Parameter mapping and verification rules
Learn how API Gateway maps, verifies, and forwards HTTP request parameters between clients and backend services in pass-through and mapping modes.
1. Overview
API Gateway maps, verifies, and forwards HTTP request parameters between clients and backend services. This topic covers the processing rules for each parameter location and request mode. Function Compute backends follow separate rules described in Use Function Compute as the backend service of an API.
API Gateway supports three request modes:
Pass-through: Forwards all parameters except
Pathto the backend without mapping or verification (section 3).Map (Filter Out Unknown Parameters): Verifies and maps all request parameters based on the API definition. Unknown parameters are filtered out (
section 4).Map (Pass-through Unknown Parameters): Same as Filter Out mode, but unknown parameters are forwarded to the backend instead of being dropped (
section 5).
2. Parameter locations and reading rules
API Gateway reads system parameters, user-configured constant parameters, and parameters from different locations of an HTTP request.
2.1 path parameters
API Gateway extracts parameters from segmented paths in HTTP requests. To use path parameters, configure the API request path in /path/[parameter] format. API Gateway then matches the incoming path against this pattern.
Configured request path | Input data | Extracted data |
/request/to/[path] | /request/to/user1 | path=user1 |
/[path1]/[path2]. | /group1/user1 | path1=group1, path2=user1 |
/[root]/* | /root/user1 | root=root |
/[root] | /root/user1 | No match |
Input data that violates RFC 3986 returns Error code:I400PH: Invalid Request Path. Request URIs exceeding 128 KB return Error code:I413RL: Request Url too Large.
2.2 query parameters
query parameters are extracted from the query string of a request. API Gateway splits key-value pairs by = and &, then applies UTF-8 URL decoding. Both ?a= and ?a are treated as empty strings ("").
Input data | Extracted data |
?a=1&b=2 | a: "1", b: "2" |
?a=1&a=2 | a: ["1", "2"]. If this parameter is of a data type other than |
?a | a: "" |
?a= | a: "" |
?=a&b=1 | b: "1". API Gateway ignores the |
Input data that violates RFC 3986 returns
Error code:I400PH: Invalid Request Path.Request URIs exceeding 128 KB return
Error code:I413RL: Request Url too Large.
2.3 formData parameters
formData parameters are extracted from the request body when Content-Type is application/x-www-form-urlencoded. API Gateway encodes using the charset= value in Content-Type, defaulting to UTF-8. Form splitting follows the same rules as query strings.
If the Content-Type parameter is set to multipart/formdata, API Gateway supports parameters of the FILE type.
2.4 header parameters
header parameters are read from HTTP request headers. For example, X-User: aaa is parsed as X-User=aaa. Special rules:
Leading and trailing spaces in header values are trimmed.
If multiple headers share the same name, they are parsed as an array when the type is
ARRAY. Otherwise, only the first value is used.API Gateway uses
ISO-8859-1encoding to read and forward headers. Invalid characters may cause garbled characters or other unexpected results.
2.5 host parameters
host parameters require a wildcard domain name bound to an API group with a configured template. For example, with template ${user}.api.foo.com, a request to 1234.api.foo.com yields user=1234. Multiple templates are supported; API Gateway uses the first match. Unmatched requests produce no host parameters.
Configured wildcard domain name template | Request host | Extracted data |
| 123.api.io | User: "123" |
| 123.g01.api.io | User: "123" Group: "g01" |
| 123.api.io | User: "123" |
| 123.admin.api.io | Admin: "123" |
| 123.u00.api.io | User: "123"GroupId: "u00" |
| 123.admin.api.io | User: "123"Group: "admin" |
In the last row of the preceding table, ${User}.${Group}.api.io is matched and therefore ${Admin}.admin.api.io is ignored.
3. Pass-through
Pass-through mode supports GET, PUT, POST, DELETE, PATCH, HEAD, and OPTIONS methods.
3.1 Forward client requests to a backend service
In pass-through mode, API Gateway forwards requests to the backend after signature and authorization processing. The following rules apply by parameter location:
Path: If the API request path uses the
/path/to/[user]format, you can map it to a backend path such as/path/backend/[user]. API Gateway extracts the frontend path parameter and maps it to the backend path.QueryString: Passed through unchanged, preserving the original sequence and format.
