webMethods.io API Gateway: Securing APIs using Payload Element


This article explains how to secure API’s using Payload Element.


It is assumed that readers of this article know how to setup API’s on API gateway.


  • In this case API is configured at API gateway “payloadIdentifier”

Use Case Description

  • Sending JSON\XML request payload
  • Request will be rejected if value doesn’t match with value configured at API gateway.


Configure Policy at API Gateway

  • Open the API
  • Navigate to Policies
  • Select Identify and Access

  • Select Identify & Authorize Application

  • Select payload element and applications as a Registered application.

  • In this case, input payload is JSON type, therefore expression type is set as jsonPath.

Configure the Payload Identifier at Application

  • Navigate to application
  • Edit the application.
  • Add Payload Identifier.

  • Set the payload Identifier, in this case value is set to 12345

Request Payload

  "Id": 12345,
              "Customer": "John Smith",
              "Quantity": 1,
              "Price": 10.00

Test from Postman Client

  • Trigger the request from postman client with json request.

Positive test Case

  • When in the payload Id value is set as ‘12345’, then request will get to next stage

Negative Test Case

  • When in the payload Id value is not set as ‘12345’, then request will get failed.

Steps for XML Request Payload

  • Similarly, we can test for xml input by setting xpath instead of json path
  • Xml Request Sample
  • In this payload identifier is set up for Login node
<?xml version="1.0" encoding="utf-8"?>

Xpath Configured at API Gateway

  • Navigate to the policies and set the xpath in the same way as done for json request payload


Configure Value at Registered Application

  • Navigate to application
  • Set the value at application level 


Test Using Postman Client


Check also:

webMethods.io API Gateway: Securing APIs using SSL Certificate