---
title: Policies
description: Understand what policies are and how to create them.
documentId: policies
locale: en-US
---

Policies are tools for managing two aspects of the event reception and distribution process:

* **Publisher authorization:** security validations ensure that only authorized publishers can send events to the Events Hub.
* **Event delivery:** automatic retries that the system should perform if the first event delivery attempt fails.

## Policy listing

The **Policies** screen displays all existing policies in order of creation. In the **Order by** field, you can select the desired sorting option:

* **Creation (desc):** default. Lists policies from the most recent to the oldest creation date.

* **Creation (asc):** lists policies from the oldest to the most recent creation date.

* **Name (desc):** lists policies alphabetically, from Z to A.

* **Name (asc):** lists policies alphabetically, from A to Z.

You can also search for policies by name using the **NAME** field.

The **DETAILS** column contains the ![Expand Icon](https://creative-ball-51b3fc85c0.media.strapiapp.com/icon_expand_62b33f1187.png) icon, which displays the settings of the selected policy.

The **ACTIONS** column contains icons for editing and deleting policies.

![Policies Details](https://creative-ball-51b3fc85c0.media.strapiapp.com/policies_details_e03647c112.png)

## Security options

Interceptors are used for publisher authorization. Five types are available:

* **Access Token Validation**
* **Client ID Validation**
* **OAuth Validation**
* **JWT Validation**
* **IP Filtering Validation**

Authorization endpoints are defined by [context](/docs/events-hub/contexts) on the [Authorizations](/docs/events-hub/authorizations) screen. It has two sections:

* **OAUTH:** For the *OAuth Validation*, *Client ID Validation*, and *Access Token Validation* interceptors.
* **JWT:** For the *JWT Validation* interceptor.

<Callout type="IMPORTANT" title="IMPORTANT">
Using security interceptors is optional. However, if you add policies to your handler, you must configure the authorization URL linked to the interceptor.
Except for "IP Filtering Validation," all depend on this configuration to function.
If you plan to use the *Sensedia API Platform* for this, see how to [obtain the authorization URL](/docs/events-hub/authorizations#obtaining-the- authorization-url-using-the-sensedia-api-platform).
 </Callout>

## Automatic delivery retries

When the first attempt to deliver an event to a subscriber fails, the Events Hub can retry delivery based on the registered settings. These settings include:

* Number of attempts (up to 10 times).
* HTTP status codes that trigger a retry.
* Request timeout.

The Events Hub retries delivery until it succeeds or reaches the maximum number of automatic attempts defined in the settings. To increase delivery chances, the system uses the exponential backoff algorithm, which increases the wait time between retries to avoid network congestion.

If all automatic attempts fail, you can manually retry delivery through the [Delivery Retry](/docs/events-hub/delivery-retry) screen.

## Creating a policy

To create a new policy:

<Steps>
  <Step>
   Click the **[+]** button.
  </Step>
  <Step>
   Fill in **Name** and **Description** (optional).
The name must be unique. You cannot create two policies with the same name.
  </Step>
  <Step>
   If desired, configure security and delivery options for the policy. See below:
  </Step>
</Steps>

### Security

The **HANDLER PUBLISHER SECURITY FLOW** section includes the security interceptors that can be added to the flow.

<Callout type="TIP" title="TIP">
See how to use the *Sensedia API Platform* to provide [publisher authorization](/docs/events-hub/authorizations#obtaining-the- authorization-url-using-the-sensedia-api-platform).
 </Callout>

Click the ![Add Icon](https://creative-ball-51b3fc85c0.media.strapiapp.com/icon_add_869e47d193.png) icon next to the interceptor you want to apply. You can add more than one interceptor.

Available interceptors are listed below:

<Tabs defaultTab="client">
  <TabList label="client">
    <Tab tabId="client">Client ID Validation</Tab>
    <Tab tabId="token">Access Token Validation</Tab>
    <Tab tabId="oauth">OAuth Validation</Tab>
    <Tab tabId="jwt">JWT Validation</Tab>
    <Tab tabId="ip">IP Filtering Validation</Tab>
  </TabList>
  <TabPanel tabId="client">
   #### Client ID Validation
   Validates a client ID passed in the request. When selected, you must specify:

   - **Location:** Where the client ID will be passed, such as any (all options selected), cookie, header, or query param.

  - **Name:** The name under which the client ID value will be passed.

