API access control is often categorized in terms of granularity.

Access control granularity type Description


Users or clients have access to all of or none of an application or API.


Users or clients have access to some pages or resources within an application or API.


Users or clients can take specific actions on an application page or an API resource when action-specific conditions are met.

For example, a request to transfer bank funds might be denied if the amount exceeds the average of recent transfers by 20% or more.


For this tutorial, you are the producer of an online game in which players compete with friends to create the funniest meme. When starting a new game, the first player optionally invites other players using their email addresses. To prevent email spam, you must create a policy that blocks a user from starting a new game with other players if the user's email address comes from a generic mail domain.

Game activities are represented using an example Meme Game API.


The above link directs you to the Meme Game API Git project, where you can build and run the API. You can access the API server with specific API paths, such as meme-game.com/api/v1/answers.


This tutorial teaches you how to configure two fine-grained API access control rules by walking you through the following tasks:

  1. Configure a reverse proxy for the Meme Game API.
  2. Test the reverse proxy.
  3. Add a policy for the Meme Game API's Create Game endpoint.
  4. Test the policy from the Policy Editor.
  5. Test the reverse proxy by making an HTTP request.
  6. Modify the rule for the Meme Game API's Create Game endpoint.

The following sections provide the details for completing these tasks.