REST API / API Gateway

API Gateway with Corules Policy Enforcement Middleware

Deploy Corules as middleware in your API gateway (AWS API Gateway, Kong, Azure APIM). Every request to business APIs (create refund, transfer funds, approve PO) is validated against policy before reaching the backend.

Overview

This integration connects your API gateway to the Corules policy enforcement runtime. Your existing gateway workflows call the Corules REST API (or MCP server) to enforce policy constraints before any business action completes.

All policy logic stays in Corules — your REST API / API Gateway configuration only needs to call the endpoint and route based on the ALLOW / BLOCK / ESCALATE response.

Setup steps

  1. Add a Corules Lambda Authorizer (AWS) or Plugin (Kong) to your API gateway

  2. Configure the authorizer to extract actor identity from the Authorization header (JWT)

  3. Map incoming request payload to Corules context schema in the authorizer configuration

  4. The authorizer calls Corules Gate 2; ALLOW passes the request, BLOCK/ESCALATE returns 403/202 with policy reason

  5. Log Corules audit_id as a response header for end-to-end correlation

Code example

The following snippet shows how to call Corules from REST API / API Gateway. Replace YOUR_USE_CASE_ID and YOUR_API_KEY with your tenant credentials.

// AWS Lambda Authorizer calling Corules.
// guardrail (the Corules client) and the deriveUseCase, extractContext,
// extractDecision, generateAllow and generateDeny helpers are not shown on this page.
exports.handler = async (event) => {
  // Strip the scheme prefix; a missing header yields an empty token.
  const token = (event.authorizationToken || '').replace(/^Bearer /, '');
  const body = JSON.parse(event.requestBody || '{}');

  const result = await guardrail.validate({
    useCase: deriveUseCase(event.resource, event.httpMethod),
    actor: token,  // must be a verified JWT: check signature and claims before this call
    context: extractContext(body),
    decision: extractDecision(body),
    correlationId: event.requestContext.requestId,
    idempotencyKey: event.headers?.['X-Idempotency-Key'],
  });

  if (result.outcome === 'ALLOW') {
    return generateAllow(token, { auditId: result.audit_id });
  } else if (result.outcome === 'ESCALATE') {
    return {
      statusCode: 202,
      body: JSON.stringify({
        message: 'Decision escalated for review',
        audit_id: result.audit_id,
      })
    };
  } else {
    // BLOCK: deny with the first violation's explanation, if one was returned.
    return generateDeny(token, result.violations?.[0]?.explanation ?? 'Blocked by policy');
  }
};


Frequently Asked Questions

What is the latency impact of adding Corules to the API gateway?

CEL evaluation is sub-10ms. Network latency to the Corules API depends on deployment topology. For lowest latency, deploy Corules in the same region as your API gateway.
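
The outcome handling in the snippet above, written out as an added example (not Corules code): it builds the IAM policy a Lambda authorizer returns and fails closed when the policy check errors or exceeds a latency budget. The helper names, the 800 ms budget, the context keys and the choice to treat ESCALATE as a deny at the authorizer are assumptions.

```javascript
// Added example: helper names, the 800 ms budget and the context keys are assumptions.
const DECISION_TIMEOUT_MS = 800; // assumed budget; tune to your measured round trip

// Build the IAM policy a Lambda authorizer must return. Anything other than
// an explicit ALLOW becomes Deny, so BLOCK, ESCALATE, errors and malformed
// responses all fail closed.
function toAuthorizerResponse(principalId, methodArn, result) {
  const outcome = result && typeof result.outcome === 'string' ? result.outcome : 'ERROR';
  const allowed = outcome === 'ALLOW';
  const violation = result && Array.isArray(result.violations) ? result.violations[0] : undefined;
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        Effect: allowed ? 'Allow' : 'Deny',
        Resource: methodArn,
      }],
    },
    // Authorizer context values must be strings, numbers or booleans.
    context: {
      outcome,
      auditId: String((result && result.audit_id) || ''),
      reason: allowed ? '' : String((violation && violation.explanation) || 'policy decision unavailable'),
    },
  };
}

// Call the policy check with a deadline; a timeout or thrown error becomes
// an ERROR outcome (and therefore a Deny) instead of letting the request through.
async function decideWithTimeout(validate, request, timeoutMs = DECISION_TIMEOUT_MS) {
  let timer;
  const deadline = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ outcome: 'ERROR', violations: [{ explanation: 'policy check timed out' }] }), timeoutMs);
  });
  try {
    return await Promise.race([validate(request), deadline]);
  } catch (err) {
    return { outcome: 'ERROR', violations: [{ explanation: 'policy check failed' }] };
  } finally {
    clearTimeout(timer);
  }
}
```

API Gateway exposes the returned context values as `$context.authorizer.<key>`, which is where a mapping can pick up the audit id for the correlation header.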

Connect REST API / API Gateway to Corules

Start free — integration templates are available on every plan.
