You are designing an API architecture using Azure API Management (APIM).

You have a backend legacy API that returns XML data. You are exposing this API to external mobile developers who require JSON responses. Additionally, to protect the backend from being overwhelmed, you must restrict each developer to a maximum of 100 API calls per minute.

Which TWO APIM policies should you configure? (Select TWO)

Azure API Management uses policies to encapsulate common API behaviors. To satisfy the mobile developers' requirement for JSON, you apply the `xml-to-json` transformation policy on the outbound processing step. To protect the backend from being overwhelmed, you apply the `rate-limit-by-key` policy on the inbound processing step, setting it to 100 calls per 60 seconds, keyed by the developer's subscription ID. Quotas are generally for billing (e.g., per month), while rate limits are for protecting against spikes.