# API Policies

API Policies are used to authenticate API callers with API keys or OAuth bearer token, as well as to manage the logging and throttling options for the endpoints.

<figure><img src="/files/MhJRIqbqkbEYT6hKSrWA" alt=""><figcaption><p>API Policy for setting up API key authentication.</p></figcaption></figure>

API Policies allow you to define the targeted API endpoints that the policy applies to. It can also target the endpoints through implicit wildcard if only the beginning of a URL is specified.

### API Authentication

For each API Policy, either one or more authentication methods can be defined, ranging from externally defined OAuth providers to locally defined API keys. In addition, the APIs can be set to be publicly available, requiring no authentication. In Frends, the lack of authentication method setup or API Policy for your API does not mean public access, but rather no access. An API Policy is required to be set up to allow anyone to connect to it.

### Logging policies

Finally, you can add a **logging configuration** to the API policy, to define whether or not API events should be logged for the targeted endpoints in specified Environments, and what details are logged.

<figure><img src="/files/MhQVB0tkFUx5k8NFg8J1" alt=""><figcaption><p>API logging configuration options.</p></figcaption></figure>

Like with authentication, not setting up a logging policy will mean no logging for the APIs. This is to avoid increasing load and storage requirements by default, and only enabling logging will give you access to it.

This only applies for the API connection logging, available in API Monitoring. Linked Processes in your APIs will be logged as per the Environment log settings.

### Combining policies

Combining the freely defined targeted endpoints, public access identity rule and logging options, the policies makes it possible to define purely logging-specific policies in addition to authentication policies. If multiple policies target the same endpoints, it is possible to separate authentication, logging and throttling options into multiple policies, as well as creating global policies that set up the default values for your Environments.

[Check here for a guide on how to create an API Policy](/guides/api-management/setting-up-api-policies.md), and for full details on API Policies, [check out our API Policy reference documentation](/reference/api-management/api-policies.md).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.frends.com/frends-development/api-management/api-policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.