Use the include-attributes statement to define an allowed list of attributes to include in the HTTP response body in an inbound request or outbound response. This statement applies to permit decisions produced by custom API Access Management policies.

Screen capture showing the Include Attributes statement, including the statement name, description, code, payload, and the kinds of decisions the statement applies to.




The payload for this statement is a JSON array of attribute names. This statement limits the attributes in the response body returned to the requester by removing attributes that are not listed in the payload.

  • If a listed attribute has ancestors, the response also includes the ancestors.
  • If a single JSONPath expression represents multiple attributes, the response includes all of the represented attributes.
  • If a policy result returns multiple instances of include-attributes statements, the response includes the union of all selected attributes.

Format: [ "attribute-to-include", "attribute-to-include" ]


The following payload lists only ID and amount, so the decision point removes the type attribute from the HTTP response body.

Example payload: [ "ID", "amount" ]

Original body:

{
  "ID": "123456",
  "amount": "999",
  "type": "Savings"
}

Modified body:

{
  "ID": "123456",
  "amount": "999"
}
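
The three selection rules listed earlier (ancestors are kept, one path can match several attributes, and multiple statements are combined as a union) can be reproduced with the following added Python example, which is not the product's own code. The function names, the sample body, and the supported path subset (bare names and dotted paths with `[*]`) are assumptions made for illustration.

```python
import json

_MISSING = object()  # marks "nothing selected under this node"

def _steps(attr):
    # Assumed path subset: a bare name ("ID") or a dotted JSONPath such as
    # "$.owner.name" or "$.cards[*].last4"; filters and slices are not handled.
    path = attr[2:] if attr.startswith("$.") else attr
    return [s for s in path.replace("[*]", ".*").split(".") if s]

def _prune(node, patterns):
    # patterns: the unmatched remainder of every path that reached this node.
    if any(not p for p in patterns):
        return node  # a listed attribute: keep it whole
    if isinstance(node, dict):
        kept = {}
        for key, value in node.items():
            nxt = [p[1:] for p in patterns if p[0] in (key, "*")]
            child = _prune(value, nxt) if nxt else _MISSING
            if child is not _MISSING:
                kept[key] = child  # ancestors survive because a descendant did
        return kept or _MISSING
    if isinstance(node, list):
        nxt = [p[1:] for p in patterns if p[0] == "*"]
        kept = [c for v in node if nxt and (c := _prune(v, nxt)) is not _MISSING]
        return kept or _MISSING
    return _MISSING

def include_attributes(body, statements):
    """Apply one or more include-attributes payloads (union) to a JSON body."""
    if not statements:
        return body  # no statement in the policy result: nothing to filter
    patterns = [s for payload in statements for a in payload if (s := _steps(a))]
    result = _prune(body, patterns)
    return {} if result is _MISSING else result

# Constructed sample body and payloads, not taken from a real deployment.
BODY = {
    "ID": "123456", "amount": "999", "type": "Savings",
    "owner": {"name": "A. Holder", "ssn": "000-00-0000"},
    "cards": [{"last4": "1111", "pan": "4000000000001111"},
              {"last4": "2222", "pan": "4000000000002222"}],
}
STATEMENTS = [["ID", "amount"], ["$.owner.name", "$.cards[*].last4"]]

if __name__ == "__main__":
    print(json.dumps(include_attributes(BODY, STATEMENTS), indent=2))
```

An entry that matches nothing, or an empty entry, selects nothing in this example, so a mistyped payload yields an empty body rather than the full one.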