For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
Configuration schema explorer
Explore the agentgateway standalone configuration schema interactively, including nested fields and validation details.
Generated from the agentgateway JSON schema.
- config
- enableIpv6boolean
- dns
- lookupFamilystring
- edns0boolean
- localXdsPathstring
- caAddressstring
- caAuthTokenstring
- xdsAddressstring
- xdsAuthTokenstring
- namespacestring
- gatewaystring
- trustDomainstring
- additionalTrustDomainsstring
- skipValidateTrustDomainboolean
- serviceAccountstring
- clusterIdstring
- networkstring
- adminAddrstring
- statsAddrstring
- readinessAddrstring
- session
- *keystring
- mcp
- sessionTtlstring
- connectionTerminationDeadlinestring
- connectionMinTerminationDeadlinestring
- workerThreadsstring
- tracing
- otlpEndpointstring
- headersobject
- otlpProtocolstring
- fields
- removestring[]
- addobject
- randomSamplingstring|number|boolean
- clientSamplingstring|number|boolean
- pathstring
- logging
- filterstring
- fields
- removestring[]
- addobject
- levelstring[]
- formatstring
- metrics
- removestring[]
- fields
- addobject
- backend
- keepalives
- enabledboolean
- timestring
- intervalstring
- retriesinteger
- connectTimeoutstring
- poolIdleTimeoutstring
- poolMaxSizeinteger
- hbone
- windowSizeinteger
- connectionWindowSizeinteger
- frameSizeinteger
- poolMaxStreamsPerConninteger
- poolUnusedReleaseTimeoutstring
- frontendPolicies
- http
- maxBufferSizeinteger
- http1MaxHeadersinteger
- http1IdleTimeoutstring
- http1HeaderCasestring
- http2WindowSizeinteger
- http2ConnectionWindowSizeinteger
- http2FrameSizeinteger
- http2MaxHeaderSizeinteger
- http2KeepaliveIntervalstring
- http2KeepaliveTimeoutstring
- maxConnectionDurationstring
- tls
- handshakeTimeoutstring
- alpnarray[]
- minVersionstring
- maxVersionstring
- cipherSuitesstring[]
- keyExchangeGroupsstring[]
- tcp
- *keepalives
- enabledboolean
- timestring
- intervalstring
- retriesinteger
- networkAuthorization
- *rulesstring[]
- proxyProtocol
- versionstring
- modestring
- accessLog
- filterstring
- addobject
- removestring[]
- otlp
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- tracing
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- binds
- *portinteger
- *listeners
- namestring
- namespacestring
- hostnamestring
- protocolstring
- tls
- *certstring
- *keystring
- rootstring
- cipherSuitesstring[]
- minTLSVersionstring
- maxTLSVersionstring
- keyExchangeGroupsstring[]
- routes
- namestring
- namespacestring
- ruleNamestring
- hostnamesstring[]
- matches
- headers
- *namestring
- *value
- *exactstring
- path
- *exactstring
- methodstring
- query
- *namestring
- *value
- *exactstring
- policies
- requestHeaderModifier
- addobject
- setobject
- removestring[]
- responseHeaderModifier
- addobject
- setobject
- removestring[]
- requestRedirect
- schemestring
- authority
- *fullstring
- path
- *fullstring
- statusinteger
- urlRewrite
- authority
- *fullstring
- path
- *fullstring
- requestMirror
- *backend
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- *percentagenumber
- directResponse
- *conditional
- conditionstring
- bodyarray|string
- bodyExpressionstring
- headersobject
- *statusinteger
- cors
- allowCredentialsboolean
- allowHeadersstring[]
- allowMethodsstring[]
- allowOriginsstring[]
- exposeHeadersstring[]
- maxAgestring
- mcpAuthorization
- *rulesstring[]
- authorization
- *rulesstring[]
- mcpAuthentication
- *issuerstring
- *audiencesstring[]
- provider
- *auth0object
- *resourceMetadataobject
- *jwks
- *filestring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- jwtValidationOptions
- requiredClaimsstring[]
- clientIdstring
- a2aobject
- ai
- promptGuard
- request
- *regex
- actionstring
- *rules
- *builtinstring
- response
- *regex
- actionstring
- *rules
- *builtinstring
- defaultsobject
- overridesobject
- transformationsobject
- prompts
- append
- *rolestring
- *contentstring
- prepend
- *rolestring
- *contentstring
- modelAliasesobject
- promptCaching
- cacheSystemboolean
- cacheMessagesboolean
- cacheToolsboolean
- minTokensinteger
- cacheMessageOffsetinteger
- routesobject
- backendTLS
- certstring
- keystring
- rootstring
- hostnamestring
- insecureboolean
- insecureHostboolean
- alpnstring[]
- subjectAltNamesstring[]
- keyExchangeGroupsstring[]
- backendTunnel
- *proxy
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- backendAuth
- *passthrough
- location
- *header
- *namestring
- prefixstring
- localRateLimit
- *conditional
- conditionstring
- maxTokensinteger
- tokensPerFillinteger
- *fillIntervalstring
- typestring
- remoteRateLimit
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- jwtAuth
- modestring
- location
- *header
- *namestring
- prefixstring
- *providers
- *issuerstring
- audiencesstring[]
- *jwks
- *filestring
- jwtValidationOptions
- requiredClaimsstring[]
- oidc
- *issuerstring
- discovery
- *filestring
- authorizationEndpointstring
- tokenEndpointstring
- tokenEndpointAuthstring
- jwks
- *filestring
- *clientIdstring
- *clientSecretstring
- *redirectURIstring
- scopesstring[]
- basicAuth
- *htpasswd
- *filestring
- realmstring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- apiKey
- *keys
- *keystring
- metadata
- modestring
- location
- *header
- *namestring
- prefixstring
- extAuthz
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- extProc
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- transformations
- *conditional
- conditionstring
- request
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- response
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- csrf
- additionalOriginsstring[]
- timeout
- requestTimeoutstring
- backendRequestTimeoutstring
- retry
- attemptsinteger
- backoffstring
- *codesinteger[]
- backends
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- tcpRoutes
- namestring
- namespacestring
- ruleNamestring
- hostnamesstring[]
- policies
- backendTLS
- certstring
- keystring
- rootstring
- hostnamestring
- insecureboolean
- insecureHostboolean
- alpnstring[]
- subjectAltNamesstring[]
- keyExchangeGroupsstring[]
- backends
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- policies
- oidc
- *issuerstring
- discovery
- *filestring
- authorizationEndpointstring
- tokenEndpointstring
- tokenEndpointAuthstring
- jwks
- *filestring
- *clientIdstring
- *clientSecretstring
- *redirectURIstring
- scopesstring[]
- jwtAuth
- modestring
- location
- *header
- *namestring
- prefixstring
- *providers
- *issuerstring
- audiencesstring[]
- *jwks
- *filestring
- jwtValidationOptions
- requiredClaimsstring[]
- extAuthz
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- extProc
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- transformations
- *conditional
- conditionstring
- request
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- response
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- basicAuth
- *htpasswd
- *filestring
- realmstring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- apiKey
- *keys
- *keystring
- metadata
- modestring
- location
- *header
- *namestring
- prefixstring
- tunnelProtocolstring
- llm
- portinteger
- *models
- *namestring
- params
- modelstring
- apiKey
- *filestring
- awsRegionstring
- vertexRegionstring
- vertexProjectstring
- azureResourceNamestring
- azureResourceTypestring
- azureApiVersionstring
- azureProjectNamestring
- baseUrlstring
- hostOverridestring
- pathOverridestring
- pathPrefixstring
- tokenizeboolean
- *provider
- *custom
- modelstring
- *formats
- *typestring
- pathstring
- defaultsobject
- overridesobject
- transformationobject
- requestHeaders
- addobject
- setobject
- removestring[]
- responseHeaders
- addobject
- setobject
- removestring[]
- tls
- certstring
- keystring
- rootstring
- hostnamestring
- insecureboolean
- insecureHostboolean
- alpnstring[]
- subjectAltNamesstring[]
- keyExchangeGroupsstring[]
- auth
- *passthrough
- location
- *header
- *namestring
- prefixstring
- health
- unhealthyExpressionstring
- eviction
- durationstring
- restoreHealthnumber
- consecutiveFailuresinteger
- healthThresholdnumber
- backendTunnel
- *proxy
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- guardrails
- request
- *regex
- actionstring
- *rules
- *builtinstring
- response
- *regex
- actionstring
- *rules
- *builtinstring
- matches
- headers
- *namestring
- *value
- *exactstring
- policies
- oidc
- *issuerstring
- discovery
- *filestring
- authorizationEndpointstring
- tokenEndpointstring
- tokenEndpointAuthstring
- jwks
- *filestring
- *clientIdstring
- *clientSecretstring
- *redirectURIstring
- scopesstring[]
- jwtAuth
- modestring
- location
- *header
- *namestring
- prefixstring
- *providers
- *issuerstring
- audiencesstring[]
- *jwks
- *filestring
- jwtValidationOptions
- requiredClaimsstring[]
- extAuthz
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- extProc
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- transformations
- *conditional
- conditionstring
- request
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- response
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- basicAuth
- *htpasswd
- *filestring
- realmstring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- apiKey
- *keys
- *keystring
- metadata
- modestring
- location
- *header
- *namestring
- prefixstring
- authorization
- *rulesstring[]
- localRateLimit
- maxTokensinteger
- tokensPerFillinteger
- *fillIntervalstring
- typestring
- remoteRateLimit
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- mcp
- portinteger
- *targets
- *sse
- hoststring
- portinteger
- pathstring
- backendstring
- statefulModestring
- prefixModestring
- failureModestring
- policies
- requestHeaderModifier
- addobject
- setobject
- removestring[]
- responseHeaderModifier
- addobject
- setobject
- removestring[]
- requestRedirect
- schemestring
- authority
- *fullstring
- path
- *fullstring
- statusinteger
- urlRewrite
- authority
- *fullstring
- path
- *fullstring
- requestMirror
- *backend
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- *percentagenumber
- directResponse
- *conditional
- conditionstring
- bodyarray|string
- bodyExpressionstring
- headersobject
- *statusinteger
- cors
- allowCredentialsboolean
- allowHeadersstring[]
- allowMethodsstring[]
- allowOriginsstring[]
- exposeHeadersstring[]
- maxAgestring
- mcpAuthorization
- *rulesstring[]
- authorization
- *rulesstring[]
- mcpAuthentication
- *issuerstring
- *audiencesstring[]
- provider
- *auth0object
- *resourceMetadataobject
- *jwks
- *filestring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- jwtValidationOptions
- requiredClaimsstring[]
- clientIdstring
- a2aobject
- ai
- promptGuard
- request
- *regex
- actionstring
- *rules
- *builtinstring
- response
- *regex
- actionstring
- *rules
- *builtinstring
- defaultsobject
- overridesobject
- transformationsobject
- prompts
- append
- *rolestring
- *contentstring
- prepend
- *rolestring
- *contentstring
- modelAliasesobject
- promptCaching
- cacheSystemboolean
- cacheMessagesboolean
- cacheToolsboolean
- minTokensinteger
- cacheMessageOffsetinteger
- routesobject
- backendTLS
- certstring
- keystring
- rootstring
- hostnamestring
- insecureboolean
- insecureHostboolean
- alpnstring[]
- subjectAltNamesstring[]
- keyExchangeGroupsstring[]
- backendTunnel
- *proxy
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- backendAuth
- *passthrough
- location
- *header
- *namestring
- prefixstring
- localRateLimit
- *conditional
- conditionstring
- maxTokensinteger
- tokensPerFillinteger
- *fillIntervalstring
- typestring
- remoteRateLimit
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- jwtAuth
- modestring
- location
- *header
- *namestring
- prefixstring
- *providers
- *issuerstring
- audiencesstring[]
- *jwks
- *filestring
- jwtValidationOptions
- requiredClaimsstring[]
- oidc
- *issuerstring
- discovery
- *filestring
- authorizationEndpointstring
- tokenEndpointstring
- tokenEndpointAuthstring
- jwks
- *filestring
- *clientIdstring
- *clientSecretstring
- *redirectURIstring
- scopesstring[]
- basicAuth
- *htpasswd
- *filestring
- realmstring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- apiKey
- *keys
- *keystring
- metadata
- modestring
- location
- *header
- *namestring
- prefixstring
- extAuthz
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- extProc
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- transformations
- *conditional
- conditionstring
- request
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- response
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- csrf
- additionalOriginsstring[]
- timeout
- requestTimeoutstring
- backendRequestTimeoutstring
- retry
- attemptsinteger
- backoffstring
- *codesinteger[]
- policies
- *name
- *namestring
- *namespacestring
- *target
- *gateway
- *gatewayNamestring
- *gatewayNamespacestring
- listenerNamestring
- portinteger
- phasestring
- *policy
- requestHeaderModifier
- addobject
- setobject
- removestring[]
- responseHeaderModifier
- addobject
- setobject
- removestring[]
- requestRedirect
- schemestring
- authority
- *fullstring
- path
- *fullstring
- statusinteger
- urlRewrite
- authority
- *fullstring
- path
- *fullstring
- requestMirror
- *backend
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- *percentagenumber
- directResponse
- *conditional
- conditionstring
- bodyarray|string
- bodyExpressionstring
- headersobject
- *statusinteger
- cors
- allowCredentialsboolean
- allowHeadersstring[]
- allowMethodsstring[]
- allowOriginsstring[]
- exposeHeadersstring[]
- maxAgestring
- mcpAuthorization
- *rulesstring[]
- authorization
- *rulesstring[]
- mcpAuthentication
- *issuerstring
- *audiencesstring[]
- provider
- *auth0object
- *resourceMetadataobject
- *jwks
- *filestring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- jwtValidationOptions
- requiredClaimsstring[]
- clientIdstring
- a2aobject
- ai
- promptGuard
- request
- *regex
- actionstring
- *rules
- *builtinstring
- response
- *regex
- actionstring
- *rules
- *builtinstring
- defaultsobject
- overridesobject
- transformationsobject
- prompts
- append
- *rolestring
- *contentstring
- prepend
- *rolestring
- *contentstring
- modelAliasesobject
- promptCaching
- cacheSystemboolean
- cacheMessagesboolean
- cacheToolsboolean
- minTokensinteger
- cacheMessageOffsetinteger
- routesobject
- backendTLS
- certstring
- keystring
- rootstring
- hostnamestring
- insecureboolean
- insecureHostboolean
- alpnstring[]
- subjectAltNamesstring[]
- keyExchangeGroupsstring[]
- backendTunnel
- *proxy
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- backendAuth
- *passthrough
- location
- *header
- *namestring
- prefixstring
- localRateLimit
- *conditional
- conditionstring
- maxTokensinteger
- tokensPerFillinteger
- *fillIntervalstring
- typestring
