Creating an Authorization Policy

Last updated on April 09, 2026.

An Authorization Policy is a reusable security rule you can attach to one or more Custom API Endpoints. Each policy evaluates incoming requests against your custom logic and grants or denies access before your endpoint code runs. To create a policy:

  1. Navigate to API from the main menu.
  2. Select Authorization Policies.
  3. Select CREATE AUTHORIZATION POLICY.
  4. Fill out the Details tab (explained below).
  5. Switch to the Body tab and write your policy logic.
  6. Select CREATE POLICY to save.

Details

The Details tab controls the policy's identity and how it responds when access is denied. The File Path determines the system Name field, which is what you will see when assigning this policy to Custom API Endpoints.

| Input Label | Type | Required | Description |
| --- | --- | --- | --- |
| Policy Name | Text | Yes | A descriptive display name for the policy. Used to identify it in the list view and when assigning to endpoints. |
| Flash Alert | Text | No | The message shown to users when this policy blocks their request. |
| File Path | Text with folder picker | Yes | The file location for the policy. Use the folder picker to select the correct module path. |
| Name | Text (read-only) | No | The system identifier for the policy, derived automatically from the File Path. This is the name you will see when assigning the policy to Custom API Endpoints. |
| HTTP Status | Number | No | The HTTP status code returned when the policy blocks a request. For example, use 403 for Forbidden. |
| Redirect To | Text | No | A URL to redirect users to when access is denied. Your Instance URL is shown as a prefix for reference. |

Note

The Name field is generated from the File Path and cannot be edited directly. This is the identifier you will see when assigning the policy to Custom API Endpoints.

Body

The Body tab contains the Liquid logic that determines whether a request is allowed. When the expression evaluates to true, access is granted and the request proceeds to the endpoint. When it evaluates to anything else, access is denied and the policy response (Flash Alert, HTTP Status, or Redirect To) is applied.

| Input Label | Type | Required | Description |
| --- | --- | --- | --- |
| Content | Code editor | Yes | The Liquid logic that defines the policy condition. Return true to grant access, or any other value to deny it. |
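
A deny-by-default policy body, added here as an illustration and not taken from the Insites documentation. It assumes the policy can read a `context.current_user` object with an `id` and a `roles` array, and uses a made-up role name `api_admin`; these names are assumptions, so replace them with the request data your instance actually exposes.

```liquid
{%- comment -%}
  Added example, not Insites' own code.
  Deny by default: the body outputs "true" only when every check passes.
  Any other output (here "false") denies the request, and the policy's
  Flash Alert, HTTP Status, or Redirect To response is applied.
  ASSUMPTION: `context.current_user`, `roles` and "api_admin" are
  hypothetical names, not documented on this page.
{%- endcomment -%}

{%- comment -%} Start from "denied" so a missing value can never grant access. {%- endcomment -%}
{%- assign allowed = false -%}
{%- assign user = context.current_user -%}

{%- comment -%} Check 1: the request comes from an identified user. {%- endcomment -%}
{%- if user and user.id -%}
  {%- comment -%} Check 2: that user holds the required role. A nil `roles` fails `contains`. {%- endcomment -%}
  {%- if user.roles contains "api_admin" -%}
    {%- assign allowed = true -%}
  {%- endif -%}
{%- endif -%}

{%- comment -%} Whitespace control keeps the rendered output to the bare value. {%- endcomment -%}
{{- allowed -}}
```

Pair a body like this with an HTTP Status of 403 in the Details tab so that blocked API requests receive an explicit Forbidden response.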