Header: All headers except system headers and
X-Ca--prefixed headers are passed through. API Gateway usesISO-8859-1to read and forward headers, so invalid characters may cause unexpected results. System and reserved header processing is described insection 6.Body: Forwarded as-is. A custom
Content-Typein the API configuration overrides the client-provided value.
3.2 Forward backend responses to a client
In pass-through mode, API Gateway forwards the HTTP response from the backend service to the client. On failure, API Gateway returns an error code. For more information about error codes, see Error codes. Forwarding rules by parameter type:
StatusCode: Passed through from the backend response.
Header: API Gateway filters or adds
system headersandX-Ca--prefixedreserved headers, then passes all other backend response headers (section 6).Body: Forwarded to the client. If
Content-Typeis empty, defaults toapplication/oct-stream.
You can use an error mapping plug-in to change error codes that are returned to clients. For more information, see Error code mapping plug-in.
4. Map (Filter Out Unknown Parameters)
In this mode, API Gateway verifies and maps request parameters based on API configurations and filters out unknown parameters. To forward undefined parameters instead, use section 5. This mode supports verification and mapping in the query, header, host, path, and formData locations.
4.1 Parameter types
The following table lists the supported parameter types.
Type | Description | Format | Verification methods |
String | Strings | Unlimited | Minimum length, maximum length, enumeration, and regular expression |
Integer | 32-bit integers |
| Minimum value, maximum value, and enumeration |
Long | 64-bit integers |
| Minimum value, maximum value, and enumeration |
Double | Floating-point numbers |
| Minimum value and maximum value |
Boolean | Boolean values |
| |
File | Files | For | Minimum length and maximum length |
Array | Arrays | Refer to array field types. | Verification of array field types |
Parameters of the FLOAT type are processed in the same way as parameters of the DOUBLE type.
4.2 Configuration of parameter verification
Configure parameter verification in the
API Gateway console, throughOpenAPI Explorer, or byimporting a Swagger file.
Item | Description | Field in OpenAPI Explorer | Field in Swagger |
Parameter name | Required. The name must be unique in an API. | ApiParameterName | name |
Parameter location | Required. | Location | location |
Parameter type | Optional. The default type is | ParameterType | type |
Array field type | Optional. This item is required only if the parameter type is | ArrayItemsType | items.type |
Required or not | Optional. The default value is | Required | required |
The default value. | Optional. An empty string that is enclosed in a pair of double quotation marks ( | DefaultValue | default |
Maximum value | Optional. The input value must be | MaxValue | maximum |
Minimum value | Optional. The input value must be | MinValue | minimum |
Maximum length | Optional. This item is valid only if the parameter type is | MaxLength | maxLength |
Minimum length | Optional. This item is valid only if the parameter type is | MinLength | minLength |
Regular expression | Optional. This item is valid only if the parameter type is | RegularExpression | pattern |
Enumeration value | Optional. | EnumValue | enum |
OpenAPI Explorer configuration: Front-end input parameters.
Swagger file import: Import Swagger files to create APIs with API Gateway extensions.
Matching rules for parameter verification:
OpenAPI Explorer and Swagger define parameter types differently. This topic follows the
Swaggerstandard.If you do not set the parameter type, the default type
STRINGis used.If the value is entered in a format other than the supported format, the error
I400IP Invalid Parameteris reported.If a required parameter is missing from the request, API Gateway returns
I400MP Invalid Parameter Requried.Optional parameters can have default values. If a client omits such a parameter, API Gateway passes the default to the backend. An empty string (
"") is not a valid default value.For
queryorformDataparameters specified asaora=(e.g.,?b=1&a), API Gateway treats the value as an empty string (""):If the parameter is required, no error is returned.
If the parameter is optional and a default value is configured for it, API Gateway passes an empty string rather than the default value to the backend service.
If the parameter type is
INTEGER,LONG,FLOAT, orDOUBLEand the input value is an empty string that is enclosed in a pair of double quotation marks (""), the parameter is considered missing.If this parameter is required, API Gateway rejects the request and returns the error
400: <I400MP> Invalid Parameter Requried.If this parameter is optional and has a default value, API Gateway passes the default value to the backend service.