- remoteRateLimit
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- jwtAuth
- modestring
- location
- *header
- *namestring
- prefixstring
- *providers
- *issuerstring
- audiencesstring[]
- *jwks
- *filestring
- jwtValidationOptions
- requiredClaimsstring[]
- oidc
- *issuerstring
- discovery
- *filestring
- authorizationEndpointstring
- tokenEndpointstring
- tokenEndpointAuthstring
- jwks
- *filestring
- *clientIdstring
- *clientSecretstring
- *redirectURIstring
- scopesstring[]
- basicAuth
- *htpasswd
- *filestring
- realmstring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- apiKey
- *keys
- *keystring
- metadata
- modestring
- location
- *header
- *namestring
- prefixstring
- extAuthz
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- extProc
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- transformations
- *conditional
- conditionstring
- request
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- response
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- csrf
- additionalOriginsstring[]
- timeout
- requestTimeoutstring
- backendRequestTimeoutstring
- retry
- attemptsinteger
- backoffstring
- *codesinteger[]
- workloads
- services
- backends
- *hoststring
- routeGroups
- *namestring
- *routes
- namestring
- namespacestring
- ruleNamestring
- hostnamesstring[]
- matches
- headers
- *namestring
- *value
- *exactstring
- path
- *exactstring
- methodstring
- query
- *namestring
- *value
- *exactstring
- policies
- requestHeaderModifier
- addobject
- setobject
- removestring[]
- responseHeaderModifier
- addobject
- setobject
- removestring[]
- requestRedirect
- schemestring
- authority
- *fullstring
- path
- *fullstring
- statusinteger
- urlRewrite
- authority
- *fullstring
- path
- *fullstring
- requestMirror
- *backend
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- *percentagenumber
- directResponse
- *conditional
- conditionstring
- bodyarray|string
- bodyExpressionstring
- headersobject
- *statusinteger
- cors
- allowCredentialsboolean
- allowHeadersstring[]
- allowMethodsstring[]
- allowOriginsstring[]
- exposeHeadersstring[]
- maxAgestring
- mcpAuthorization
- *rulesstring[]
- authorization
- *rulesstring[]
- mcpAuthentication
- *issuerstring
- *audiencesstring[]
- provider
- *auth0object
- *resourceMetadataobject
- *jwks
- *filestring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- jwtValidationOptions
- requiredClaimsstring[]
- clientIdstring
- a2aobject
- ai
- promptGuard
- request
- *regex
- actionstring
- *rules
- *builtinstring
- response
- *regex
- actionstring
- *rules
- *builtinstring
- defaultsobject
- overridesobject
- transformationsobject
- prompts
- append
- *rolestring
- *contentstring
- prepend
- *rolestring
- *contentstring
- modelAliasesobject
- promptCaching
- cacheSystemboolean
- cacheMessagesboolean
- cacheToolsboolean
- minTokensinteger
- cacheMessageOffsetinteger
- routesobject
- backendTLS
- certstring
- keystring
- rootstring
- hostnamestring
- insecureboolean
- insecureHostboolean
- alpnstring[]
- subjectAltNamesstring[]
- keyExchangeGroupsstring[]
- backendTunnel
- *proxy
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- backendAuth
- *passthrough
- location
- *header
- *namestring
- prefixstring
- localRateLimit
- *conditional
- conditionstring
- maxTokensinteger
- tokensPerFillinteger
- *fillIntervalstring
- typestring
- remoteRateLimit
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- jwtAuth
- modestring
- location
- *header
- *namestring
- prefixstring
- *providers
- *issuerstring
- audiencesstring[]
- *jwks
- *filestring
- jwtValidationOptions
- requiredClaimsstring[]
- oidc
- *issuerstring
- discovery
- *filestring
- authorizationEndpointstring
- tokenEndpointstring
- tokenEndpointAuthstring
- jwks
- *filestring
- *clientIdstring
- *clientSecretstring
- *redirectURIstring
- scopesstring[]
- basicAuth
- *htpasswd
- *filestring
- realmstring
- modestring
- authorizationLocation
- *header
- *namestring
- prefixstring
- apiKey
- *keys
- *keystring
- metadata
- modestring
- location
- *header
- *namestring
- prefixstring
- extAuthz
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- extProc
- *conditional
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
- transformations
- *conditional
- conditionstring
- request
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- response
- addobject
- setobject
- removestring[]
- bodystring
- metadataobject
- csrf
- additionalOriginsstring[]
- timeout
- requestTimeoutstring
- backendRequestTimeoutstring
- retry
- attemptsinteger
- backoffstring
- *codesinteger[]
- backends
- *service
- *name
- *namespacestring
- *hostnamestring
- *portinteger
config
No description for this field.
Validation
Defaultnull
config.enableIpv6
No description for this field.
config.dns
DNS resolver settings.
config.dns.lookupFamily
Controls which IP address families the DNS resolver will query for
upstream connections.
Accepted values: All, Auto, V4Preferred, V4Only, V6Only.
Defaults to Auto (IPv4-only when enableIpv6 is false, both when true).
upstream connections.
Accepted values: All, Auto, V4Preferred, V4Only, V6Only.
Defaults to Auto (IPv4-only when enableIpv6 is false, both when true).
Validation
ConstAll
config.dns.edns0
Whether to enable EDNS0 (Extension Mechanisms for DNS) in the resolver.
When
Can also be set via the
When
None, the system-provided resolver setting is preserved.Can also be set via the
DNS_EDNS0 environment variable.config.localXdsPath
Local XDS path. If not specified, the current configuration file will be used.
config.caAddress
No description for this field.
config.caAuthToken
No description for this field.
config.xdsAddress
No description for this field.
config.xdsAuthToken
No description for this field.
config.namespace
No description for this field.
config.gateway
No description for this field.
config.trustDomain
No description for this field.
config.additionalTrustDomains
Comma-separated list of additional SPIFFE trust domains accepted on inbound HBONE
connections. The local trust_domain is always implicitly included.
connections. The local trust_domain is always implicitly included.
config.skipValidateTrustDomain
When true, skip SPIFFE trust-domain verification on inbound HBONE connections.
config.serviceAccount
No description for this field.
config.clusterId
No description for this field.
config.network
No description for this field.
config.adminAddr
Admin UI address in the format "ip:port", "localhost:port", "unix:/path/to/socket", or "off"
config.statsAddr
Stats/metrics server address in the format "ip:port", "localhost:port", "unix:/path/to/socket", or "off"
config.readinessAddr
Readiness probe server address in the format "ip:port", "localhost:port", "unix:/path/to/socket", or "off"
config.session
Configuration for stateful session management
config.session.key
The AES-256-GCM session protection key to be used for session tokens.
If not set, sessions will not be encrypted.
For example, generated via
If not set, sessions will not be encrypted.
For example, generated via
openssl rand -hex 32.config.mcp
MCP gateway settings.
config.mcp.sessionTtl
No description for this field.
Validation
Defaultnull
config.connectionTerminationDeadline
No description for this field.
Validation
Defaultnull
config.connectionMinTerminationDeadline
No description for this field.
Validation
Defaultnull
config.workerThreads
No description for this field.
config.tracing
No description for this field.
config.tracing.otlpEndpoint
No description for this field.
config.tracing.headers
No description for this field.
Validation
Default{}
config.tracing.otlpProtocol
No description for this field.
Validation
Enumgrpc, http
Defaultgrpc
config.tracing.fields
No description for this field.
config.tracing.fields.remove
No description for this field.
Validation
Default[]
config.tracing.fields.add
No description for this field.
Validation
Default{}
config.tracing.randomSampling
Expression to determine the amount of *random sampling*.
Random sampling will initiate a new trace span if the incoming request does not have a trace already.
This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.
This defaults to 'false'.
Random sampling will initiate a new trace span if the incoming request does not have a trace already.
This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.
This defaults to 'false'.
config.tracing.clientSampling
Expression to determine the amount of *client sampling*.
Client sampling determines whether to initiate a new trace span if the incoming request does have a trace already.
This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.
This defaults to 'true'.
Client sampling determines whether to initiate a new trace span if the incoming request does have a trace already.
This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.
This defaults to 'true'.
config.tracing.path
OTLP path. Default is /v1/traces
config.logging
No description for this field.
config.logging.filter
No description for this field.
config.logging.fields
No description for this field.
config.logging.fields.remove
No description for this field.
Validation
Default[]
config.logging.fields.add
No description for this field.
Validation
Default{}
config.logging.level
No description for this field.
config.logging.format
No description for this field.
Validation
Enumtext, json
config.metrics
No description for this field.
config.metrics.remove
No description for this field.
Validation
Default[]
config.metrics.fields
No description for this field.
config.metrics.fields.add
No description for this field.
Validation
Default{}
config.backend
No description for this field.
Validation
Default{"keepalives": {"enabled": true, "time": "3m0s", "interval": "3m0s", "retries": 9}, "connectTimeout": "10s", "poolIdleTimeout": "1m30s", "poolMaxSize": null}
config.backend.keepalives
No description for this field.
Validation
Default{"enabled": true, "time": "3m0s", "interval": "3m0s", "retries": 9}
config.backend.keepalives.enabled
No description for this field.
Validation
Defaulttrue
config.backend.keepalives.time
No description for this field.
Validation
Default3m0s
config.backend.keepalives.interval
No description for this field.
Validation
Default3m0s
config.backend.keepalives.retries
No description for this field.
Validation
Default9
Formatuint32
Minimum0
config.backend.connectTimeout
No description for this field.
Validation
Default10s
config.backend.poolIdleTimeout
The maximum duration to keep an idle connection alive.
Validation
Default1m30s
config.backend.poolMaxSize
The maximum number of connections allowed in the pool, per hostname. If set, this will limit
the total number of connections kept alive to any given host.
Note: excess connections will still be created, they will just not remain idle.
If unset, there is no limit
the total number of connections kept alive to any given host.
Note: excess connections will still be created, they will just not remain idle.
If unset, there is no limit
Validation
Defaultnull
Formatuint
Minimum0
config.hbone
No description for this field.
config.hbone.windowSize
No description for this field.
Validation
Formatuint32
Minimum0
config.hbone.connectionWindowSize
No description for this field.
Validation
Formatuint32
Minimum0
config.hbone.frameSize
No description for this field.
Validation
Formatuint32
Minimum0
config.hbone.poolMaxStreamsPerConn
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
config.hbone.poolUnusedReleaseTimeout
No description for this field.
frontendPolicies
No description for this field.
frontendPolicies.http
Settings for handling incoming HTTP requests.
Validation
Defaultnull
frontendPolicies.http.maxBufferSize
No description for this field.
Validation
Default2097152
Formatuint
Minimum0
frontendPolicies.http.http1MaxHeaders
The maximum number of headers allowed in a request. Changing this value results in a performance
degradation, even if set to a lower value than the default (100)
degradation, even if set to a lower value than the default (100)
Validation
Defaultnull
Formatuint
Minimum0
frontendPolicies.http.http1IdleTimeout
No description for this field.
Validation
Default10m0s
frontendPolicies.http.http1HeaderCase
Preserves the original casing of HTTP/1 request header names when encoding responses on the same connection.
Validation
Enumlowercase, preserve
Defaultlowercase
frontendPolicies.http.http2WindowSize
No description for this field.
Validation
Defaultnull
Formatuint32
Minimum0
frontendPolicies.http.http2ConnectionWindowSize
No description for this field.
Validation
Defaultnull
Formatuint32
Minimum0
frontendPolicies.http.http2FrameSize
No description for this field.
Validation
Defaultnull
Formatuint32
Minimum0
frontendPolicies.http.http2MaxHeaderSize
No description for this field.
Validation
Defaultnull
Formatuint32
Minimum0
frontendPolicies.http.http2KeepaliveInterval
No description for this field.
Validation
Defaultnull
frontendPolicies.http.http2KeepaliveTimeout
No description for this field.
Validation
Defaultnull
frontendPolicies.http.maxConnectionDuration
Maximum duration a connection is allowed to remain open. After this duration,
the connection is gracefully closed after the current in-flight request completes.
Useful for ensuring even traffic distribution behind load balancers during scaling events.
the connection is gracefully closed after the current in-flight request completes.
Useful for ensuring even traffic distribution behind load balancers during scaling events.
Validation
Defaultnull
frontendPolicies.tls
Settings for handling incoming TLS connections.
Validation
Defaultnull
frontendPolicies.tls.handshakeTimeout
No description for this field.
Validation
Default15s
frontendPolicies.tls.alpn
No description for this field.
Validation
Defaultnull
frontendPolicies.tls.minVersion
No description for this field.
Validation
EnumTLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3
frontendPolicies.tls.maxVersion
No description for this field.
Validation
EnumTLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3
frontendPolicies.tls.cipherSuites
No description for this field.
frontendPolicies.tls.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
frontendPolicies.tcp
Settings for handling incoming TCP connections.
Validation
Defaultnull
frontendPolicies.tcp.keepalives
No description for this field.
frontendPolicies.tcp.keepalives.enabled
No description for this field.
Validation
Defaulttrue
frontendPolicies.tcp.keepalives.time
No description for this field.
Validation
Default3m0s
frontendPolicies.tcp.keepalives.interval
No description for this field.
Validation
Default3m0s
frontendPolicies.tcp.keepalives.retries
No description for this field.
Validation
Default9
Formatuint32
Minimum0
frontendPolicies.networkAuthorization
CEL authorization for downstream network connections.