    ![Client ID and Token Validation](https://creative-ball-51b3fc85c0.media.strapiapp.com/policies_clientid_token_jwt_edbc889e67.png)   
  </TabPanel>
  <TabPanel tabId="token">
   #### Access Token Validation
   Validates an access token passed in the request. When selected, you must specify:
    
   - **Location:** Where the access token will be passed, such as any (all options selected), cookie, header, or query param.
    
   - **Name:** The name under which the access token value will be passed.

  </TabPanel>
  <TabPanel tabId="oauth">
   #### OAuth Validation
   Validates `client_id` and `access_token` passed in the request headers.

  The URL providing validation must be included on the [Authorizations](/docs/events-hub/authorizations) page, and no fields need to be registered.  
  ![OAuth Validation](https://creative-ball-51b3fc85c0.media.strapiapp.com/policies_oauth_3b226298dd.png)
  </TabPanel>
  <TabPanel tabId="jwt">
  #### JWT Validation
  Validates the JWT token (sent in the Bearer format) passed in the request.
  The URL providing validation must be included on the [Authorizations](/docs/events-hub/authorizations) page.
  When selected, you must specify:

  - **Location:** Where the token will be passed, such as header, default JWT header, or query param.

  - **Name:** The name under which the token value will be passed.
        
  </TabPanel>
  <TabPanel tabId="ip">
  #### IP Filtering Validation
  A list of IPs that can or cannot send requests.

  - In the **List Type** field, choose between:

     - Block List: A list of IPs whose requests will be blocked.

     - Allow List: A list of IPs allowed to send requests.

 - **IP List:** Add IPs separated by commas.

 ![IP Filtering Validation](https://creative-ball-51b3fc85c0.media.strapiapp.com/policies_ip_filtering_0c829bf766.png)

  </TabPanel>  
</Tabs>

Selected interceptors are displayed in the **Execution Flow** section. You can:

- Edit them by clicking the pencil icon.
- Disable them by clicking the minus icon.
- Reorder them by dragging the interceptor to the desired position.

Validations occur in the order they appear on the screen. If any validation fails, the request is interrupted.

![Execution Flow](https://creative-ball-51b3fc85c0.media.strapiapp.com/policies_flow_0794eb94ed.png)

### Delivery settings

The **Delivery Settings** section defines the maximum number of automatic retry attempts and the status codes that trigger these attempts.

Configure the fields:

- **Automatic Retry Quantity:** the number of automatic attempts if the first delivery fails. Up to 10 attempts are allowed.

- **Requisition Timeout:** the maximum wait time for the subscriber URL's response during each delivery attempt. Up to 30 seconds.

- **Status Code For Automatic Retry:** HTTP status codes that should trigger an automatic retry.

  - Separate multiple codes with commas.

  - Use "xx" to register a family of codes, e.g., `4xx, 5xx`.

  - Codes in the `200` family are not accepted because `2xx` responses indicate successful delivery and do not require retries.

![Retry Settings](https://creative-ball-51b3fc85c0.media.strapiapp.com/policies_retry_settings_62e3b5afff.png)

### Recommended status codes

The **Status Code for Automatic Retry** field allows codes from the `400` and `500` families.
However, not all are suitable for retries.
Below are recommended and non-recommended codes:

**Recommended**


| Status Code | Description               | Retry Makes Sense?  | Reason                                     |
|-------------|---------------------------|---------------------|--------------------------------------------|
| **408**     | Request Timeout           | Yes                 | The server did not respond in time.        |
| **429**     | Too Many Requests         | Yes                 | The user sent too many requests.           |
| **500**     | Internal Server Error     | Yes                 | Temporary server failure.                  |
| **502**     | Bad Gateway               | Yes                 | Invalid response from an upstream server.  |
| **503**     | Service Unavailable       | Yes                 | Server unavailable due to maintenance.     |
| **504**     | Gateway Timeout           | Yes                 | Intermediate server did not respond.       |

**Not Recommended**


| Status Code | Description               | Retry Makes Sense?  | Reason                                     |
|-------------|---------------------------|---------------------|--------------------------------------------|
| **400**     | Bad Request               | No                  | Malformed request.                         |
| **401**     | Unauthorized              | No                  | Authentication required or failed.         |
| **403**     | Forbidden                 | No                  | Client lacks permission to perform action. |
| **404**     | Not Found                 | No                  | Requested resource not found.              |