GraphQL Schema Validation Policy

Policy Name

GraphQL Schema Validation

Summary

Validates incoming GraphQL operations against a GraphQL schema definition

Category

Security

First Omni Gateway version available

v1.13.0

Returned status codes

400 - The operation doesn’t satisfy the schema. When Block request is enabled, the JSON response includes GraphQL-style errors with a validation message.

Summary

The GraphQL Schema Validation policy applies standard GraphQL validation rules, including field and argument correctness, fragments, directives, unions, interfaces, and other specification rules.

The policy loads the schema in these ways:

If source is context, Flex Gateway automatically loads the schema file from the API asset in Anypoint Exchange.
If source is inline, provide the schema text directly in the policy configuration. This is required for local mode or environments not connected to Exchange.

If the document includes an @link to the Apollo Federation specification URL, Omni Gateway uses this schema to validate all incoming requests.

After Omni Gateway extracts inline GraphQL operation text from the request, the policy runs validation. If Omni Gateway can’t resolve normal operation text, such as persisted query flows, it skips these checks and logs a warning before it forwards the request to the upstream.

Configuring Policy Parameters

Omni Gateway Local Mode

When you apply the policy via declarative configuration files, Refer to the following policy definition and table of parameters:

- policyRef:
    name: graphql-schema-validation-flex
  config:
    source: <string> // OPTIONAL, default: context; values: "context" or "inline"
    schema: <string> // REQUIRED when source is inline; omit when source is context
    blockOperation: <boolean> // OPTIONAL, default: true

Parameter Required Default Value Description

Parameter	Required	Default Value	Description
`source`	No	`context`	Where Omni Gateway retrieves the schema for validation. If set to `context`, Omni Gateway automatically loads the schema file from the API asset in Anypoint Exchange. If set to `inline`, provide the schema text directly in the policy configuration. This is required for local mode or environments not connected to Exchange.
`schema`	No	NA	The schema text used for validation. Required when `source` is set to `inline`.
`blockOperation`	No	`true`	How Omni Gateway handles requests that fail validation. If `true`, Omni Gateway blocks the request and returns a `400` Bad Request. If `false`, Omni Gateway logs a warning and forwards the request to your backend.

source

context

Where Omni Gateway retrieves the schema for validation. If set to context, Omni Gateway automatically loads the schema file from the API asset in Anypoint Exchange. If set to inline, provide the schema text directly in the policy configuration. This is required for local mode or environments not connected to Exchange.

schema

The schema text used for validation. Required when source is set to inline.

blockOperation

true

How Omni Gateway handles requests that fail validation. If true, Omni Gateway blocks the request and returns a 400 Bad Request. If false, Omni Gateway logs a warning and forwards the request to your backend.

Resource Configuration Example

This example validates against a minimal inline schema:

- policyRef:
    name: graphql-schema-validation-flex
  config:
    source: inline
    blockOperation: true
    schema: |
      type Query {
        hello: String
      }

Managed Omni Gateway and Omni Gateway Connected Mode

When you apply the policy from the UI, the following parameters are displayed:

Field Description Default Value Required

Field	Description	Default Value	Required
Block request	If enabled and the operation doesn’t conform to the schema, Omni Gateway returns a `400` error. If disabled, Omni Gateway logs a warning and forwards the request.	Enabled	Yes

Block request

If enabled and the operation doesn’t conform to the schema, Omni Gateway returns a 400 error. If disabled, Omni Gateway logs a warning and forwards the request.

Enabled

Yes