Validation
Defaultnull
frontendPolicies.networkAuthorization.rules
No description for this field.
frontendPolicies.proxyProtocol
Enable downstream PROXY protocol handling on this gateway or port, including
version matching and whether PROXY headers are required or optional.
version matching and whether PROXY headers are required or optional.
Validation
Defaultnull
frontendPolicies.proxyProtocol.version
No description for this field.
Validation
Enumv1, v2, all
Defaultv2
frontendPolicies.proxyProtocol.mode
No description for this field.
Validation
Enumstrict, optional
Defaultstrict
frontendPolicies.accessLog
Settings for request access logs.
Validation
Defaultnull
frontendPolicies.accessLog.filter
No description for this field.
frontendPolicies.accessLog.add
No description for this field.
frontendPolicies.accessLog.remove
No description for this field.
Validation
Unique itemstrue
frontendPolicies.accessLog.otlp
Service reference. Service must be defined in the top level services list.
frontendPolicies.accessLog.otlp.service
No description for this field.
frontendPolicies.accessLog.otlp.service.name
No description for this field.
frontendPolicies.accessLog.otlp.service.name.namespace
No description for this field.
frontendPolicies.accessLog.otlp.service.name.hostname
No description for this field.
frontendPolicies.accessLog.otlp.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
frontendPolicies.tracing
Service reference. Service must be defined in the top level services list.
Validation
Defaultnull
frontendPolicies.tracing.service
No description for this field.
frontendPolicies.tracing.service.name
No description for this field.
frontendPolicies.tracing.service.name.namespace
No description for this field.
frontendPolicies.tracing.service.name.hostname
No description for this field.
frontendPolicies.tracing.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds
No description for this field.
binds.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners
No description for this field.
binds.listeners.name
No description for this field.
Validation
Defaultnull
binds.listeners.namespace
No description for this field.
Validation
Defaultnull
binds.listeners.hostname
Can be a wildcard
binds.listeners.protocol
No description for this field.
Validation
EnumHTTP, HTTPS, TLS, TCP, HBONE
binds.listeners.tls
No description for this field.
binds.listeners.tls.cert
No description for this field.
binds.listeners.tls.key
No description for this field.
binds.listeners.tls.root
No description for this field.
binds.listeners.tls.cipherSuites
Optional cipher suite allowlist (order is preserved).
binds.listeners.tls.minTLSVersion
Minimum supported TLS version (only TLS 1.2 and 1.3 are supported).
Validation
EnumTLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3
binds.listeners.tls.maxTLSVersion
Maximum supported TLS version (only TLS 1.2 and 1.3 are supported).
Validation
EnumTLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3
binds.listeners.tls.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
binds.listeners.routes
No description for this field.
binds.listeners.routes.name
No description for this field.
Validation
Defaultnull
binds.listeners.routes.namespace
No description for this field.
Validation
Defaultnull
binds.listeners.routes.ruleName
No description for this field.
Validation
Defaultnull
binds.listeners.routes.hostnames
Can be a wildcard
binds.listeners.routes.matches
No description for this field.
Validation
Default[{"path": {"pathPrefix": "/"}}]
binds.listeners.routes.matches.headers
No description for this field.
binds.listeners.routes.matches.headers.name
No description for this field.
binds.listeners.routes.matches.headers.value
No description for this field.
binds.listeners.routes.matches.headers.value.exact
No description for this field.
binds.listeners.routes.matches.path
No description for this field.
Validation
Default{"pathPrefix": "/"}
binds.listeners.routes.matches.path.exact
No description for this field.
binds.listeners.routes.matches.method
No description for this field.
binds.listeners.routes.matches.query
No description for this field.
binds.listeners.routes.matches.query.name
No description for this field.
binds.listeners.routes.matches.query.value
No description for this field.
binds.listeners.routes.matches.query.value.exact
No description for this field.
binds.listeners.routes.policies
No description for this field.
binds.listeners.routes.policies.requestHeaderModifier
Headers to be modified in the request.
Validation
Defaultnull
binds.listeners.routes.policies.requestHeaderModifier.add
No description for this field.
binds.listeners.routes.policies.requestHeaderModifier.set
No description for this field.
binds.listeners.routes.policies.requestHeaderModifier.remove
No description for this field.
binds.listeners.routes.policies.responseHeaderModifier
Headers to be modified in the response.
Validation
Defaultnull
binds.listeners.routes.policies.responseHeaderModifier.add
No description for this field.
binds.listeners.routes.policies.responseHeaderModifier.set
No description for this field.
binds.listeners.routes.policies.responseHeaderModifier.remove
No description for this field.
binds.listeners.routes.policies.requestRedirect
Directly respond to the request with a redirect.
Validation
Defaultnull
binds.listeners.routes.policies.requestRedirect.scheme
No description for this field.
binds.listeners.routes.policies.requestRedirect.authority
No description for this field.
binds.listeners.routes.policies.requestRedirect.authority.full
No description for this field.
binds.listeners.routes.policies.requestRedirect.path
No description for this field.
binds.listeners.routes.policies.requestRedirect.path.full
No description for this field.
binds.listeners.routes.policies.requestRedirect.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
binds.listeners.routes.policies.urlRewrite
Modify the URL path or authority.
Validation
Defaultnull
binds.listeners.routes.policies.urlRewrite.authority
No description for this field.
binds.listeners.routes.policies.urlRewrite.authority.full
No description for this field.
binds.listeners.routes.policies.urlRewrite.path
No description for this field.
binds.listeners.routes.policies.urlRewrite.path.full
No description for this field.
binds.listeners.routes.policies.requestMirror
Mirror incoming requests to another destination.
Validation
Defaultnull
binds.listeners.routes.policies.requestMirror.backend
Service reference. Service must be defined in the top level services list.
binds.listeners.routes.policies.requestMirror.backend.service
No description for this field.
binds.listeners.routes.policies.requestMirror.backend.service.name
No description for this field.
binds.listeners.routes.policies.requestMirror.backend.service.name.namespace
No description for this field.
binds.listeners.routes.policies.requestMirror.backend.service.name.hostname
No description for this field.
binds.listeners.routes.policies.requestMirror.backend.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.routes.policies.requestMirror.percentage
No description for this field.
Validation
Formatdouble
binds.listeners.routes.policies.directResponse
Directly respond to the request with a static response.
binds.listeners.routes.policies.directResponse.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.routes.policies.directResponse.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
binds.listeners.routes.policies.directResponse.conditional.body
No description for this field.
binds.listeners.routes.policies.directResponse.conditional.bodyExpression
No description for this field.
binds.listeners.routes.policies.directResponse.conditional.headers
No description for this field.
binds.listeners.routes.policies.directResponse.conditional.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
binds.listeners.routes.policies.cors
Handle CORS preflight requests and append configured CORS headers to applicable requests.
Validation
Defaultnull
binds.listeners.routes.policies.cors.allowCredentials
No description for this field.
Validation
Defaultfalse
binds.listeners.routes.policies.cors.allowHeaders
No description for this field.
Validation
Default[]
binds.listeners.routes.policies.cors.allowMethods
No description for this field.
Validation
Default[]
binds.listeners.routes.policies.cors.allowOrigins
No description for this field.
Validation
Default[]
binds.listeners.routes.policies.cors.exposeHeaders
No description for this field.
Validation
Default[]
binds.listeners.routes.policies.cors.maxAge
No description for this field.
Validation
Defaultnull
binds.listeners.routes.policies.mcpAuthorization
Authorization policies for MCP access.
Validation
Defaultnull
binds.listeners.routes.policies.mcpAuthorization.rules
No description for this field.
binds.listeners.routes.policies.authorization
Authorization policies for HTTP access.
Validation
Defaultnull
binds.listeners.routes.policies.authorization.rules
No description for this field.
binds.listeners.routes.policies.mcpAuthentication
Authentication for MCP clients.
binds.listeners.routes.policies.mcpAuthentication.issuer
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.audiences
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.provider
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.provider.auth0
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.resourceMetadata
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.jwks
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.jwks.file
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.mode
A valid token, issued by a configured issuer, must be present.
This is the default option.
This is the default option.
Validation
Conststrict
Defaultstrict
binds.listeners.routes.policies.mcpAuthentication.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
binds.listeners.routes.policies.mcpAuthentication.authorizationLocation.header
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.authorizationLocation.header.name
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.authorizationLocation.header.prefix
No description for this field.
binds.listeners.routes.policies.mcpAuthentication.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].binds.listeners.routes.policies.mcpAuthentication.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
binds.listeners.routes.policies.mcpAuthentication.clientId
No description for this field.
binds.listeners.routes.policies.a2a
Mark this traffic as A2A to enable A2A processing and telemetry.
Validation
Defaultnull
binds.listeners.routes.policies.ai
Mark this as LLM traffic to enable LLM processing.
Validation
Defaultnull
binds.listeners.routes.policies.ai.promptGuard
No description for this field.
binds.listeners.routes.policies.ai.promptGuard.request
No description for this field.
binds.listeners.routes.policies.ai.promptGuard.request.regex
No description for this field.
binds.listeners.routes.policies.ai.promptGuard.request.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
binds.listeners.routes.policies.ai.promptGuard.request.regex.rules
No description for this field.
binds.listeners.routes.policies.ai.promptGuard.request.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
binds.listeners.routes.policies.ai.promptGuard.response
No description for this field.
binds.listeners.routes.policies.ai.promptGuard.response.regex
No description for this field.
binds.listeners.routes.policies.ai.promptGuard.response.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
binds.listeners.routes.policies.ai.promptGuard.response.regex.rules
No description for this field.
binds.listeners.routes.policies.ai.promptGuard.response.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
binds.listeners.routes.policies.ai.defaults
No description for this field.
binds.listeners.routes.policies.ai.overrides
No description for this field.
binds.listeners.routes.policies.ai.transformations
No description for this field.
binds.listeners.routes.policies.ai.prompts
No description for this field.
Validation
Min properties1
binds.listeners.routes.policies.ai.prompts.append
No description for this field.
binds.listeners.routes.policies.ai.prompts.append.role
No description for this field.
binds.listeners.routes.policies.ai.prompts.append.content
No description for this field.
binds.listeners.routes.policies.ai.prompts.prepend
No description for this field.
binds.listeners.routes.policies.ai.prompts.prepend.role
No description for this field.
binds.listeners.routes.policies.ai.prompts.prepend.content
No description for this field.
binds.listeners.routes.policies.ai.modelAliases
No description for this field.
binds.listeners.routes.policies.ai.promptCaching
No description for this field.
binds.listeners.routes.policies.ai.promptCaching.cacheSystem
No description for this field.
Validation
Defaulttrue
binds.listeners.routes.policies.ai.promptCaching.cacheMessages
No description for this field.
Validation
Defaulttrue
binds.listeners.routes.policies.ai.promptCaching.cacheTools
No description for this field.
Validation
Defaultfalse
binds.listeners.routes.policies.ai.promptCaching.minTokens
No description for this field.
Validation
Default1024
Formatuint
Minimum0
binds.listeners.routes.policies.ai.promptCaching.cacheMessageOffset
No description for this field.
Validation
Default0
Formatuint
Minimum0
binds.listeners.routes.policies.ai.routes
No description for this field.
binds.listeners.routes.policies.backendTLS
Send TLS to the backend.
binds.listeners.routes.policies.backendTLS.cert
No description for this field.
binds.listeners.routes.policies.backendTLS.key
No description for this field.
binds.listeners.routes.policies.backendTLS.root
No description for this field.
binds.listeners.routes.policies.backendTLS.hostname
No description for this field.
binds.listeners.routes.policies.backendTLS.insecure
No description for this field.
Validation
Defaultfalse
binds.listeners.routes.policies.backendTLS.insecureHost
No description for this field.
Validation
Defaultfalse
binds.listeners.routes.policies.backendTLS.alpn
No description for this field.
Validation
Defaultnull
binds.listeners.routes.policies.backendTLS.subjectAltNames
No description for this field.
Validation
Defaultnull
binds.listeners.routes.policies.backendTLS.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
Validation
Defaultnull
binds.listeners.routes.policies.backendTunnel
Tunnel to the backend.
Validation
Defaultnull
binds.listeners.routes.policies.backendTunnel.proxy
Reference to the proxy address
binds.listeners.routes.policies.backendTunnel.proxy.service
No description for this field.
binds.listeners.routes.policies.backendTunnel.proxy.service.name
No description for this field.
binds.listeners.routes.policies.backendTunnel.proxy.service.name.namespace
No description for this field.
binds.listeners.routes.policies.backendTunnel.proxy.service.name.hostname
No description for this field.
binds.listeners.routes.policies.backendTunnel.proxy.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.routes.policies.backendAuth
Authenticate to the backend.
Validation
Defaultnull
binds.listeners.routes.policies.backendAuth.passthrough
No description for this field.
binds.listeners.routes.policies.backendAuth.passthrough.location
No description for this field.
binds.listeners.routes.policies.backendAuth.passthrough.location.header
No description for this field.
binds.listeners.routes.policies.backendAuth.passthrough.location.header.name
No description for this field.
binds.listeners.routes.policies.backendAuth.passthrough.location.header.prefix
No description for this field.
binds.listeners.routes.policies.localRateLimit
Rate limit incoming requests. State is kept local.
binds.listeners.routes.policies.localRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.routes.policies.localRateLimit.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
binds.listeners.routes.policies.localRateLimit.conditional.maxTokens
No description for this field.
Validation
Default0
Formatuint64
Minimum0
binds.listeners.routes.policies.localRateLimit.conditional.tokensPerFill
No description for this field.
Validation
Default0
Formatuint64
Minimum0
binds.listeners.routes.policies.localRateLimit.conditional.fillInterval
No description for this field.
binds.listeners.routes.policies.localRateLimit.conditional.type
No description for this field.
Validation
Enumrequests, tokens
Defaultrequests
binds.listeners.routes.policies.remoteRateLimit
Rate limit incoming requests. State is managed by a remote server.
binds.listeners.routes.policies.remoteRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.routes.policies.remoteRateLimit.conditional.service
No description for this field.
binds.listeners.routes.policies.remoteRateLimit.conditional.service.name
No description for this field.
binds.listeners.routes.policies.remoteRateLimit.conditional.service.name.namespace
No description for this field.
binds.listeners.routes.policies.remoteRateLimit.conditional.service.name.hostname
No description for this field.
binds.listeners.routes.policies.remoteRateLimit.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.routes.policies.jwtAuth
Authenticate incoming JWT requests.
binds.listeners.routes.policies.jwtAuth.mode
A valid token, issued by a configured issuer, must be present.
