The following table identifies the attributes that are associated with a policy request that the Sideband API generates.

Attribute Description Type

Identifies the request-processing phase and the HTTP method, such as GET or POST.

The value is formatted as <phase>-<method>. Example values include inbound-GET, inbound-POST, outbound-GET, and outbound-POST.


Additional attributes that do not correspond to a specific entity type in the Trust Framework.

For more information, see the next table.

domain Unused. String
identityProvider Name of the Access Token Validator that evaluates the bearer token in an incoming request. String

Identifies the API service. By default, this value is set to the name of the Sideband API Endpoint.

To override the default value, set the Sideband API Endpoint's service property.

Multiple Sideband API Endpoints can use the same service value.


The following table identifies the additional attributes that are included in attributes.

Attribute Description Type
Gateway Additional gateway-specific information about the request not provided by the following attributes. Object

Parsed access token.

For more information, see the following table.

HttpRequest.ClientCertificate Properties of the client certificate, if one was used. Object
HttpRequest.CorrelationId A unique value that identifies the request and response, if available. String
HttpRequest.IPAddress The client IP address. String
HttpRequest.QueryParameters Request URI query parameters. Object
HttpRequest.RequestBody The request body, if available. Object
HttpRequest.RequestHeaders The HTTP request headers. Object
HttpRequest.RequestURI The request URI. String
HttpRequest.ResourcePath Portion of the request URI path that follows the inbound base path that the Sideband API Endpoint defines. String
HttpRequest.ResponseBody The response body, if available. This attribute is provided only for outbound policy requests. Object
HttpRequest.ResponseHeaders The HTTP response headers, if available. Object
HttpRequest.ResponseStatus The HTTP response status code, if available. Number
TokenOwner The access token subject as a SCIM resource, as obtained by the access token validator. Object

When handling an outbound response, HTTP request data is only available if specifically provided by the API gateway plugin.

The following table identifies the fields that are associated with the HttpRequest.AccessToken attribute, which is populated by the access token validator.


These fields correspond approximately to the fields that are defined by the IETF Token Introspection specification, RFC 7662.

Attribute Description Type
access_token The actual access token from the client request. String
active Indicates whether this access token is currently active, as determined by the access token validator. Boolean
audience Identifies the recipients for whom the access token is intended. Typically, the authorization server sets this field to identify the resource servers that can accept the token. Array
client_id Client ID of the application that was granted the access token. String
expiration Date and time at which the access token expired. DateTime
issued_at Date and time at which the access token was issued. DateTime
issuer Token issuer. Typically, this value is a URI that identifies the authorization server. String
not_before Date and time before which a resource server does not accept an access token. DateTime
scope Identifies the list of scopes granted to this token. Collection
subject Token subject. This value represents a user identifier that the authorization server sets. String
token_owner User identifier that was resolved by the access token validator's token resource lookup method. This value is always a SCIM ID of the form <resource type>/<resource ID>. String
token_type Token type, as set by the authorization server. Typically, this value is bearer. String
user_token Flag that the access token validator sets to indicate the token was originally issued to a subject. If the flag is false, the token contains no subject and was issued directly to a client. Boolean
username Subject's user name. This value represents a user identifier that the authorization server sets. String

The following table identifies the fields that the HttpRequest.ClientCertificate attribute can contain.

Attribute Description Type
algorithm Name of the certificate signature algorithm, such as SHA256withRSA. String
algorithmOID Signature algorithm OID. String
issuer Distinguished name (DN) of the certificate issuer. String
notAfter Expiration date and time of the certificate. DateTime
notBefore Earliest date on which the certificate is considered valid. DateTime
subject DN of the certificate subject. String
subjectRegex Regular expression that must be matched by the subject field of the certificate to ensure that the certificate belongs to the requesting client. String
valid Indicates whether the SSL client certificate is valid. Boolean

The following table identifies the fields that the Gateway attribute can contain.

Attribute Description Type
_BasePath Portion of the HTTP request URI that matches the Sideband API Endpoint's base-path value. String
_TrailingPath Portion of the HTTP request URI that follows the _BasePath. String
base path parameters Parameters in a Sideband API Endpoint's base-path configuration property are included as fields of the Gateway attribute. String
base path parameters The Gateway attribute can contain multiple, arbitrary custom attributes that are defined by the policy-request-attribute of the Sideband API Endpoint configuration. String