The SOAPMessageValidation policy does the following:
Validates any XML message against their XSD schemas
Validates SOAP messages against a WSDL definition
Determines well-formedness of JSON and XML messages
While the name of this policy in the UI isSOAPMessageValidation, the policy validates more
than just SOAP messages. This section refers to the policy as theMessageValidation policy.
Message validation provides the following benefits:
Immediately informsapp developers that are consuming your API if their
requests are non-conformant or incomplete.
Pinpoints issuesin requests, such as XML tags that are not properly
closed.
Protects backend servicesby blocking XML or SOAP messages with structures
that might cause unpredictable behavior.
Reduces timespent troubleshooting, searching forums, or consulting with
tech support.
Encourages developersto familiarize themselves with the XML schema WSDL
definition to eliminate validation errors, making well-understood XML schemas a key component
of your API documentation.
This policy is aStandard policyand can be deployed to any environment type. For
information on policy types and availability with each environment type, seePolicy types.
Videos
Watch the following videos to learn more about the MessageValidation policy:
This element has the following attributes that are common to all policies:
Attribute
Default
Required?
Description
name
N/A
Required
The internal name of the policy. The value of thenameattribute can
contain letters, numbers, spaces, hyphens, underscores, and periods. This value cannot
exceed 255 characters.
Optionally, use the<DisplayName>element to label the policy in
the management UI proxy editor with a different, natural-language name.
continueOnError
false
Optional
Set tofalseto return an error when a policy fails. This is expected behavior for
most policies. Set totrueto have flow execution continue even after a policy
fails. See also:
Send aPOSTrequest to your API proxy with your XML as the message
payload, as the following example shows:
curl -v -X POST -H 'Content-Type: application/xml' http://my-test.apigee.net/v1/xsd-mock
-d '<note>
<to>Fred Rogers</to>
<from>Nick Danger</from>
<heading>Greetings from my neighborhood</heading>
<body>Just writing to say hello.</body>
</note>'
Notice that theContent-typeheader is set toapplication/xml.
You can also create a data file for the payload and reference it with a command
similar to the following:
You should receive anHTTP 200response. Depending on your target endpoint,
you might receive addditional details about the request. For example, if you usehttp://httpbin.org/postas your target endpoint and specify-v(verbose) output, the response should be similar to the following:
To verify that your XSD validation is working, try inserting another tag into the body of
your request. For example:
curl -v -X POST -H 'Content-Type: application/xml' http://my-test.apigee.net/v1/xsd-mock
-d '<note>
<to>Fred Rogers</to>
<from>Nick Danger</from>
<heading>Greetings from my neighborhood</heading>
<body>Just writing to say hello.</body><badTag>Not good</badTag></note>'
You should receive a validation error.
2: SOAP Validation
You can use the Message Validation policy to validate a SOAP message request's payload
against a WSDL.
Create a new WSDLresource file.
For example, "example-wsdl.wsdl":
You should receive anHTTP 200response. Depending on your target endpoint,
you might receive addditional details about the request. For example, if you usehttp://httpbin.org/postas your target endpoint, the response should be similar
to the following:
You can use the Message Validation policy to confirm that a JSON or XML message payload
is well-formed (not the same asvalidation). The policy ensures that the structure
and content meets accepted standards, including:
There is a single root element
There are no illegal characters in the content
Objects and tags are properly nested
Beginning and ending tags match
To check for a well-formed XML or JSON payload:
Add the SOAP Message Validation policy to your proxy endpoint's pre-flow.
Send aPOSTrequest to your API proxy, as the following example shows:
curl -v -X POST -H 'Content-Type: application/json' http://my-test.apigee.net/v1/xsd-mock
-d '{
"note": {
"to": "Fred Rogers",
"from": "Nick Danger",
"header": "Greetings from my neighborhood",
"body": "Just writing to say hello."
}
}'
Notice that theContent-typeheader is set toapplication/json.
To check anXML filefor well-formedness, use XML as the message payload and
setContent-typetoapplication/xml.
You should receive anHTTP 200response. When you send a message payload
that does not contain well-formed XML or JSON, you should receive asteps.messagevalidation.Failederror.
The value of<ResourceURL>must point to aresource
filein your API proxy. It cannot refer to external resources over HTTP or HTTPS.
If you do not specify a value for<ResourceURL>, the message is checked for well-formed JSON
or XML if theContent-typeheader isapplication/jsonorapplication/xml,
respectively.
The<ResourceURL>element has no child elements or attributes.
Using XSDs for validation
If the XML payload that you validate with the MessageValidation policy referencesanotherschema, you must prefix the included XSD file withxsdin theschemaLocationattribute.
The following example schema is comprised of multiple XSDs:
Identifies the source message to be validated. The value of this element is the name of the
message that you want to validate.
If you do not set<Source>, this policy defaults tomessage, which refers to the complete
request message (in a request flow) or response message (in a response flow), including any
payload. You can also explicitly set it torequestorresponseto refer to the request or
response.
In addition tomessage,request, andresponse, you can set the value of<Source>to the name of any message in your flow. If you do this, though, you must create a
custom message with that name in your flow before this policy executes. Otherwise, you will get
an error.
If the value of<Source>cannot be resolved in the message flow or resolves to a non-message
type, then one of the following occurs:
If a null value:Apigee throws asteps.messagevalidation.SourceMessageNotAvailableerror.
If a non-message type:Apigee throws asteps.messagevalidation.NonMessageVariableerror.
The<Source>element has no attributes or child elements.
Error codes
This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error.
This information is important to know if you are developing fault rules to
handle faults. To learn more, seeWhat you need to know
about policy errorsandHandling
faults.
Runtime errors
These errors can occur when the policy executes.
Fault code
HTTP status
Cause
Fix
steps.messagevalidation.SourceMessageNotAvailable
500
This error occurs if a variable specified in the<Source>element
of the policy is either:
out of scope (not available in the specific flow where the policy is being executed)
This error occurs if the<Source>element in the SOAPMessageValidation
policy is set to a variable which is not of typemessage.
Message type variables represent entire HTTP requests and responses. The built-in Apigee
flow variablesrequest,response, andmessageare of type message. To learn more
about message variables, see theVariables reference.
This error occurs if the SOAPMessageValidation policy fails to validate the input message
payload against the XSD schema or WSDL definition. It will also occur if there is malformed
JSON or XML in the payload message.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-12-17 UTC."],[],[]]