Validation
Conststrict
Defaultoptional
binds.listeners.routes.policies.jwtAuth.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
binds.listeners.routes.policies.jwtAuth.location.header
No description for this field.
binds.listeners.routes.policies.jwtAuth.location.header.name
No description for this field.
binds.listeners.routes.policies.jwtAuth.location.header.prefix
No description for this field.
binds.listeners.routes.policies.jwtAuth.providers
No description for this field.
binds.listeners.routes.policies.jwtAuth.providers.issuer
No description for this field.
binds.listeners.routes.policies.jwtAuth.providers.audiences
No description for this field.
binds.listeners.routes.policies.jwtAuth.providers.jwks
No description for this field.
binds.listeners.routes.policies.jwtAuth.providers.jwks.file
No description for this field.
binds.listeners.routes.policies.jwtAuth.providers.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].binds.listeners.routes.policies.jwtAuth.providers.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
binds.listeners.routes.policies.oidc
Authenticate incoming browser requests with OIDC authorization code flow.
binds.listeners.routes.policies.oidc.issuer
Issuer used for discovery and ID token validation.
binds.listeners.routes.policies.oidc.discovery
Optional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.binds.listeners.routes.policies.oidc.discovery.file
No description for this field.
binds.listeners.routes.policies.oidc.authorizationEndpoint
Authorization endpoint used to start the browser login flow.
Validation
Defaultnull
binds.listeners.routes.policies.oidc.tokenEndpoint
Token endpoint used to exchange the authorization code.
Validation
Defaultnull
binds.listeners.routes.policies.oidc.tokenEndpointAuth
Token endpoint client authentication method for explicit provider configuration.
Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.Validation
EnumclientSecretBasic, clientSecretPost
Defaultnull
binds.listeners.routes.policies.oidc.jwks
JWKS source used to validate returned ID tokens.
binds.listeners.routes.policies.oidc.jwks.file
No description for this field.
binds.listeners.routes.policies.oidc.clientId
OAuth2 client identifier used for authorization and token exchange.
binds.listeners.routes.policies.oidc.clientSecret
OAuth2 client secret used for token exchange.
binds.listeners.routes.policies.oidc.redirectURI
Absolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
binds.listeners.routes.policies.oidc.scopes
Additional OAuth2 scopes to request.
openid is always included.Validation
Default[]
binds.listeners.routes.policies.basicAuth
Authenticate incoming requests using Basic Authentication with htpasswd.
binds.listeners.routes.policies.basicAuth.htpasswd
.htpasswd file contents/reference
binds.listeners.routes.policies.basicAuth.htpasswd.file
No description for this field.
binds.listeners.routes.policies.basicAuth.realm
Realm name for the WWW-Authenticate header
Validation
Defaultnull
binds.listeners.routes.policies.basicAuth.mode
Validation mode for basic authentication
Validation
Conststrict
Defaultoptional
binds.listeners.routes.policies.basicAuth.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Basic "}}
binds.listeners.routes.policies.basicAuth.authorizationLocation.header
No description for this field.
binds.listeners.routes.policies.basicAuth.authorizationLocation.header.name
No description for this field.
binds.listeners.routes.policies.basicAuth.authorizationLocation.header.prefix
No description for this field.
binds.listeners.routes.policies.apiKey
Authenticate incoming requests using API Keys
binds.listeners.routes.policies.apiKey.keys
List of API keys
binds.listeners.routes.policies.apiKey.keys.key
No description for this field.
binds.listeners.routes.policies.apiKey.keys.metadata
No description for this field.
binds.listeners.routes.policies.apiKey.mode
Validation mode for API keys
Validation
Conststrict
Defaultoptional
binds.listeners.routes.policies.apiKey.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
binds.listeners.routes.policies.apiKey.location.header
No description for this field.
binds.listeners.routes.policies.apiKey.location.header.name
No description for this field.
binds.listeners.routes.policies.apiKey.location.header.prefix
No description for this field.
binds.listeners.routes.policies.extAuthz
Authenticate incoming requests by calling an external authorization server.
binds.listeners.routes.policies.extAuthz.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.routes.policies.extAuthz.conditional.service
No description for this field.
binds.listeners.routes.policies.extAuthz.conditional.service.name
No description for this field.
binds.listeners.routes.policies.extAuthz.conditional.service.name.namespace
No description for this field.
binds.listeners.routes.policies.extAuthz.conditional.service.name.hostname
No description for this field.
binds.listeners.routes.policies.extAuthz.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.routes.policies.extProc
Extend agentgateway with an external processor
binds.listeners.routes.policies.extProc.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.routes.policies.extProc.conditional.service
No description for this field.
binds.listeners.routes.policies.extProc.conditional.service.name
No description for this field.
binds.listeners.routes.policies.extProc.conditional.service.name.namespace
No description for this field.
binds.listeners.routes.policies.extProc.conditional.service.name.hostname
No description for this field.
binds.listeners.routes.policies.extProc.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.routes.policies.transformations
Modify requests and responses
binds.listeners.routes.policies.transformations.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.routes.policies.transformations.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
binds.listeners.routes.policies.transformations.conditional.request
No description for this field.
binds.listeners.routes.policies.transformations.conditional.request.add
No description for this field.
Validation
Default{}
binds.listeners.routes.policies.transformations.conditional.request.set
No description for this field.
Validation
Default{}
binds.listeners.routes.policies.transformations.conditional.request.remove
No description for this field.
Validation
Default[]
binds.listeners.routes.policies.transformations.conditional.request.body
No description for this field.
Validation
Defaultnull
binds.listeners.routes.policies.transformations.conditional.request.metadata
No description for this field.
Validation
Default{}
binds.listeners.routes.policies.transformations.conditional.response
No description for this field.
binds.listeners.routes.policies.transformations.conditional.response.add
No description for this field.
Validation
Default{}
binds.listeners.routes.policies.transformations.conditional.response.set
No description for this field.
Validation
Default{}
binds.listeners.routes.policies.transformations.conditional.response.remove
No description for this field.
Validation
Default[]
binds.listeners.routes.policies.transformations.conditional.response.body
No description for this field.
Validation
Defaultnull
binds.listeners.routes.policies.transformations.conditional.response.metadata
No description for this field.
Validation
Default{}
binds.listeners.routes.policies.csrf
Handle CSRF protection by validating request origins against configured allowed origins.
Validation
Defaultnull
binds.listeners.routes.policies.csrf.additionalOrigins
No description for this field.
Validation
Default[]
Unique itemstrue
binds.listeners.routes.policies.timeout
Timeout requests that exceed the configured duration.
Validation
Defaultnull
binds.listeners.routes.policies.timeout.requestTimeout
No description for this field.
binds.listeners.routes.policies.timeout.backendRequestTimeout
No description for this field.
binds.listeners.routes.policies.retry
Retry matching requests.
Validation
Defaultnull
binds.listeners.routes.policies.retry.attempts
No description for this field.
Validation
Default1
Formatuint8
Minimum1
Maximum255
binds.listeners.routes.policies.retry.backoff
No description for this field.
binds.listeners.routes.policies.retry.codes
No description for this field.
binds.listeners.routes.backends
No description for this field.
binds.listeners.routes.backends.service
No description for this field.
binds.listeners.routes.backends.service.name
No description for this field.
binds.listeners.routes.backends.service.name.namespace
No description for this field.
binds.listeners.routes.backends.service.name.hostname
No description for this field.
binds.listeners.routes.backends.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.tcpRoutes
No description for this field.
binds.listeners.tcpRoutes.name
No description for this field.
Validation
Defaultnull
binds.listeners.tcpRoutes.namespace
No description for this field.
Validation
Defaultnull
binds.listeners.tcpRoutes.ruleName
No description for this field.
Validation
Defaultnull
binds.listeners.tcpRoutes.hostnames
Can be a wildcard
binds.listeners.tcpRoutes.policies
No description for this field.
binds.listeners.tcpRoutes.policies.backendTLS
No description for this field.
binds.listeners.tcpRoutes.policies.backendTLS.cert
No description for this field.
binds.listeners.tcpRoutes.policies.backendTLS.key
No description for this field.
binds.listeners.tcpRoutes.policies.backendTLS.root
No description for this field.
binds.listeners.tcpRoutes.policies.backendTLS.hostname
No description for this field.
binds.listeners.tcpRoutes.policies.backendTLS.insecure
No description for this field.
Validation
Defaultfalse
binds.listeners.tcpRoutes.policies.backendTLS.insecureHost
No description for this field.
Validation
Defaultfalse
binds.listeners.tcpRoutes.policies.backendTLS.alpn
No description for this field.
Validation
Defaultnull
binds.listeners.tcpRoutes.policies.backendTLS.subjectAltNames
No description for this field.
Validation
Defaultnull
binds.listeners.tcpRoutes.policies.backendTLS.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
Validation
Defaultnull
binds.listeners.tcpRoutes.backends
No description for this field.
binds.listeners.tcpRoutes.backends.service
No description for this field.
binds.listeners.tcpRoutes.backends.service.name
No description for this field.
binds.listeners.tcpRoutes.backends.service.name.namespace
No description for this field.
binds.listeners.tcpRoutes.backends.service.name.hostname
No description for this field.
binds.listeners.tcpRoutes.backends.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.policies
No description for this field.
binds.listeners.policies.oidc
Authenticate incoming browser requests with OIDC authorization code flow.
binds.listeners.policies.oidc.issuer
Issuer used for discovery and ID token validation.
binds.listeners.policies.oidc.discovery
Optional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.binds.listeners.policies.oidc.discovery.file
No description for this field.
binds.listeners.policies.oidc.authorizationEndpoint
Authorization endpoint used to start the browser login flow.
Validation
Defaultnull
binds.listeners.policies.oidc.tokenEndpoint
Token endpoint used to exchange the authorization code.
Validation
Defaultnull
binds.listeners.policies.oidc.tokenEndpointAuth
Token endpoint client authentication method for explicit provider configuration.
Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.Validation
EnumclientSecretBasic, clientSecretPost
Defaultnull
binds.listeners.policies.oidc.jwks
JWKS source used to validate returned ID tokens.
binds.listeners.policies.oidc.jwks.file
No description for this field.
binds.listeners.policies.oidc.clientId
OAuth2 client identifier used for authorization and token exchange.
binds.listeners.policies.oidc.clientSecret
OAuth2 client secret used for token exchange.
binds.listeners.policies.oidc.redirectURI
Absolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
binds.listeners.policies.oidc.scopes
Additional OAuth2 scopes to request.
openid is always included.Validation
Default[]
binds.listeners.policies.jwtAuth
Authenticate incoming JWT requests.
binds.listeners.policies.jwtAuth.mode
A valid token, issued by a configured issuer, must be present.
Validation
Conststrict
Defaultoptional
binds.listeners.policies.jwtAuth.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
binds.listeners.policies.jwtAuth.location.header
No description for this field.
binds.listeners.policies.jwtAuth.location.header.name
No description for this field.
binds.listeners.policies.jwtAuth.location.header.prefix
No description for this field.
binds.listeners.policies.jwtAuth.providers
No description for this field.
binds.listeners.policies.jwtAuth.providers.issuer
No description for this field.
binds.listeners.policies.jwtAuth.providers.audiences
No description for this field.
binds.listeners.policies.jwtAuth.providers.jwks
No description for this field.
binds.listeners.policies.jwtAuth.providers.jwks.file
No description for this field.
binds.listeners.policies.jwtAuth.providers.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].binds.listeners.policies.jwtAuth.providers.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
binds.listeners.policies.extAuthz
Authenticate incoming requests by calling an external authorization server.
binds.listeners.policies.extAuthz.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.policies.extAuthz.conditional.service
No description for this field.
binds.listeners.policies.extAuthz.conditional.service.name
No description for this field.
binds.listeners.policies.extAuthz.conditional.service.name.namespace
No description for this field.
binds.listeners.policies.extAuthz.conditional.service.name.hostname
No description for this field.
binds.listeners.policies.extAuthz.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.policies.extProc
Extend agentgateway with an external processor
binds.listeners.policies.extProc.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.policies.extProc.conditional.service
No description for this field.
binds.listeners.policies.extProc.conditional.service.name
No description for this field.
binds.listeners.policies.extProc.conditional.service.name.namespace
No description for this field.
binds.listeners.policies.extProc.conditional.service.name.hostname
No description for this field.
binds.listeners.policies.extProc.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
binds.listeners.policies.transformations
Modify requests and responses
binds.listeners.policies.transformations.conditional
conditional policy entries. An entry without a condition must be the final fallback.
binds.listeners.policies.transformations.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
binds.listeners.policies.transformations.conditional.request
No description for this field.
binds.listeners.policies.transformations.conditional.request.add
No description for this field.
Validation
Default{}
binds.listeners.policies.transformations.conditional.request.set
No description for this field.
Validation
Default{}
binds.listeners.policies.transformations.conditional.request.remove
No description for this field.
Validation
Default[]
binds.listeners.policies.transformations.conditional.request.body
No description for this field.
Validation
Defaultnull
binds.listeners.policies.transformations.conditional.request.metadata
No description for this field.
Validation
Default{}
binds.listeners.policies.transformations.conditional.response
No description for this field.
binds.listeners.policies.transformations.conditional.response.add
No description for this field.
Validation
Default{}
binds.listeners.policies.transformations.conditional.response.set
No description for this field.
Validation
Default{}
binds.listeners.policies.transformations.conditional.response.remove
No description for this field.
Validation
Default[]
binds.listeners.policies.transformations.conditional.response.body
No description for this field.
Validation
Defaultnull
binds.listeners.policies.transformations.conditional.response.metadata
No description for this field.
