Contact Us 1-800-596-4880

Schema Validation Policy

Policy Name

Schema Validation Policy


Validates incoming traffic against a supplied API schema



First Flex Gateway version available


Returned Status Codes

400 - The request properties do not comply with the API specifications.


The Schema Validation policy only supports REST APIs and currently only supports OpenAPI Specification 3.0 (OAS3) schema validations.
The Schema Validation policy supports a maximum of 64 bits for the number schema data type.

Applications processing REST API requests are susceptible to attacks such as header injection and payload injection. Additional vulnerabilities can lead to the access of sensitive information. The Schema Validation policy protects against such attacks and vulnerabilities by validating traffic against a supplied API specification.

There are many ways to upload REST API specifications, but using Exchange is the easiest way. To upload an API specification to Exchange, see Create an Exchange Asset.

Flex Gateway supports schemas defined in JSON or YAML, contained in a single file.

The Schema Validation policy validates request headers, queries, or path parameters.

Requests only include support for JSON format with content type application/json.

You configure the policy to perform one of the following actions:

  • Block the request, and then return the 400 error status code.

  • Allow the request, log the error, and then return the status code of the request.

You can validate content against:

  • The presence of all required properties.

  • The presence or absence of additional properties.

  • The types of all properties.

    For example, if a schema specifies a property as an integer, the request must include an integer and not another type, such as a string.

  • The format of the properties.

    For example, if the pattern keyword is specified, the policy validates the property as a regular expression.

Configuring Policy Parameters

Flex Gateway Local Mode

In Local Mode, you apply the Schema Validation policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:

- policyRef:
    name: spec-validation-flex
    source: <string> // REQUIRED
    spec: <string> // REQUIRED
    apiBasePath: <string> // OPTIONAL
    blockOperation: <boolean> // REQUIRED
    strictParamsValidation: <boolean> // OPTIONAL
Parameter Required or Optional Default Value Description




Determines if the schema is specified in this YAML resource, or if it’s specified in the API Context from Exchange (Connected Mode only). Supported values: inline or context. You must specify inline when configuring the policy in Local Mode.




The actual inline specification. You must provide this when configuring the policy in Local Mode.




The base path of the API. You must provide this value when configuring the policy in Local Mode.




If true, the policy blocks an invalid spec validation. If false, the policy only logs an error.




Determines whether to validate query parameters not defined in specification.

Resource Configuration Example

- policyRef:
    name: spec-validation-flex
    source: "inline"
    apiBasePath: "/"
    blockOperation: true
    strictParamsValidation: false
    spec: |
        "openapi": "3.0.2",

Flex Gateway Connected Mode

When you apply the Schema Validation policy to your API from the UI, the following parameters are displayed:

Field Description Default Required

Block request

Select to block an incoming request that does not conform to the API specification. Selecting not to block only logs the the request. Choosing to block invalid requests returns a 400 status when the request is invalid.

Block enabled


Strict query parameters validation

Restricts API calls from query parameters not defined in the API Specification



Advanced options

Policy version

Version of the applied policy



Rule of application

Configures the runtimes the policy is applied to. Schema Validation is currently only available for Flex Gateway. Applying the policy to all runtimes only applies the policy to Flex Gateway APIs.

All runtimes