Use the exclude-attributes statement to define a list of attributes to exclude from the HTTP response body in an inbound request or outbound response. This statement applies to permit decisions produced by custom API Access Management policies.

Tip:

If your protected API is changing over time, consider using the include-attributes statement instead of the exclude-attributes statement. The include-attributes statement is a safer choice that continues to work when you add new attributes to your API.

Screen capture showing the Exclude Attributes statement, including the statement name, description, code, payload, and the kinds of decisions the statement applies to.

Code

exclude-attributes

Payload

The payload for this statement is a JSON array of attribute names. This statement limits the attributes in the response body returned to the requester by removing attributes that are listed in the payload.

  • If an attribute has descendants, they are also removed from the response body.
  • If a single JSONPath expression represents multiple attributes, all of the represented attributes are removed from the response.

Format: [ "attribute-to-exclude", "attribute-to-exclude" ]

Example

The following payload instructs the decision service to remove the amount attribute from the HTTP response body.

Example payload: [ "amount" ]

Original body:

{
  "ID": "123456",
  "amount": "999",
  "type": "Savings"
}

Modified body:

{
  "ID": "123456",
  "type": "Savings"
}
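
The following added example (not product code) models the Tip above: it applies an exclude list and an equivalent include list to the example body, then to a later version of the body that has gained a new attribute. The function names, the "owner" object, and the restriction to top-level attribute names are assumptions made for illustration.

```python
import json

def exclude_attributes(body, excluded):
    """Deny-list model: drop the listed top-level attributes (and anything
    nested under them); every other attribute passes through."""
    return {k: v for k, v in body.items() if k not in excluded}

def include_attributes(body, included):
    """Allow-list model: keep only the listed top-level attributes."""
    return {k: v for k, v in body.items() if k in included}

def unreviewed_attributes(body, excluded, reviewed):
    """Attributes an exclude list would release that nobody has reviewed."""
    return sorted(set(body) - set(excluded) - set(reviewed))

# BODY_V1 is the example body from this page. BODY_V2 is constructed: it
# assumes the API later gains a hypothetical "owner" object.
BODY_V1 = {"ID": "123456", "amount": "999", "type": "Savings"}
BODY_V2 = dict(BODY_V1, owner={"name": "A. Example", "taxId": "000-00-0000"})

EXCLUDED = ["amount"]      # payload from the example on this page
INCLUDED = ["ID", "type"]  # allow-list that gives the same result for BODY_V1
REVIEWED = ["ID", "type"]  # attributes approved for release (assumed)

if __name__ == "__main__":
    for label, body in (("v1", BODY_V1), ("v2", BODY_V2)):
        print(label, "exclude ->", json.dumps(exclude_attributes(body, EXCLUDED)))
        print(label, "include ->", json.dumps(include_attributes(body, INCLUDED)))
        print(label, "unreviewed ->", unreviewed_attributes(body, EXCLUDED, REVIEWED))
```

Running a check like unreviewed_attributes against sample responses when the API changes shows which new attributes an existing exclude list would pass to the requester.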