Mandatory conditions for pre/post flow

Hi,

Are there any conditions that are mandatory to use in a pre/post flow? Or do they just depend on how or what you want to do with the proxy? I'd assume that OAuth would be mandatory but then it won't be if you don't want any such security policies.

Regards,

Salman

1 ACCEPTED SOLUTION

There are no mandatory policies.

Let me say it more clearly: There are no policies that Apigee establishes as mandatory. There are customers of Apigee that establish policies as mandatory for their proxies. Apigee is not involved in those decisions. There are multiple ways a customer could enforce or verify that decision. For example they could use flowhooks or they could use static analysis, or some combination to ensure that Proxies deployed to their Apigee environments comply with their requirements.

In particular, OAuth token verification is not required.

Apigee Edge provides a general purpose, intelligent, configurable API proxy. If you want to wrap OAuth token verification around your API, then you can do that. If you prefer to use HMAC (HttpSignature) security around your APIs, then you can do that in lieu of OAuth. If you want to do something else, that's also up to you.

There are some things that Apigee proxies do, in all cases. But we don't consider them to be "policies". For example, every Apigee Edge API proxy collects analytics data for every request. This happens implicitly, and you won't see a "policy" in the API Proxy editor representing this action. Apigee Edge also will perform certificate verification for endpoints, if you've configured SSL.

In summary, there are some things that Apigee Edge does, for every request, but these deal with transport issues, or with analytics, and are not policies.
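
The static-analysis option mentioned in the answer above, as an added example (not part of the original thread and not Apigee tooling): a check that policies an organisation has declared mandatory are attached to the ProxyEndpoint request PreFlow, enabled, and not guarded by a Condition. The `REQUIRED` rule, the sample bundle contents and the function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample bundle contents (not taken from a real proxy).
ENDPOINT_XML = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>Spike-Arrest</Name></Step>
      <Step>
        <Name>Verify-Token</Name>
        <Condition>request.verb != "OPTIONS"</Condition>
      </Step>
    </Request>
  </PreFlow>
</ProxyEndpoint>"""
POLICIES = {  # policy name -> contents of apiproxy/policies/<name>.xml
    "Spike-Arrest": '<SpikeArrest name="Spike-Arrest"><Rate>30ps</Rate></SpikeArrest>',
    "Verify-Token": '<OAuthV2 name="Verify-Token">'
                    "<Operation>VerifyAccessToken</Operation></OAuthV2>",
}
# Hypothetical organisation rule: policy element -> required <Operation>, if any.
REQUIRED = {"OAuthV2": "VerifyAccessToken", "SpikeArrest": None}

def preflow_findings(endpoint_xml, policies, required):
    """Return findings for required policies that do not run unconditionally
    in the ProxyEndpoint request PreFlow."""
    status = {tag: "missing" for tag in required}
    for step in ET.fromstring(endpoint_xml).findall("./PreFlow/Request/Step"):
        name = (step.findtext("Name") or "").strip()
        if name not in policies:
            continue  # step names a policy file that is not in the bundle
        policy = ET.fromstring(policies[name])
        if policy.tag not in required:
            continue
        op = required[policy.tag]
        if op and (policy.findtext("Operation") or "").strip() != op:
            continue  # right policy type, wrong operation
        if policy.get("enabled", "true").lower() == "false":
            verdict = "disabled"
        elif (step.findtext("Condition") or "").strip():
            verdict = "conditional"  # a Condition lets some requests skip the step
        else:
            verdict = "ok"
        if status[policy.tag] != "ok":  # one unconditional attachment is enough
            status[policy.tag] = verdict
    return sorted(f"{t}: {v}" for t, v in status.items() if v != "ok")

if __name__ == "__main__":
    for finding in preflow_findings(ENDPOINT_XML, POLICIES, REQUIRED):
        print(finding)
```

On the constructed sample this reports the token check as conditional, which is the case a reviewer would want surfaced: the policy is present, but some requests bypass it.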

@Dino thanks a lot for the detailed response. Helpful as always. I just wanted to know if there was any standard provided by Apigee for management or development of APIs on its platform. However, your response answers my queries. Thanks again 🙂