Policies

Stoma’s power comes from its extensive library of built-in policies. Policies are named, prioritized Hono middleware handlers that you can compose into pipelines to handle every aspect of your API’s behavior.

Policy Categories

Browse policies by category to find the right building blocks for your gateway.

Authentication

Secure your API with industry-standard auth mechanisms.

• JWT & JWKS
• API Key
• OAuth2 Introspection
• RBAC
• HTTP Signatures (RFC 9421)

Traffic Control

Manage and protect your API traffic at scale.

• Rate Limiting
• Caching
• IP & Geo Filtering
• JSON/Regex Threat Protection
• Traffic Shadowing

Resilience

Ensure your API stays healthy even when upstreams fail.

• Circuit Breakers
• Retries
• Timeouts
• Latency Injection

Transformation

Modify requests and responses on the fly.

• CORS
• Request/Response Rewriting
• JSON Validation
• Content Assignment

Observability

Monitor your gateway’s performance and health.

• Structured Logging
• Prometheus Metrics
• Health Checks

Custom Policies

Extend Stoma with your own logic using the Policy SDK.

• Writing Custom Policies
• Policy SDK Reference

---

How Policies Execute

Policies in a pipeline execute based on a numeric priority (lowest number first). This ensures that critical tasks like logging and authentication always happen before downstream transforms or proxying.

Priority	Category	Examples
0	Observability	requestLog
10	Authentication	jwtAuth, apiKeyAuth
20	Rate Limiting	rateLimit
40	Caching	cache
95	Proxy	proxy

Learn more about the Policy System