Validation
Default{}
binds.listeners.policies.basicAuth
Authenticate incoming requests using Basic Authentication with htpasswd.
binds.listeners.policies.basicAuth.htpasswd
.htpasswd file contents/reference
binds.listeners.policies.basicAuth.htpasswd.file
No description for this field.
binds.listeners.policies.basicAuth.realm
Realm name for the WWW-Authenticate header
Validation
Defaultnull
binds.listeners.policies.basicAuth.mode
Validation mode for basic authentication
Validation
Conststrict
Defaultoptional
binds.listeners.policies.basicAuth.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Basic "}}
binds.listeners.policies.basicAuth.authorizationLocation.header
No description for this field.
binds.listeners.policies.basicAuth.authorizationLocation.header.name
No description for this field.
binds.listeners.policies.basicAuth.authorizationLocation.header.prefix
No description for this field.
binds.listeners.policies.apiKey
Authenticate incoming requests using API Keys
binds.listeners.policies.apiKey.keys
List of API keys
binds.listeners.policies.apiKey.keys.key
No description for this field.
binds.listeners.policies.apiKey.keys.metadata
No description for this field.
binds.listeners.policies.apiKey.mode
Validation mode for API keys
Validation
Conststrict
Defaultoptional
binds.listeners.policies.apiKey.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
binds.listeners.policies.apiKey.location.header
No description for this field.
binds.listeners.policies.apiKey.location.header.name
No description for this field.
binds.listeners.policies.apiKey.location.header.prefix
No description for this field.
binds.tunnelProtocol
No description for this field.
Validation
Enumdirect, hboneWaypoint, hboneGateway, proxy
Defaultdirect
llm
No description for this field.
llm.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
llm.models
models defines the set of models that can be served by this gateway. The model name refers to the
model in the users request that is matched; the model sent to the actual LLM can be overridden
on a per-model basis.
model in the users request that is matched; the model sent to the actual LLM can be overridden
on a per-model basis.
llm.models.name
name is the name of the model we are matching from a users request. If params.model is set, that
will be used in the request to the LLM provider. If not, the incoming model is used.
will be used in the request to the LLM provider. If not, the incoming model is used.
llm.models.params
params customizes parameters for the outgoing request
llm.models.params.model
The model to send to the provider.
If unset, the same model will be used from the request.
If unset, the same model will be used from the request.
Validation
Defaultnull
llm.models.params.apiKey
An API key to attach to the request.
If unset this will be automatically detected from the environment.
If unset this will be automatically detected from the environment.
llm.models.params.apiKey.file
No description for this field.
llm.models.params.awsRegion
No description for this field.
llm.models.params.vertexRegion
No description for this field.
llm.models.params.vertexProject
No description for this field.
llm.models.params.azureResourceName
For Azure: the resource name of the deployment
llm.models.params.azureResourceType
For Azure: the type of Azure endpoint (openAI or foundry)
Validation
ConstopenAI
llm.models.params.azureApiVersion
For Azure: the API version to use
llm.models.params.azureProjectName
For Azure: the Foundry project name (required for foundry resource type)
llm.models.params.baseUrl
Base URL for the upstream provider. Expands to hostOverride, pathPrefix, and tls for https URLs.
Validation
Defaultnull
llm.models.params.hostOverride
Override the upstream host for this provider.
Validation
Defaultnull
llm.models.params.pathOverride
Override the upstream path for this provider.
Validation
Defaultnull
llm.models.params.pathPrefix
Override the default base path prefix for this provider.
Validation
Defaultnull
llm.models.params.tokenize
Whether to tokenize the request before forwarding it upstream.
Validation
Defaultfalse
llm.models.provider
provider of the LLM we are connecting too
llm.models.provider.custom
No description for this field.
llm.models.provider.custom.model
No description for this field.
llm.models.provider.custom.formats
No description for this field.
llm.models.provider.custom.formats.type
No description for this field.
Validation
Enumcompletions, messages, responses, embeddings, anthropicTokenCount, realtime
llm.models.provider.custom.formats.path
No description for this field.
llm.models.defaults
defaults allows setting default values for the request. If these are not present in the request body, they will be set.
To override even when set, use
To override even when set, use
overrides.llm.models.overrides
overrides allows setting values for the request, overriding any existing values
llm.models.transformation
transformation allows setting values from CEL expressions for the request, overriding any existing values.
llm.models.requestHeaders
requestHeaders modifies headers in requests to the LLM provider.
Validation
Defaultnull
llm.models.requestHeaders.add
No description for this field.
llm.models.requestHeaders.set
No description for this field.
llm.models.requestHeaders.remove
No description for this field.
llm.models.responseHeaders
responseHeaders modifies headers in responses from the LLM provider.
Validation
Defaultnull
llm.models.responseHeaders.add
No description for this field.
llm.models.responseHeaders.set
No description for this field.
llm.models.responseHeaders.remove
No description for this field.
llm.models.tls
tls configures TLS when connecting to the LLM provider.
llm.models.tls.cert
No description for this field.
llm.models.tls.key
No description for this field.
llm.models.tls.root
No description for this field.
llm.models.tls.hostname
No description for this field.
llm.models.tls.insecure
No description for this field.
Validation
Defaultfalse
llm.models.tls.insecureHost
No description for this field.
Validation
Defaultfalse
llm.models.tls.alpn
No description for this field.
Validation
Defaultnull
llm.models.tls.subjectAltNames
No description for this field.
Validation
Defaultnull
llm.models.tls.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
Validation
Defaultnull
llm.models.auth
auth configures authentication when connecting to the LLM provider.
Validation
Defaultnull
llm.models.auth.passthrough
No description for this field.
llm.models.auth.passthrough.location
No description for this field.
llm.models.auth.passthrough.location.header
No description for this field.
llm.models.auth.passthrough.location.header.name
No description for this field.
llm.models.auth.passthrough.location.header.prefix
No description for this field.
llm.models.health
health configures outlier detection for this model backend.
llm.models.health.unhealthyExpression
CEL expression;
When unset, any 5xx or connection failure is treated as unhealthy.
true means unhealthy (evict). E.g. response.code >= 500.When unset, any 5xx or connection failure is treated as unhealthy.
llm.models.health.eviction
Local/config eviction sub-policy with duration as string; mirrors
Eviction.llm.models.health.eviction.duration
No description for this field.
llm.models.health.eviction.restoreHealth
No description for this field.
Validation
Formatdouble
llm.models.health.eviction.consecutiveFailures
No description for this field.
Validation
Formatint32
llm.models.health.eviction.healthThreshold
No description for this field.
Validation
Formatdouble
llm.models.backendTunnel
backendTunnel configures tunneling when connecting to the LLM provider.
Validation
Defaultnull
llm.models.backendTunnel.proxy
Reference to the proxy address
llm.models.backendTunnel.proxy.service
No description for this field.
llm.models.backendTunnel.proxy.service.name
No description for this field.
llm.models.backendTunnel.proxy.service.name.namespace
No description for this field.
llm.models.backendTunnel.proxy.service.name.hostname
No description for this field.
llm.models.backendTunnel.proxy.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
llm.models.guardrails
guardrails to apply to the request or response
llm.models.guardrails.request
No description for this field.
llm.models.guardrails.request.regex
No description for this field.
llm.models.guardrails.request.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
llm.models.guardrails.request.regex.rules
No description for this field.
llm.models.guardrails.request.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
llm.models.guardrails.response
No description for this field.
llm.models.guardrails.response.regex
No description for this field.
llm.models.guardrails.response.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
llm.models.guardrails.response.regex.rules
No description for this field.
llm.models.guardrails.response.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
llm.models.matches
matches specifies the conditions under which this model should be used in addition to matching the model name.
llm.models.matches.headers
No description for this field.
llm.models.matches.headers.name
No description for this field.
llm.models.matches.headers.value
No description for this field.
llm.models.matches.headers.value.exact
No description for this field.
llm.policies
policies defines policies for handling incoming requests, before a model is selected
llm.policies.oidc
Authenticate incoming browser requests with OIDC authorization code flow.
llm.policies.oidc.issuer
Issuer used for discovery and ID token validation.
llm.policies.oidc.discovery
Optional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.llm.policies.oidc.discovery.file
No description for this field.
llm.policies.oidc.authorizationEndpoint
Authorization endpoint used to start the browser login flow.
Validation
Defaultnull
llm.policies.oidc.tokenEndpoint
Token endpoint used to exchange the authorization code.
Validation
Defaultnull
llm.policies.oidc.tokenEndpointAuth
Token endpoint client authentication method for explicit provider configuration.
Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.Validation
EnumclientSecretBasic, clientSecretPost
Defaultnull
llm.policies.oidc.jwks
JWKS source used to validate returned ID tokens.
llm.policies.oidc.jwks.file
No description for this field.
llm.policies.oidc.clientId
OAuth2 client identifier used for authorization and token exchange.
llm.policies.oidc.clientSecret
OAuth2 client secret used for token exchange.
llm.policies.oidc.redirectURI
Absolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
llm.policies.oidc.scopes
Additional OAuth2 scopes to request.
openid is always included.Validation
Default[]
llm.policies.jwtAuth
Authenticate incoming JWT requests.
llm.policies.jwtAuth.mode
A valid token, issued by a configured issuer, must be present.
Validation
Conststrict
Defaultoptional
llm.policies.jwtAuth.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
llm.policies.jwtAuth.location.header
No description for this field.
llm.policies.jwtAuth.location.header.name
No description for this field.
llm.policies.jwtAuth.location.header.prefix
No description for this field.
llm.policies.jwtAuth.providers
No description for this field.
llm.policies.jwtAuth.providers.issuer
No description for this field.
llm.policies.jwtAuth.providers.audiences
No description for this field.
llm.policies.jwtAuth.providers.jwks
No description for this field.
llm.policies.jwtAuth.providers.jwks.file
No description for this field.
llm.policies.jwtAuth.providers.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].llm.policies.jwtAuth.providers.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
llm.policies.extAuthz
Authenticate incoming requests by calling an external authorization server.
llm.policies.extAuthz.conditional
conditional policy entries. An entry without a condition must be the final fallback.
llm.policies.extAuthz.conditional.service
No description for this field.
llm.policies.extAuthz.conditional.service.name
No description for this field.
llm.policies.extAuthz.conditional.service.name.namespace
No description for this field.
llm.policies.extAuthz.conditional.service.name.hostname
No description for this field.
llm.policies.extAuthz.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
llm.policies.extProc
Extend agentgateway with an external processor
llm.policies.extProc.conditional
conditional policy entries. An entry without a condition must be the final fallback.
llm.policies.extProc.conditional.service
No description for this field.
llm.policies.extProc.conditional.service.name
No description for this field.
llm.policies.extProc.conditional.service.name.namespace
No description for this field.
llm.policies.extProc.conditional.service.name.hostname
No description for this field.
llm.policies.extProc.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
llm.policies.transformations
Modify requests and responses
llm.policies.transformations.conditional
conditional policy entries. An entry without a condition must be the final fallback.
llm.policies.transformations.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
llm.policies.transformations.conditional.request
No description for this field.
llm.policies.transformations.conditional.request.add
No description for this field.
Validation
Default{}
llm.policies.transformations.conditional.request.set
No description for this field.
Validation
Default{}
llm.policies.transformations.conditional.request.remove
No description for this field.
Validation
Default[]
llm.policies.transformations.conditional.request.body
No description for this field.
Validation
Defaultnull
llm.policies.transformations.conditional.request.metadata
No description for this field.
Validation
Default{}
llm.policies.transformations.conditional.response
No description for this field.
llm.policies.transformations.conditional.response.add
No description for this field.
Validation
Default{}
llm.policies.transformations.conditional.response.set
No description for this field.
Validation
Default{}
llm.policies.transformations.conditional.response.remove
No description for this field.
Validation
Default[]
llm.policies.transformations.conditional.response.body
No description for this field.
Validation
Defaultnull
llm.policies.transformations.conditional.response.metadata
No description for this field.
Validation
Default{}
llm.policies.basicAuth
Authenticate incoming requests using Basic Authentication with htpasswd.
llm.policies.basicAuth.htpasswd
.htpasswd file contents/reference
llm.policies.basicAuth.htpasswd.file
No description for this field.
llm.policies.basicAuth.realm
Realm name for the WWW-Authenticate header
Validation
Defaultnull
llm.policies.basicAuth.mode
Validation mode for basic authentication
Validation
Conststrict
Defaultoptional
llm.policies.basicAuth.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Basic "}}
llm.policies.basicAuth.authorizationLocation.header
No description for this field.
llm.policies.basicAuth.authorizationLocation.header.name
No description for this field.
llm.policies.basicAuth.authorizationLocation.header.prefix
No description for this field.
llm.policies.apiKey
Authenticate incoming requests using API Keys
llm.policies.apiKey.keys
List of API keys
llm.policies.apiKey.keys.key
No description for this field.
llm.policies.apiKey.keys.metadata
No description for this field.
llm.policies.apiKey.mode
Validation mode for API keys
Validation
Conststrict
Defaultoptional
llm.policies.apiKey.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
llm.policies.apiKey.location.header
No description for this field.
llm.policies.apiKey.location.header.name
No description for this field.
llm.policies.apiKey.location.header.prefix
No description for this field.
llm.policies.authorization
Authorization policies for HTTP access.
Validation
Defaultnull
llm.policies.authorization.rules
No description for this field.
llm.policies.localRateLimit
Rate limit incoming requests. State is kept local.
Validation
Default[]
llm.policies.localRateLimit.maxTokens
No description for this field.
Validation
Default0
Formatuint64
Minimum0
llm.policies.localRateLimit.tokensPerFill
No description for this field.
Validation
Default0
Formatuint64
Minimum0
llm.policies.localRateLimit.fillInterval
No description for this field.
llm.policies.localRateLimit.type
No description for this field.
Validation
Enumrequests, tokens
Defaultrequests
llm.policies.remoteRateLimit
Rate limit incoming requests. State is managed by a remote server.
Validation
Defaultnull
llm.policies.remoteRateLimit.service
No description for this field.
llm.policies.remoteRateLimit.service.name
No description for this field.
llm.policies.remoteRateLimit.service.name.namespace
No description for this field.
llm.policies.remoteRateLimit.service.name.hostname
No description for this field.
llm.policies.remoteRateLimit.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp
No description for this field.
mcp.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp.targets
No description for this field.
mcp.targets.sse
No description for this field.
mcp.targets.sse.host
No description for this field.
mcp.targets.sse.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp.targets.sse.path
No description for this field.
mcp.targets.sse.backend
No description for this field.
mcp.statefulMode
No description for this field.
