Plugins
The API Gateway supports a plugin system through Kong's plugin architecture. Plugins can be enabled globally, per-service, or per-route. The GatewayManagementService provides endpoints to enable, disable, and configure plugins dynamically at runtime.
Plugin Configuration
PluginConfig Properties
| Property | Type | Default | Description |
|---|---|---|---|
| id | String | auto-generated | Plugin instance ID |
| pluginName | String | required | Kong plugin name |
| serviceName | String | null | Scope to a specific service |
| routeName | String | null | Scope to a specific route |
| enabled | boolean | true | Whether the plugin is active |
| config | Map | null | Plugin-specific configuration |
Plugin Scoping
Plugins can be applied at three levels:
| Scope | Behavior |
|---|---|
| Global | Applies to all routes and services (neither serviceName nor routeName set) |
| Service | Applies to all routes of a specific service (serviceName set) |
| Route | Applies to a specific route only (routeName set) |
Enable a Plugin
Endpoint: POST /api/v1/gateway/plugins
Global Plugin
curl -X POST http://localhost:8080/api/v1/gateway/plugins \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${TOKEN}" \
  -d '{
    "pluginName": "cors",
    "enabled": true,
    "config": {
      "origins": ["*"],
      "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
      "headers": ["Authorization", "Content-Type", "X-Tenant-ID"],
      "max_age": 3600
    }
  }'
Service-Scoped Plugin
curl -X POST http://localhost:8080/api/v1/gateway/plugins \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${TOKEN}" \
  -d '{
    "pluginName": "request-size-limiting",
    "serviceName": "ai-service",
    "enabled": true,
    "config": {
      "allowed_payload_size": 10,
      "size_unit": "megabytes"
    }
  }'
Route-Scoped Plugin
curl -X POST http://localhost:8080/api/v1/gateway/plugins \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${TOKEN}" \
  -d '{
    "pluginName": "response-transformer",
    "routeName": "bi-service-route",
    "enabled": true,
    "config": {
      "add": {
        "headers": ["X-Cache-Status:MISS"]
      }
    }
  }'
Update Plugin Configuration
Endpoint: PATCH /api/v1/gateway/plugins/:pluginId
curl -X PATCH http://localhost:8080/api/v1/gateway/plugins/abc-123 \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${TOKEN}" \
  -d '{
    "origins": ["https://app.matih.ai", "https://admin.matih.ai"],
    "max_age": 7200
  }'
Disable a Plugin
Endpoint: DELETE /api/v1/gateway/plugins/:pluginId
curl -X DELETE http://localhost:8080/api/v1/gateway/plugins/abc-123 \
  -H "Authorization: Bearer ${TOKEN}"
Common Plugins
| Plugin | Purpose | Typical Scope |
|---|---|---|
| cors | Cross-origin resource sharing | Global |
| advanced-rate-limiter | Per-tenant rate limiting | Global / Service |
| jwt | JWT token validation | Global |
| request-size-limiting | Limit request payload size | Service |
| response-transformer | Modify response headers/body | Route |
| request-transformer | Modify request headers/body | Route |
| traffic-mirror | Mirror traffic to shadow service | Route |
| ip-restriction | Allow/deny by IP address | Service / Route |
| bot-detection | Detect and block bots | Global |
| correlation-id | Add correlation ID headers | Global |
| prometheus | Export Prometheus metrics | Global |
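The scoping rules and the typical scopes in the table above can be checked before a payload is sent to POST /api/v1/gateway/plugins; the check below also flags a cors plugin whose origins list contains "*", since that lets script from any site read responses on every route the plugin covers. This is an added example, not part of the gateway's own code. The names `resolve_scope` and `review_plugin` and the sample payloads are hypothetical, and reporting a payload with both serviceName and routeName as route-scoped is an assumption.

```python
# Typical scopes, copied from the Common Plugins table on this page.
TYPICAL_SCOPE = {
    "cors": {"global"}, "jwt": {"global"}, "bot-detection": {"global"},
    "correlation-id": {"global"}, "prometheus": {"global"},
    "advanced-rate-limiter": {"global", "service"},
    "request-size-limiting": {"service"},
    "ip-restriction": {"service", "route"},
    "response-transformer": {"route"}, "request-transformer": {"route"},
    "traffic-mirror": {"route"},
}


def resolve_scope(plugin):
    """Scope per the Plugin Scoping table. A payload with both names set is
    reported as route scope; the page does not define that case (assumption)."""
    if plugin.get("routeName"):
        return "route"
    if plugin.get("serviceName"):
        return "service"
    return "global"


def review_plugin(plugin):
    """Return (scope, findings) for one PluginConfig payload (hypothetical helper)."""
    scope = resolve_scope(plugin)
    name = plugin.get("pluginName")
    if not name:
        return scope, ["pluginName is required"]
    findings = []
    typical = TYPICAL_SCOPE.get(name)
    if typical and scope not in typical:
        findings.append(f"{name}: {scope} scope is outside its typical scope")
    origins = (plugin.get("config") or {}).get("origins") or []
    # "enabled" defaults to true, so a missing key still counts as active.
    if name == "cors" and plugin.get("enabled", True) and "*" in origins:
        findings.append(f"cors: wildcard origin at {scope} scope")
    return scope, findings


# Constructed payloads modelled on the requests shown on this page.
WILDCARD_CORS = {"pluginName": "cors", "enabled": True,
                 "config": {"origins": ["*"], "max_age": 3600}}
PINNED_CORS = {"pluginName": "cors", "enabled": True,
               "config": {"origins": ["https://app.matih.ai",
                                      "https://admin.matih.ai"], "max_age": 7200}}
ROUTE_JWT = {"pluginName": "jwt", "routeName": "bi-service-route"}

if __name__ == "__main__":
    for payload in (WILDCARD_CORS, PINNED_CORS, ROUTE_JWT):
        print(payload["pluginName"], *review_plugin(payload))
```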
Plugin Execution Order
Kong plugins execute in a defined order based on plugin priority. The execution order for common plugins is:
1. correlation-id (add request tracking)
2. ip-restriction (block disallowed IPs)
3. bot-detection (block bots)
4. jwt (authenticate)
5. advanced-rate-limiter (enforce rate limits)
6. request-transformer (modify request)
7. request-size-limiting (validate payload)
8. Proxy to upstream
9. response-transformer (modify response)
10. prometheus (record metrics)
Plugin configuration is stored in Kong's internal database. The gateway management API acts as a wrapper around the Kong Admin API for programmatic control. All plugin changes take effect within seconds without requiring a gateway restart.