happens next: The API instance exists but is not yet deployed. Next, deploy it to the Flex Gateway target selected in Step 3.
Step 5: Deploy to Flex Gateway
Deploys the API instance to the selected Flex Gateway target. This uses the Proxies API deployment endpoint with flat top-level fields — do not use the nested target object, which requires additional fields that are not needed for self-managed Flex Gateway deployments.
$ curl -X POST ${baseUrl}/organizations/{organizationId}/environments/{environmentId}/apis/{environmentApiId}/deployments \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"Captured Variables
deploymentId
$.id
Request body structure: Use flat top-level fields, not the nested target object:
{
"type": "HY",
"targetId": "<from Step 3>",
"targetName": "<from Step 3>",
"gatewayVersion": "1.0.0",
"environmentId": "<from Step 2>",
"overwrite": false
}
What happens next: The API instance is now deployed to the Flex Gateway. Next, browse the policy catalog to select which policy to apply.
Common issues:
"Field environmentId is required for deployment type HY": TheenvironmentIdmust be in the request body, not just the URL path parameter."Field gatewayVersion is required for deployment type HY": Use the version from thegetGatewayTargetsresponse (Step 3). Using an incorrect version causes policy implementation errors."Policy implementations cannot be set because runtime version is unknown": ThegatewayVersionvalue doesn't match a known Flex Gateway version. Verify the version from the target's actual runtime version in Step 3.- 409 Conflict: The API may already be deployed to this target. List existing deployments with
GET .../deploymentsfirst to check.
Step 6: Browse Exchange Policy Catalog
List all available policy templates from Exchange for your organization. This endpoint returns the full Exchange coordinates (groupId, assetId, assetVersion) and gateway-compatible configuration for each template — these are required when applying a policy.
Important: Use the api-portal-xapi endpoint (getExchangePolicyTemplates) instead of the generic listOrganizationsPolicytemplates endpoint. The generic endpoint does not return Exchange coordinates or gateway-specific configuration property names, which are required for the apply step.
$ curl -X GET ${baseUrl}/apimanager/xapi/v1/organizations/{organizationId}/exchange-policy-templates?apiInstanceId=${environmentApiId}&environmentId=${environmentId}&latest=true&includeConfiguration=true \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"Captured Variables
policyGroupId
$[*].groupId
policyAssetId
$[*].assetId
policyAssetVersion
$[*].version
policyConfiguration
$[*].configuration
What happens next: You have the policy template's Exchange coordinates and its configuration schema with the correct property names for your gateway type. Review the policyConfiguration output to understand what settings the policy accepts before applying it.
Common issues:
- Empty list: Pass
apiInstanceIdandenvironmentIdto get templates compatible with your gateway type. Without these filters, some templates may not appear. - Wrong config property names: Always use the configuration from this endpoint — the generic
listOrganizationsPolicytemplatesendpoint may return different (non-gateway-compatible) property names and defaults.
Step 7: Apply Policy to API Instance
Apply the selected policy to your API instance with the appropriate configuration. Use the Exchange coordinates and configuration property names from Step 6.
$ curl -X POST ${baseUrl}/organizations/{organizationId}/environments/{environmentId}/apis/{environmentApiId}/policies \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"Captured Variables
policyId
$.id
What happens next: Your API is now protected with the selected policy. Since the API instance was configured with deployment information in Step 5, the policy is active and enforcing on the Flex Gateway.
Common issues:
- 400 Bad Request — missing groupId/assetId/assetVersion: The apply endpoint requires full Exchange coordinates, not just a template ID. Make sure you used
getExchangePolicyTemplates(Step 6) to get these values. - 400 Bad Request — invalid configurationData: The configuration property names differ between gateway types. Use the property names from Step 6's
policyConfigurationoutput, not from the generic template endpoint. For example, Flex Gateway usescredentialsOriginHasHttpBasicAuthenticationHeaderwhile the generic template usescredentialsOrigin. - 409 Conflict: A policy of this type may already be applied to the API instance. List existing policies first to check, or add
?allowDuplicated=trueto the request URL to apply a second instance of the same policy type. - 403 Forbidden: You need Manage Policies permission in the target environment.
Completion Checklist
After completing all steps, verify:
- [ ] API instance is bound to the Flex Gateway target (deployment info visible in API Manager)
- [ ] Policy appears in the API instance's policy list
- [ ] Policy status shows as "Active"
- [ ] API requests are being evaluated against the policy rules
- [ ] Policy configuration matches your requirements
What You've Built
Your API is now protected with:
✅ Policy enforcement
- Selected policy is active on your API instance
- All incoming traffic is evaluated against policy rules
✅ Bound to Flex Gateway
- API instance is created with deployment configuration targeting a self-managed Flex Gateway
- The Flex Gateway picks up the configuration automatically
✅ Managed configuration
- Policy settings are version-controlled in API Manager
- Configuration can be updated without redeploying the API
Next Steps
-
Test the policy
- Send test requests to verify the policy is enforcing correctly
- Check that authorized requests pass and unauthorized ones are blocked
-
Add more policies
- Run this skill again to layer additional policies (e.g., rate limiting + OAuth2)
- Policy ordering matters — adjust priority in API Manager if needed
-
Monitor policy activity
- Check API Manager analytics for policy enforcement metrics
- Set up alerts for unusual rejection patterns
Tips and Best Practices
Policy Selection
- Rate Limiting: Use when you need to control traffic volume per client
- OAuth 2.0: Use for token-based authentication and authorization
- IP Allowlist/Blocklist: Use to restrict access by network origin
- Client ID Enforcement: Use to require registered client applications
Policy Ordering
- Authentication policies should be applied first (lowest order number)
- Rate limiting should come after authentication
- Transformation policies should be last
Gateway Compatibility
- Always use
getExchangePolicyTemplateswithapiInstanceIdto get gateway-compatible templates - Configuration property names and defaults vary by gateway type (Flex Gateway vs. Mule Gateway)
- The Exchange template version may differ from the generic template version
Troubleshooting
Policy Not Enforcing
Symptoms: Requests pass through without policy evaluation
Possible causes:
- API instance is not deployed or is in an error state
- Policy configuration has a permissive default that allows all traffic
- Policy is applied but not yet propagated (wait 1-2 minutes)
Solutions:
- Check API instance status in API Manager
- Review policy configuration for overly permissive settings
- Wait for propagation and retry
Policy Blocks All Requests
Symptoms: All requests return 401 or 403, even legitimate ones
Possible causes:
- Policy configuration is too restrictive
- Required credentials are not being sent correctly
- Policy expects headers or parameters in a specific format
Solutions:
- Review the policy configuration schema for required fields
- Check that client applications are sending credentials in the expected format
- Temporarily disable the policy to isolate the issue
400 Error When Applying Policy
Symptoms: "The policy to be created is missing at least one of the following properties related to the policy template: 'groupId', 'assetId', 'assetVersion'."
Possible causes:
- Used the generic
listOrganizationsPolicytemplatesendpoint which does not return Exchange coordinates
Solutions:
- Use
getExchangePolicyTemplatesfromapi-portal-xapiinstead — this returns the full Exchange coordinates needed by the apply endpoint