The minimum length must be
greater than or equal tothe required minimum, and the maximum length must beless than or equal tothe required maximum. You can configure either or both. These constraints take effect only when values are greater than0.The maximum length of a regular expression is 40 characters.
STRING and INTEGER parameters support
enumerated valuesseparated by commas, e.g.,john,jack,tom,tony. Out-of-range values returnI400IP: Invalid Parameter.ARRAYparameters are supported only inquery string,body, orheaderlocations. Verification rules apply to each element. The element type defaults to STRING.
4.3 Backend mapping rules
Set the
Backend Parameter LocationandBackend Parameter Nameto configure how API Gateway maps parameters when forwarding to the backend.Parameter types are used for verification only. API Gateway does not change the parameter format when forwarding. For example, a DOUBLE parameter with input
a=1remainsa=1(not converted toa=1.0).ARRAYparameters can map toquery string,body, orheaderlocations. API Gateway expands arrays into multiple parameters or headers, e.g.,a=1,2becomesa=1&a=2.The query string that is passed to a backend service is encoded by using
UTF-8 URL encoding.For requests with formData parameters, API Gateway encodes the body as
application/x-www-form-urlencoded; charset=utf-8ormultipart/formdata; charset=utf-8.Requests with
FILEparameters usemultipart/formdata; charset=utf-8. All others useapplication/x-www-form-urlencoded; charset=utf-8.A custom
Content-Typein the backend definition overrides the default. If the custom value isapplication/x-www-form-urlencoded; charset=???ormultipart/formdata; charset=???, the specified charset is used. Other Content-Type values skip special encoding.
Header parameters are encoded and forwarded using
ISO8859-1.
4.4 Forward backend responses to the client
API Gateway forwards the HTTP response from the backend service to the client. On failure, API Gateway returns an error code. Troubleshoot errors using Exception handling of API Gateway. Forwarding rules by parameter type:
StatusCode: Passed through from the backend response.
Header: API Gateway filters or adds
system headersandX-Ca--prefixedreserved headers, then passes all other backend response headers (section 6).Body: Forwarded to the client. If
Content-Typeis empty, defaults toapplication/oct-stream.
Use an error mapping plug-in to change error codes returned to clients. Plug-ins of the Error Mapping type.
5. Map (Pass-through Unknown Parameters)
The Map (Filter Out Unknown Parameters) mode discards unknown parameters, while Map (Pass-through Unknown Parameters) mode forwards them to the backend. Both modes share the same verification and mapping logic.
6. Processing rules for HTTP headers
In most cases, all X-Ca--prefixed headers are reserved by API Gateway and filtered for special processing. Do not use X-Ca- prefixes for custom headers, as they will be filtered or may cause unexpected behavior.
HeaderName | Processing in request | Processing in response |
Connection | Rebuilt | Rebuilt |
Keep-Alive | Rebuilt | Rebuilt |
Proxy-Authenticate | Rebuilt | Rebuilt |
Proxy-Authorization | Rebuilt | Rebuilt |
Trailer | Rebuilt | Rebuilt |
TE | Rebuilt | Rebuilt |
Transfer-Encoding | Rebuilt | Rebuilt |
Upgrade | Rebuilt | Rebuilt |
Host | Rebuilt | |
Authorization | Verified and mapped or passed through (If the backend service is an HTTP function, this header is overridden by the Authorization field of the HTTP function.) | |
Date | Passed through or affixed a default value | |
Content-Type | Mapped or passed through | Passed through or affixed a default value |
Content-Length | Mapped or passed through | |
Content-MD5 | Verified and passed through | |
Via | Added an API Gateway record | |
X-Forwarded-For | Affixed to the right the IP address of the client | |
X-Forwarded-Proto | Added the client request protocol, such as 'http', 'https', 'ws', or 'wss' | |
User-Agent | Passed through or added an API Gateway UserAgent | |
Server | Passed through or added a default value |
Headers marked as rebuilt are not passed through. API Gateway sets a defined value for them.
In pass-through mode, unlisted headers are forwarded to the backend. In mapping mode, all headers except default HTTP headers are filtered out.
By default, all response headers that are not listed in the table are passed through to clients.