Validation
Enumstateless, stateful
mcp.prefixMode
No description for this field.
Validation
Enumalways, conditional
mcp.failureMode
Behavior when one or more MCP targets fail to initialize or fail during fanout.
Defaults to
Defaults to
failClosed.Validation
ConstfailClosed
mcp.policies
No description for this field.
mcp.policies.requestHeaderModifier
Headers to be modified in the request.
Validation
Defaultnull
mcp.policies.requestHeaderModifier.add
No description for this field.
mcp.policies.requestHeaderModifier.set
No description for this field.
mcp.policies.requestHeaderModifier.remove
No description for this field.
mcp.policies.responseHeaderModifier
Headers to be modified in the response.
Validation
Defaultnull
mcp.policies.responseHeaderModifier.add
No description for this field.
mcp.policies.responseHeaderModifier.set
No description for this field.
mcp.policies.responseHeaderModifier.remove
No description for this field.
mcp.policies.requestRedirect
Directly respond to the request with a redirect.
Validation
Defaultnull
mcp.policies.requestRedirect.scheme
No description for this field.
mcp.policies.requestRedirect.authority
No description for this field.
mcp.policies.requestRedirect.authority.full
No description for this field.
mcp.policies.requestRedirect.path
No description for this field.
mcp.policies.requestRedirect.path.full
No description for this field.
mcp.policies.requestRedirect.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
mcp.policies.urlRewrite
Modify the URL path or authority.
Validation
Defaultnull
mcp.policies.urlRewrite.authority
No description for this field.
mcp.policies.urlRewrite.authority.full
No description for this field.
mcp.policies.urlRewrite.path
No description for this field.
mcp.policies.urlRewrite.path.full
No description for this field.
mcp.policies.requestMirror
Mirror incoming requests to another destination.
Validation
Defaultnull
mcp.policies.requestMirror.backend
Service reference. Service must be defined in the top level services list.
mcp.policies.requestMirror.backend.service
No description for this field.
mcp.policies.requestMirror.backend.service.name
No description for this field.
mcp.policies.requestMirror.backend.service.name.namespace
No description for this field.
mcp.policies.requestMirror.backend.service.name.hostname
No description for this field.
mcp.policies.requestMirror.backend.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp.policies.requestMirror.percentage
No description for this field.
Validation
Formatdouble
mcp.policies.directResponse
Directly respond to the request with a static response.
mcp.policies.directResponse.conditional
conditional policy entries. An entry without a condition must be the final fallback.
mcp.policies.directResponse.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
mcp.policies.directResponse.conditional.body
No description for this field.
mcp.policies.directResponse.conditional.bodyExpression
No description for this field.
mcp.policies.directResponse.conditional.headers
No description for this field.
mcp.policies.directResponse.conditional.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
mcp.policies.cors
Handle CORS preflight requests and append configured CORS headers to applicable requests.
Validation
Defaultnull
mcp.policies.cors.allowCredentials
No description for this field.
Validation
Defaultfalse
mcp.policies.cors.allowHeaders
No description for this field.
Validation
Default[]
mcp.policies.cors.allowMethods
No description for this field.
Validation
Default[]
mcp.policies.cors.allowOrigins
No description for this field.
Validation
Default[]
mcp.policies.cors.exposeHeaders
No description for this field.
Validation
Default[]
mcp.policies.cors.maxAge
No description for this field.
Validation
Defaultnull
mcp.policies.mcpAuthorization
Authorization policies for MCP access.
Validation
Defaultnull
mcp.policies.mcpAuthorization.rules
No description for this field.
mcp.policies.authorization
Authorization policies for HTTP access.
Validation
Defaultnull
mcp.policies.authorization.rules
No description for this field.
mcp.policies.mcpAuthentication
Authentication for MCP clients.
mcp.policies.mcpAuthentication.issuer
No description for this field.
mcp.policies.mcpAuthentication.audiences
No description for this field.
mcp.policies.mcpAuthentication.provider
No description for this field.
mcp.policies.mcpAuthentication.provider.auth0
No description for this field.
mcp.policies.mcpAuthentication.resourceMetadata
No description for this field.
mcp.policies.mcpAuthentication.jwks
No description for this field.
mcp.policies.mcpAuthentication.jwks.file
No description for this field.
mcp.policies.mcpAuthentication.mode
A valid token, issued by a configured issuer, must be present.
This is the default option.
This is the default option.
Validation
Conststrict
Defaultstrict
mcp.policies.mcpAuthentication.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
mcp.policies.mcpAuthentication.authorizationLocation.header
No description for this field.
mcp.policies.mcpAuthentication.authorizationLocation.header.name
No description for this field.
mcp.policies.mcpAuthentication.authorizationLocation.header.prefix
No description for this field.
mcp.policies.mcpAuthentication.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].mcp.policies.mcpAuthentication.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
mcp.policies.mcpAuthentication.clientId
No description for this field.
mcp.policies.a2a
Mark this traffic as A2A to enable A2A processing and telemetry.
Validation
Defaultnull
mcp.policies.ai
Mark this as LLM traffic to enable LLM processing.
Validation
Defaultnull
mcp.policies.ai.promptGuard
No description for this field.
mcp.policies.ai.promptGuard.request
No description for this field.
mcp.policies.ai.promptGuard.request.regex
No description for this field.
mcp.policies.ai.promptGuard.request.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
mcp.policies.ai.promptGuard.request.regex.rules
No description for this field.
mcp.policies.ai.promptGuard.request.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
mcp.policies.ai.promptGuard.response
No description for this field.
mcp.policies.ai.promptGuard.response.regex
No description for this field.
mcp.policies.ai.promptGuard.response.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
mcp.policies.ai.promptGuard.response.regex.rules
No description for this field.
mcp.policies.ai.promptGuard.response.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
mcp.policies.ai.defaults
No description for this field.
mcp.policies.ai.overrides
No description for this field.
mcp.policies.ai.transformations
No description for this field.
mcp.policies.ai.prompts
No description for this field.
Validation
Min properties1
mcp.policies.ai.prompts.append
No description for this field.
mcp.policies.ai.prompts.append.role
No description for this field.
mcp.policies.ai.prompts.append.content
No description for this field.
mcp.policies.ai.prompts.prepend
No description for this field.
mcp.policies.ai.prompts.prepend.role
No description for this field.
mcp.policies.ai.prompts.prepend.content
No description for this field.
mcp.policies.ai.modelAliases
No description for this field.
mcp.policies.ai.promptCaching
No description for this field.
mcp.policies.ai.promptCaching.cacheSystem
No description for this field.
Validation
Defaulttrue
mcp.policies.ai.promptCaching.cacheMessages
No description for this field.
Validation
Defaulttrue
mcp.policies.ai.promptCaching.cacheTools
No description for this field.
Validation
Defaultfalse
mcp.policies.ai.promptCaching.minTokens
No description for this field.
Validation
Default1024
Formatuint
Minimum0
mcp.policies.ai.promptCaching.cacheMessageOffset
No description for this field.
Validation
Default0
Formatuint
Minimum0
mcp.policies.ai.routes
No description for this field.
mcp.policies.backendTLS
Send TLS to the backend.
mcp.policies.backendTLS.cert
No description for this field.
mcp.policies.backendTLS.key
No description for this field.
mcp.policies.backendTLS.root
No description for this field.
mcp.policies.backendTLS.hostname
No description for this field.
mcp.policies.backendTLS.insecure
No description for this field.
Validation
Defaultfalse
mcp.policies.backendTLS.insecureHost
No description for this field.
Validation
Defaultfalse
mcp.policies.backendTLS.alpn
No description for this field.
Validation
Defaultnull
mcp.policies.backendTLS.subjectAltNames
No description for this field.
Validation
Defaultnull
mcp.policies.backendTLS.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
Validation
Defaultnull
mcp.policies.backendTunnel
Tunnel to the backend.
Validation
Defaultnull
mcp.policies.backendTunnel.proxy
Reference to the proxy address
mcp.policies.backendTunnel.proxy.service
No description for this field.
mcp.policies.backendTunnel.proxy.service.name
No description for this field.
mcp.policies.backendTunnel.proxy.service.name.namespace
No description for this field.
mcp.policies.backendTunnel.proxy.service.name.hostname
No description for this field.
mcp.policies.backendTunnel.proxy.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp.policies.backendAuth
Authenticate to the backend.
Validation
Defaultnull
mcp.policies.backendAuth.passthrough
No description for this field.
mcp.policies.backendAuth.passthrough.location
No description for this field.
mcp.policies.backendAuth.passthrough.location.header
No description for this field.
mcp.policies.backendAuth.passthrough.location.header.name
No description for this field.
mcp.policies.backendAuth.passthrough.location.header.prefix
No description for this field.
mcp.policies.localRateLimit
Rate limit incoming requests. State is kept local.
mcp.policies.localRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
mcp.policies.localRateLimit.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
mcp.policies.localRateLimit.conditional.maxTokens
No description for this field.
Validation
Default0
Formatuint64
Minimum0
mcp.policies.localRateLimit.conditional.tokensPerFill
No description for this field.
Validation
Default0
Formatuint64
Minimum0
mcp.policies.localRateLimit.conditional.fillInterval
No description for this field.
mcp.policies.localRateLimit.conditional.type
No description for this field.
Validation
Enumrequests, tokens
Defaultrequests
mcp.policies.remoteRateLimit
Rate limit incoming requests. State is managed by a remote server.
mcp.policies.remoteRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
mcp.policies.remoteRateLimit.conditional.service
No description for this field.
mcp.policies.remoteRateLimit.conditional.service.name
No description for this field.
mcp.policies.remoteRateLimit.conditional.service.name.namespace
No description for this field.
mcp.policies.remoteRateLimit.conditional.service.name.hostname
No description for this field.
mcp.policies.remoteRateLimit.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp.policies.jwtAuth
Authenticate incoming JWT requests.
mcp.policies.jwtAuth.mode
A valid token, issued by a configured issuer, must be present.
Validation
Conststrict
Defaultoptional
mcp.policies.jwtAuth.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
mcp.policies.jwtAuth.location.header
No description for this field.
mcp.policies.jwtAuth.location.header.name
No description for this field.
mcp.policies.jwtAuth.location.header.prefix
No description for this field.
mcp.policies.jwtAuth.providers
No description for this field.
mcp.policies.jwtAuth.providers.issuer
No description for this field.
mcp.policies.jwtAuth.providers.audiences
No description for this field.
mcp.policies.jwtAuth.providers.jwks
No description for this field.
mcp.policies.jwtAuth.providers.jwks.file
No description for this field.
mcp.policies.jwtAuth.providers.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].mcp.policies.jwtAuth.providers.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
mcp.policies.oidc
Authenticate incoming browser requests with OIDC authorization code flow.
mcp.policies.oidc.issuer
Issuer used for discovery and ID token validation.
mcp.policies.oidc.discovery
Optional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.mcp.policies.oidc.discovery.file
No description for this field.
mcp.policies.oidc.authorizationEndpoint
Authorization endpoint used to start the browser login flow.
Validation
Defaultnull
mcp.policies.oidc.tokenEndpoint
Token endpoint used to exchange the authorization code.
Validation
Defaultnull
mcp.policies.oidc.tokenEndpointAuth
Token endpoint client authentication method for explicit provider configuration.
Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.Validation
EnumclientSecretBasic, clientSecretPost
Defaultnull
mcp.policies.oidc.jwks
JWKS source used to validate returned ID tokens.
mcp.policies.oidc.jwks.file
No description for this field.
mcp.policies.oidc.clientId
OAuth2 client identifier used for authorization and token exchange.
mcp.policies.oidc.clientSecret
OAuth2 client secret used for token exchange.
mcp.policies.oidc.redirectURI
Absolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
mcp.policies.oidc.scopes
Additional OAuth2 scopes to request.
openid is always included.Validation
Default[]
mcp.policies.basicAuth
Authenticate incoming requests using Basic Authentication with htpasswd.
mcp.policies.basicAuth.htpasswd
.htpasswd file contents/reference
mcp.policies.basicAuth.htpasswd.file
No description for this field.
mcp.policies.basicAuth.realm
Realm name for the WWW-Authenticate header
Validation
Defaultnull
mcp.policies.basicAuth.mode
Validation mode for basic authentication
Validation
Conststrict
Defaultoptional
mcp.policies.basicAuth.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Basic "}}
mcp.policies.basicAuth.authorizationLocation.header
No description for this field.
mcp.policies.basicAuth.authorizationLocation.header.name
No description for this field.
mcp.policies.basicAuth.authorizationLocation.header.prefix
No description for this field.
mcp.policies.apiKey
Authenticate incoming requests using API Keys
mcp.policies.apiKey.keys
List of API keys
mcp.policies.apiKey.keys.key
No description for this field.
mcp.policies.apiKey.keys.metadata
No description for this field.
mcp.policies.apiKey.mode
Validation mode for API keys
Validation
Conststrict
Defaultoptional
mcp.policies.apiKey.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
mcp.policies.apiKey.location.header
No description for this field.
mcp.policies.apiKey.location.header.name
No description for this field.
mcp.policies.apiKey.location.header.prefix
No description for this field.
mcp.policies.extAuthz
Authenticate incoming requests by calling an external authorization server.
mcp.policies.extAuthz.conditional
conditional policy entries. An entry without a condition must be the final fallback.
mcp.policies.extAuthz.conditional.service
No description for this field.
mcp.policies.extAuthz.conditional.service.name
No description for this field.
mcp.policies.extAuthz.conditional.service.name.namespace
No description for this field.
mcp.policies.extAuthz.conditional.service.name.hostname
No description for this field.
mcp.policies.extAuthz.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp.policies.extProc
Extend agentgateway with an external processor
mcp.policies.extProc.conditional
conditional policy entries. An entry without a condition must be the final fallback.
mcp.policies.extProc.conditional.service
No description for this field.
mcp.policies.extProc.conditional.service.name
No description for this field.
mcp.policies.extProc.conditional.service.name.namespace
No description for this field.
mcp.policies.extProc.conditional.service.name.hostname
No description for this field.
mcp.policies.extProc.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
mcp.policies.transformations
Modify requests and responses
mcp.policies.transformations.conditional
conditional policy entries. An entry without a condition must be the final fallback.
mcp.policies.transformations.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
mcp.policies.transformations.conditional.request
No description for this field.
mcp.policies.transformations.conditional.request.add
No description for this field.
