Azure API Management – Liquid Template – Escape XML Characters


Create an API that allows creation of customer in backend ERP.

API should be accessible publicly and secured.


  1. ERP is SAP and is located on a on-premise network.
  2. BizTalk is used as middleware to connect to SAP and is also located on-premise. BizTalk doesn’t have a public endpoint available.
  3. Azure API Management is deployed in Azure cloud without direct connection to on-premise network.


  1. BizTalk to leverage WCF-BasicHttpRelay to Azure Service Bus to be able to have public endpoint.

2. Azure API management to convert the JSON Request to XML message using Liquid Template.

3. Azure API management to send the request to Azure Service Bus.

4. BizTalk receives the request in XML and send the request to SAP.


If the JSON request contains XML reserved characters: & < > ‘ the request is failing in Azure API management.


Add the following to the policy:

<!–Replace Reserved XML characters from Request Body–>

<find-and-replace from=”&amp;” to=”&amp;amp;” />

<find-and-replace from=”&gt;” to=”&amp;gt;” />

<find-and-replace from=”&lt;” to=”&amp;lt;” />

<find-and-replace from=”&apos;” to=”&amp;apos;” />

Azure API Management – How to set basic authentication in SendRequest

Scenario: I have both username and password stored in name value configuration of API management but I need to use it in SendRequest policy.

Source Code:

<set-variable name=“userName” value=“{{username}}” />

<set-variable name=“password” value=“{{password}}” />

<set-variable name=“basicAuthDetails” value=”@{

var username = context.Variables.GetValueOrDefault<string>(“userName”);

var password = context.Variables.GetValueOrDefault<string>(“password”);

return System.Convert.ToBase64String(System.Text.Encoding.GetEncoding(“ISO-8859-1”).GetBytes(username + “:” + password));


<set-variable name=“jsonPayload” value=”@{

JObject transBody = new JObject();

//Add all json Property

transBody.Add(“test”, JToken.FromObject(new[]


 “test data”



<send-request mode=“new” response-variable-name=“var” ignore-error=“false”>


        var url = context.Api.ServiceUrl+ “/{someURL}”;

       return url;



<set-header name=“Authorization” exists-action=“override”>



<set-header name=“Content-Type” exists-action=“override”>



<set-body template=“none”>@(context.Variables.GetValueOrDefault<string>(“jsonPayload”))</set-body>



That is how you can set basic authentication in SendRequest in Azure API Management.

Azure API Management Policy – Asynchronous API as Synchronous API

Below is the link to reference/examples of using Azure API management policy

There’s an example there on how to Mask Asynchronous calls as Synchronous API however for my requirement it’s not enough.

The target API behaves as follow:

  1. All operations are POST and asynchronous.
  2. To get the results of any operation a second API needs to be called and it’s expecting the transaction id.
  3. API expects a payload in command manner (args parameter) instead of proper JSON name/value pair.

Requirement: API should return the results in synchronous manner.


API Callout Policy in API Management.


  1. Create a GET operation and via policy rewrite the operation to POST
  2. Create a JSON transformation logic in the inbound policy and execute the backend API.
  3. Create a JSON transformation logic in outbound policy and add a retry policy to execute the second API  that returns the result passing the transaction id from #2
  4. Return the results from second API.

Policy Code:

<base />
<set-header name="Content-Type" exists-action="override">
<!-- Save authorization data to variable, to be used in outbound status request -->
<set-variable name="authorization" value="@(context.Request.Headers.GetValueOrDefault("Authorization"))" />
Construct the payload
var paramFromRequest = Uri.UnescapeDataString(context.Request.OriginalUrl.Query.GetValueOrDefault("paramFromRequest"));
JObject transBody = new JObject();
     new JObject
         {"someproperty", "fixvalue"},
         {"someproperty2", "fixvalue2"},

//Add all json properties as arg
transBody.Add("args", JToken.FromObject(new[] 
return transBody.ToString();
<trace source="debug">@(context.Request.Body.As<string>(true))</trace>
<!--Remove additional query string -->
<set-query-parameter name="paramFromRequest" exists-action="delete" />
<rewrite-uri template="{{FIRSTBACKENDAPI_URL}}" />
<base />
<base />
<!-- Get the Key from response -->
<set-variable name="jsonPayload" value="@{ 
JObject inBody = context.Response.Body.As<JObject>();
var transactionId= inBody["transactionId"].ToString(); 
string jsonString = "{\"transactionId\":\"_transactionId\" }";
var json = jsonString.Replace("_transactionId", transactionId);
return json;
}" />
<retry condition="@( Convert.ToBoolean(context.Variables.GetValueOrDefault<JObject>("status")["{{PROPERTYNAME IN JSON OBJECT RESPONSE}}"]))" count="10" interval="1">
<!-- Call Status API to get the results-->
<send-request mode="new" response-variable-name="var" ignore-error="false">
var url = context.Api.ServiceUrl+ "{{SECONDBACKENDAPI_URL}}";
return url;
<set-header name="Authorization" exists-action="override">
<set-header name="Content-Type" exists-action="override">
<set-body template="none">@(context.Variables.GetValueOrDefault<string>("jsonPayload"))</set-body>
<set-variable name="results" value="@(((IResponse)context.Variables["var"]).Body.As<JObject>())" />
<set-body template="none">@((context.Variables.GetValueOrDefault<JObject>("results")["{{PROPERTYNAME IN JSON OBJECT THAT CONTAINS THE RESULT}}"].ToString()))</set-body>
<base />