Validation
Default{}
mcp.policies.transformations.conditional.request.set
No description for this field.
Validation
Default{}
mcp.policies.transformations.conditional.request.remove
No description for this field.
Validation
Default[]
mcp.policies.transformations.conditional.request.body
No description for this field.
Validation
Defaultnull
mcp.policies.transformations.conditional.request.metadata
No description for this field.
Validation
Default{}
mcp.policies.transformations.conditional.response
No description for this field.
mcp.policies.transformations.conditional.response.add
No description for this field.
Validation
Default{}
mcp.policies.transformations.conditional.response.set
No description for this field.
Validation
Default{}
mcp.policies.transformations.conditional.response.remove
No description for this field.
Validation
Default[]
mcp.policies.transformations.conditional.response.body
No description for this field.
Validation
Defaultnull
mcp.policies.transformations.conditional.response.metadata
No description for this field.
Validation
Default{}
mcp.policies.csrf
Handle CSRF protection by validating request origins against configured allowed origins.
Validation
Defaultnull
mcp.policies.csrf.additionalOrigins
No description for this field.
Validation
Default[]
Unique itemstrue
mcp.policies.timeout
Timeout requests that exceed the configured duration.
Validation
Defaultnull
mcp.policies.timeout.requestTimeout
No description for this field.
mcp.policies.timeout.backendRequestTimeout
No description for this field.
mcp.policies.retry
Retry matching requests.
Validation
Defaultnull
mcp.policies.retry.attempts
No description for this field.
Validation
Default1
Formatuint8
Minimum1
Maximum255
mcp.policies.retry.backoff
No description for this field.
mcp.policies.retry.codes
No description for this field.
policies
policies defines additional policies that can be attached to various other configurations.
This is an advanced feature; users should typically use the inline
This is an advanced feature; users should typically use the inline
policies field under route/gateway.policies.name
No description for this field.
policies.name.name
No description for this field.
policies.name.namespace
No description for this field.
policies.target
No description for this field.
policies.target.gateway
No description for this field.
policies.target.gateway.gatewayName
No description for this field.
policies.target.gateway.gatewayNamespace
No description for this field.
policies.target.gateway.listenerName
No description for this field.
policies.target.gateway.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
policies.phase
phase defines at what level the policy runs at. Gateway policies run pre-routing, while
Route policies apply post-routing.
Only a subset of policies are eligible as Gateway policies.
In general, normal (route level) policies should be used, except you need the policy to influence
routing.
Route policies apply post-routing.
Only a subset of policies are eligible as Gateway policies.
In general, normal (route level) policies should be used, except you need the policy to influence
routing.
Validation
Enumroute, gateway
Defaultroute
policies.policy
No description for this field.
policies.policy.requestHeaderModifier
Headers to be modified in the request.
Validation
Defaultnull
policies.policy.requestHeaderModifier.add
No description for this field.
policies.policy.requestHeaderModifier.set
No description for this field.
policies.policy.requestHeaderModifier.remove
No description for this field.
policies.policy.responseHeaderModifier
Headers to be modified in the response.
Validation
Defaultnull
policies.policy.responseHeaderModifier.add
No description for this field.
policies.policy.responseHeaderModifier.set
No description for this field.
policies.policy.responseHeaderModifier.remove
No description for this field.
policies.policy.requestRedirect
Directly respond to the request with a redirect.
Validation
Defaultnull
policies.policy.requestRedirect.scheme
No description for this field.
policies.policy.requestRedirect.authority
No description for this field.
policies.policy.requestRedirect.authority.full
No description for this field.
policies.policy.requestRedirect.path
No description for this field.
policies.policy.requestRedirect.path.full
No description for this field.
policies.policy.requestRedirect.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
policies.policy.urlRewrite
Modify the URL path or authority.
Validation
Defaultnull
policies.policy.urlRewrite.authority
No description for this field.
policies.policy.urlRewrite.authority.full
No description for this field.
policies.policy.urlRewrite.path
No description for this field.
policies.policy.urlRewrite.path.full
No description for this field.
policies.policy.requestMirror
Mirror incoming requests to another destination.
Validation
Defaultnull
policies.policy.requestMirror.backend
Service reference. Service must be defined in the top level services list.
policies.policy.requestMirror.backend.service
No description for this field.
policies.policy.requestMirror.backend.service.name
No description for this field.
policies.policy.requestMirror.backend.service.name.namespace
No description for this field.
policies.policy.requestMirror.backend.service.name.hostname
No description for this field.
policies.policy.requestMirror.backend.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
policies.policy.requestMirror.percentage
No description for this field.
Validation
Formatdouble
policies.policy.directResponse
Directly respond to the request with a static response.
policies.policy.directResponse.conditional
conditional policy entries. An entry without a condition must be the final fallback.
policies.policy.directResponse.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
policies.policy.directResponse.conditional.body
No description for this field.
policies.policy.directResponse.conditional.bodyExpression
No description for this field.
policies.policy.directResponse.conditional.headers
No description for this field.
policies.policy.directResponse.conditional.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
policies.policy.cors
Handle CORS preflight requests and append configured CORS headers to applicable requests.
Validation
Defaultnull
policies.policy.cors.allowCredentials
No description for this field.
Validation
Defaultfalse
policies.policy.cors.allowHeaders
No description for this field.
Validation
Default[]
policies.policy.cors.allowMethods
No description for this field.
Validation
Default[]
policies.policy.cors.allowOrigins
No description for this field.
Validation
Default[]
policies.policy.cors.exposeHeaders
No description for this field.
Validation
Default[]
policies.policy.cors.maxAge
No description for this field.
Validation
Defaultnull
policies.policy.mcpAuthorization
Authorization policies for MCP access.
Validation
Defaultnull
policies.policy.mcpAuthorization.rules
No description for this field.
policies.policy.authorization
Authorization policies for HTTP access.
Validation
Defaultnull
policies.policy.authorization.rules
No description for this field.
policies.policy.mcpAuthentication
Authentication for MCP clients.
policies.policy.mcpAuthentication.issuer
No description for this field.
policies.policy.mcpAuthentication.audiences
No description for this field.
policies.policy.mcpAuthentication.provider
No description for this field.
policies.policy.mcpAuthentication.provider.auth0
No description for this field.
policies.policy.mcpAuthentication.resourceMetadata
No description for this field.
policies.policy.mcpAuthentication.jwks
No description for this field.
policies.policy.mcpAuthentication.jwks.file
No description for this field.
policies.policy.mcpAuthentication.mode
A valid token, issued by a configured issuer, must be present.
This is the default option.
This is the default option.
Validation
Conststrict
Defaultstrict
policies.policy.mcpAuthentication.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
policies.policy.mcpAuthentication.authorizationLocation.header
No description for this field.
policies.policy.mcpAuthentication.authorizationLocation.header.name
No description for this field.
policies.policy.mcpAuthentication.authorizationLocation.header.prefix
No description for this field.
policies.policy.mcpAuthentication.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].policies.policy.mcpAuthentication.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
policies.policy.mcpAuthentication.clientId
No description for this field.
policies.policy.a2a
Mark this traffic as A2A to enable A2A processing and telemetry.
Validation
Defaultnull
policies.policy.ai
Mark this as LLM traffic to enable LLM processing.
Validation
Defaultnull
policies.policy.ai.promptGuard
No description for this field.
policies.policy.ai.promptGuard.request
No description for this field.
policies.policy.ai.promptGuard.request.regex
No description for this field.
policies.policy.ai.promptGuard.request.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
policies.policy.ai.promptGuard.request.regex.rules
No description for this field.
policies.policy.ai.promptGuard.request.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
policies.policy.ai.promptGuard.response
No description for this field.
policies.policy.ai.promptGuard.response.regex
No description for this field.
policies.policy.ai.promptGuard.response.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
policies.policy.ai.promptGuard.response.regex.rules
No description for this field.
policies.policy.ai.promptGuard.response.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
policies.policy.ai.defaults
No description for this field.
policies.policy.ai.overrides
No description for this field.
policies.policy.ai.transformations
No description for this field.
policies.policy.ai.prompts
No description for this field.
Validation
Min properties1
policies.policy.ai.prompts.append
No description for this field.
policies.policy.ai.prompts.append.role
No description for this field.
policies.policy.ai.prompts.append.content
No description for this field.
policies.policy.ai.prompts.prepend
No description for this field.
policies.policy.ai.prompts.prepend.role
No description for this field.
policies.policy.ai.prompts.prepend.content
No description for this field.
policies.policy.ai.modelAliases
No description for this field.
policies.policy.ai.promptCaching
No description for this field.
policies.policy.ai.promptCaching.cacheSystem
No description for this field.
Validation
Defaulttrue
policies.policy.ai.promptCaching.cacheMessages
No description for this field.
Validation
Defaulttrue
policies.policy.ai.promptCaching.cacheTools
No description for this field.
Validation
Defaultfalse
policies.policy.ai.promptCaching.minTokens
No description for this field.
Validation
Default1024
Formatuint
Minimum0
policies.policy.ai.promptCaching.cacheMessageOffset
No description for this field.
Validation
Default0
Formatuint
Minimum0
policies.policy.ai.routes
No description for this field.
policies.policy.backendTLS
Send TLS to the backend.
policies.policy.backendTLS.cert
No description for this field.
policies.policy.backendTLS.key
No description for this field.
policies.policy.backendTLS.root
No description for this field.
policies.policy.backendTLS.hostname
No description for this field.
policies.policy.backendTLS.insecure
No description for this field.
Validation
Defaultfalse
policies.policy.backendTLS.insecureHost
No description for this field.
Validation
Defaultfalse
policies.policy.backendTLS.alpn
No description for this field.
Validation
Defaultnull
policies.policy.backendTLS.subjectAltNames
No description for this field.
Validation
Defaultnull
policies.policy.backendTLS.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
Validation
Defaultnull
policies.policy.backendTunnel
Tunnel to the backend.
Validation
Defaultnull
policies.policy.backendTunnel.proxy
Reference to the proxy address
policies.policy.backendTunnel.proxy.service
No description for this field.
policies.policy.backendTunnel.proxy.service.name
No description for this field.
policies.policy.backendTunnel.proxy.service.name.namespace
No description for this field.
policies.policy.backendTunnel.proxy.service.name.hostname
No description for this field.
policies.policy.backendTunnel.proxy.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
policies.policy.backendAuth
Authenticate to the backend.
Validation
Defaultnull
policies.policy.backendAuth.passthrough
No description for this field.
policies.policy.backendAuth.passthrough.location
No description for this field.
policies.policy.backendAuth.passthrough.location.header
No description for this field.
policies.policy.backendAuth.passthrough.location.header.name
No description for this field.
policies.policy.backendAuth.passthrough.location.header.prefix
No description for this field.
policies.policy.localRateLimit
Rate limit incoming requests. State is kept local.
policies.policy.localRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
policies.policy.localRateLimit.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
policies.policy.localRateLimit.conditional.maxTokens
No description for this field.
Validation
Default0
Formatuint64
Minimum0
policies.policy.localRateLimit.conditional.tokensPerFill
No description for this field.
Validation
Default0
Formatuint64
Minimum0
policies.policy.localRateLimit.conditional.fillInterval
No description for this field.
policies.policy.localRateLimit.conditional.type
No description for this field.
Validation
Enumrequests, tokens
Defaultrequests
policies.policy.remoteRateLimit
Rate limit incoming requests. State is managed by a remote server.
policies.policy.remoteRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
policies.policy.remoteRateLimit.conditional.service
No description for this field.
policies.policy.remoteRateLimit.conditional.service.name
No description for this field.
policies.policy.remoteRateLimit.conditional.service.name.namespace
No description for this field.
policies.policy.remoteRateLimit.conditional.service.name.hostname
No description for this field.
policies.policy.remoteRateLimit.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
policies.policy.jwtAuth
Authenticate incoming JWT requests.
policies.policy.jwtAuth.mode
A valid token, issued by a configured issuer, must be present.
Validation
Conststrict
Defaultoptional
policies.policy.jwtAuth.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
policies.policy.jwtAuth.location.header
No description for this field.
policies.policy.jwtAuth.location.header.name
No description for this field.
policies.policy.jwtAuth.location.header.prefix
No description for this field.
policies.policy.jwtAuth.providers
No description for this field.
policies.policy.jwtAuth.providers.issuer
No description for this field.
policies.policy.jwtAuth.providers.audiences
No description for this field.
policies.policy.jwtAuth.providers.jwks
No description for this field.
policies.policy.jwtAuth.providers.jwks.file
No description for this field.
policies.policy.jwtAuth.providers.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].policies.policy.jwtAuth.providers.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
policies.policy.oidc
Authenticate incoming browser requests with OIDC authorization code flow.
policies.policy.oidc.issuer
Issuer used for discovery and ID token validation.
policies.policy.oidc.discovery
Optional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.policies.policy.oidc.discovery.file
No description for this field.
policies.policy.oidc.authorizationEndpoint
Authorization endpoint used to start the browser login flow.
Validation
Defaultnull
policies.policy.oidc.tokenEndpoint
Token endpoint used to exchange the authorization code.
Validation
Defaultnull
policies.policy.oidc.tokenEndpointAuth
Token endpoint client authentication method for explicit provider configuration.
Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.Validation
EnumclientSecretBasic, clientSecretPost
Defaultnull
policies.policy.oidc.jwks
JWKS source used to validate returned ID tokens.
policies.policy.oidc.jwks.file
No description for this field.
policies.policy.oidc.clientId
OAuth2 client identifier used for authorization and token exchange.
policies.policy.oidc.clientSecret
OAuth2 client secret used for token exchange.
policies.policy.oidc.redirectURI
Absolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
policies.policy.oidc.scopes
Additional OAuth2 scopes to request.
openid is always included.Validation
Default[]
policies.policy.basicAuth
Authenticate incoming requests using Basic Authentication with htpasswd.
policies.policy.basicAuth.htpasswd
.htpasswd file contents/reference
policies.policy.basicAuth.htpasswd.file
No description for this field.
policies.policy.basicAuth.realm
Realm name for the WWW-Authenticate header
Validation
Defaultnull
policies.policy.basicAuth.mode
Validation mode for basic authentication
Validation
Conststrict
Defaultoptional
policies.policy.basicAuth.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Basic "}}
policies.policy.basicAuth.authorizationLocation.header
No description for this field.
policies.policy.basicAuth.authorizationLocation.header.name
No description for this field.
policies.policy.basicAuth.authorizationLocation.header.prefix
No description for this field.
policies.policy.apiKey
Authenticate incoming requests using API Keys
policies.policy.apiKey.keys
List of API keys
policies.policy.apiKey.keys.key
No description for this field.
policies.policy.apiKey.keys.metadata
No description for this field.
policies.policy.apiKey.mode
Validation mode for API keys
Validation
Conststrict
Defaultoptional
policies.policy.apiKey.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
policies.policy.apiKey.location.header
No description for this field.
policies.policy.apiKey.location.header.name
No description for this field.
policies.policy.apiKey.location.header.prefix
No description for this field.
policies.policy.extAuthz
Authenticate incoming requests by calling an external authorization server.
policies.policy.extAuthz.conditional
conditional policy entries. An entry without a condition must be the final fallback.
policies.policy.extAuthz.conditional.service
No description for this field.
policies.policy.extAuthz.conditional.service.name
No description for this field.
policies.policy.extAuthz.conditional.service.name.namespace
No description for this field.
policies.policy.extAuthz.conditional.service.name.hostname
No description for this field.
policies.policy.extAuthz.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
policies.policy.extProc
Extend agentgateway with an external processor
policies.policy.extProc.conditional
conditional policy entries. An entry without a condition must be the final fallback.
policies.policy.extProc.conditional.service
No description for this field.
policies.policy.extProc.conditional.service.name
No description for this field.
policies.policy.extProc.conditional.service.name.namespace
No description for this field.
policies.policy.extProc.conditional.service.name.hostname
No description for this field.
policies.policy.extProc.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
policies.policy.transformations
Modify requests and responses
policies.policy.transformations.conditional
conditional policy entries. An entry without a condition must be the final fallback.
policies.policy.transformations.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
policies.policy.transformations.conditional.request
No description for this field.
policies.policy.transformations.conditional.request.add
No description for this field.
Validation
Default{}
policies.policy.transformations.conditional.request.set
No description for this field.
Validation
Default{}
policies.policy.transformations.conditional.request.remove
No description for this field.
Validation
Default[]
policies.policy.transformations.conditional.request.body
No description for this field.
Validation
Defaultnull
policies.policy.transformations.conditional.request.metadata
No description for this field.
Validation
Default{}
policies.policy.transformations.conditional.response
No description for this field.
policies.policy.transformations.conditional.response.add
No description for this field.
Validation
Default{}
policies.policy.transformations.conditional.response.set
No description for this field.
Validation
Default{}
policies.policy.transformations.conditional.response.remove
No description for this field.
Validation
Default[]
policies.policy.transformations.conditional.response.body
No description for this field.
Validation
Defaultnull
policies.policy.transformations.conditional.response.metadata
No description for this field.
Validation
Default{}
policies.policy.csrf
Handle CSRF protection by validating request origins against configured allowed origins.
Validation
Defaultnull
policies.policy.csrf.additionalOrigins
No description for this field.
Validation
Default[]
Unique itemstrue
policies.policy.timeout
Timeout requests that exceed the configured duration.
Validation
Defaultnull
policies.policy.timeout.requestTimeout
No description for this field.
policies.policy.timeout.backendRequestTimeout
No description for this field.
policies.policy.retry
Retry matching requests.
Validation
Defaultnull
policies.policy.retry.attempts
No description for this field.
Validation
Default1
Formatuint8
Minimum1
Maximum255
policies.policy.retry.backoff
No description for this field.
policies.policy.retry.codes
No description for this field.
workloads
No description for this field.
Validation
Default[]
services
No description for this field.
Validation
Default[]
backends
No description for this field.
backends.host
No description for this field.
routeGroups
No description for this field.
routeGroups.name
No description for this field.
routeGroups.routes
No description for this field.
routeGroups.routes.name
No description for this field.
Validation
Defaultnull
routeGroups.routes.namespace
No description for this field.
Validation
Defaultnull
routeGroups.routes.ruleName
No description for this field.
Validation
Defaultnull
routeGroups.routes.hostnames
Can be a wildcard
routeGroups.routes.matches
No description for this field.
Validation
Default[{"path": {"pathPrefix": "/"}}]
routeGroups.routes.matches.headers
No description for this field.
routeGroups.routes.matches.headers.name
No description for this field.
routeGroups.routes.matches.headers.value
No description for this field.
routeGroups.routes.matches.headers.value.exact
No description for this field.
routeGroups.routes.matches.path
No description for this field.
Validation
Default{"pathPrefix": "/"}
routeGroups.routes.matches.path.exact
No description for this field.
routeGroups.routes.matches.method
No description for this field.
routeGroups.routes.matches.query
No description for this field.
routeGroups.routes.matches.query.name
No description for this field.
routeGroups.routes.matches.query.value
No description for this field.
routeGroups.routes.matches.query.value.exact
No description for this field.
routeGroups.routes.policies
No description for this field.
routeGroups.routes.policies.requestHeaderModifier
Headers to be modified in the request.
Validation
Defaultnull
routeGroups.routes.policies.requestHeaderModifier.add
No description for this field.
routeGroups.routes.policies.requestHeaderModifier.set
No description for this field.
routeGroups.routes.policies.requestHeaderModifier.remove
No description for this field.
routeGroups.routes.policies.responseHeaderModifier
Headers to be modified in the response.
Validation
Defaultnull
routeGroups.routes.policies.responseHeaderModifier.add
No description for this field.
routeGroups.routes.policies.responseHeaderModifier.set
No description for this field.
routeGroups.routes.policies.responseHeaderModifier.remove
No description for this field.
routeGroups.routes.policies.requestRedirect
Directly respond to the request with a redirect.
Validation
Defaultnull
routeGroups.routes.policies.requestRedirect.scheme
No description for this field.
routeGroups.routes.policies.requestRedirect.authority
No description for this field.
routeGroups.routes.policies.requestRedirect.authority.full
No description for this field.
routeGroups.routes.policies.requestRedirect.path
No description for this field.
routeGroups.routes.policies.requestRedirect.path.full
No description for this field.
routeGroups.routes.policies.requestRedirect.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
routeGroups.routes.policies.urlRewrite
Modify the URL path or authority.
Validation
Defaultnull
routeGroups.routes.policies.urlRewrite.authority
No description for this field.
routeGroups.routes.policies.urlRewrite.authority.full
No description for this field.
routeGroups.routes.policies.urlRewrite.path
No description for this field.
routeGroups.routes.policies.urlRewrite.path.full
No description for this field.
routeGroups.routes.policies.requestMirror
Mirror incoming requests to another destination.
Validation
Defaultnull
routeGroups.routes.policies.requestMirror.backend
Service reference. Service must be defined in the top level services list.
routeGroups.routes.policies.requestMirror.backend.service
No description for this field.
routeGroups.routes.policies.requestMirror.backend.service.name
No description for this field.
routeGroups.routes.policies.requestMirror.backend.service.name.namespace
No description for this field.
routeGroups.routes.policies.requestMirror.backend.service.name.hostname
No description for this field.
routeGroups.routes.policies.requestMirror.backend.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
routeGroups.routes.policies.requestMirror.percentage
No description for this field.
Validation
Formatdouble
routeGroups.routes.policies.directResponse
Directly respond to the request with a static response.
routeGroups.routes.policies.directResponse.conditional
conditional policy entries. An entry without a condition must be the final fallback.
routeGroups.routes.policies.directResponse.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
routeGroups.routes.policies.directResponse.conditional.body
No description for this field.
routeGroups.routes.policies.directResponse.conditional.bodyExpression
No description for this field.
routeGroups.routes.policies.directResponse.conditional.headers
No description for this field.
routeGroups.routes.policies.directResponse.conditional.status
No description for this field.
Validation
Formatuint16
Minimum1
Maximum65535
routeGroups.routes.policies.cors
Handle CORS preflight requests and append configured CORS headers to applicable requests.
Validation
Defaultnull
routeGroups.routes.policies.cors.allowCredentials
No description for this field.
Validation
Defaultfalse
routeGroups.routes.policies.cors.allowHeaders
No description for this field.
Validation
Default[]
routeGroups.routes.policies.cors.allowMethods
No description for this field.
Validation
Default[]
routeGroups.routes.policies.cors.allowOrigins
No description for this field.
Validation
Default[]
routeGroups.routes.policies.cors.exposeHeaders
No description for this field.
Validation
Default[]
routeGroups.routes.policies.cors.maxAge
No description for this field.
Validation
Defaultnull
routeGroups.routes.policies.mcpAuthorization
Authorization policies for MCP access.
Validation
Defaultnull
routeGroups.routes.policies.mcpAuthorization.rules
No description for this field.
routeGroups.routes.policies.authorization
Authorization policies for HTTP access.
Validation
Defaultnull
routeGroups.routes.policies.authorization.rules
No description for this field.
routeGroups.routes.policies.mcpAuthentication
Authentication for MCP clients.
routeGroups.routes.policies.mcpAuthentication.issuer
No description for this field.
routeGroups.routes.policies.mcpAuthentication.audiences
No description for this field.
routeGroups.routes.policies.mcpAuthentication.provider
No description for this field.
routeGroups.routes.policies.mcpAuthentication.provider.auth0
No description for this field.
routeGroups.routes.policies.mcpAuthentication.resourceMetadata
No description for this field.
routeGroups.routes.policies.mcpAuthentication.jwks
No description for this field.
routeGroups.routes.policies.mcpAuthentication.jwks.file
No description for this field.
routeGroups.routes.policies.mcpAuthentication.mode
A valid token, issued by a configured issuer, must be present.
This is the default option.
This is the default option.
Validation
Conststrict
Defaultstrict
routeGroups.routes.policies.mcpAuthentication.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
routeGroups.routes.policies.mcpAuthentication.authorizationLocation.header
No description for this field.
routeGroups.routes.policies.mcpAuthentication.authorizationLocation.header.name
No description for this field.
routeGroups.routes.policies.mcpAuthentication.authorizationLocation.header.prefix
No description for this field.
routeGroups.routes.policies.mcpAuthentication.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].routeGroups.routes.policies.mcpAuthentication.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
routeGroups.routes.policies.mcpAuthentication.clientId
No description for this field.
routeGroups.routes.policies.a2a
Mark this traffic as A2A to enable A2A processing and telemetry.
Validation
Defaultnull
routeGroups.routes.policies.ai
Mark this as LLM traffic to enable LLM processing.
Validation
Defaultnull
routeGroups.routes.policies.ai.promptGuard
No description for this field.
routeGroups.routes.policies.ai.promptGuard.request
No description for this field.
routeGroups.routes.policies.ai.promptGuard.request.regex
No description for this field.
routeGroups.routes.policies.ai.promptGuard.request.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
routeGroups.routes.policies.ai.promptGuard.request.regex.rules
No description for this field.
routeGroups.routes.policies.ai.promptGuard.request.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
routeGroups.routes.policies.ai.promptGuard.response
No description for this field.
routeGroups.routes.policies.ai.promptGuard.response.regex
No description for this field.
routeGroups.routes.policies.ai.promptGuard.response.regex.action
No description for this field.
Validation
Enummask, reject
Defaultmask
routeGroups.routes.policies.ai.promptGuard.response.regex.rules
No description for this field.
routeGroups.routes.policies.ai.promptGuard.response.regex.rules.builtin
No description for this field.
Validation
Enumssn, creditCard, phoneNumber, email, caSin
routeGroups.routes.policies.ai.defaults
No description for this field.
routeGroups.routes.policies.ai.overrides
No description for this field.
routeGroups.routes.policies.ai.transformations
No description for this field.
routeGroups.routes.policies.ai.prompts
No description for this field.
Validation
Min properties1
routeGroups.routes.policies.ai.prompts.append
No description for this field.
routeGroups.routes.policies.ai.prompts.append.role
No description for this field.
routeGroups.routes.policies.ai.prompts.append.content
No description for this field.
routeGroups.routes.policies.ai.prompts.prepend
No description for this field.
routeGroups.routes.policies.ai.prompts.prepend.role
No description for this field.
routeGroups.routes.policies.ai.prompts.prepend.content
No description for this field.
routeGroups.routes.policies.ai.modelAliases
No description for this field.
routeGroups.routes.policies.ai.promptCaching
No description for this field.
routeGroups.routes.policies.ai.promptCaching.cacheSystem
No description for this field.
Validation
Defaulttrue
routeGroups.routes.policies.ai.promptCaching.cacheMessages
No description for this field.
Validation
Defaulttrue
routeGroups.routes.policies.ai.promptCaching.cacheTools
No description for this field.
Validation
Defaultfalse
routeGroups.routes.policies.ai.promptCaching.minTokens
No description for this field.
Validation
Default1024
Formatuint
Minimum0
routeGroups.routes.policies.ai.promptCaching.cacheMessageOffset
No description for this field.
Validation
Default0
Formatuint
Minimum0
routeGroups.routes.policies.ai.routes
No description for this field.
routeGroups.routes.policies.backendTLS
Send TLS to the backend.
routeGroups.routes.policies.backendTLS.cert
No description for this field.
routeGroups.routes.policies.backendTLS.key
No description for this field.
routeGroups.routes.policies.backendTLS.root
No description for this field.
routeGroups.routes.policies.backendTLS.hostname
No description for this field.
routeGroups.routes.policies.backendTLS.insecure
No description for this field.
Validation
Defaultfalse
routeGroups.routes.policies.backendTLS.insecureHost
No description for this field.
Validation
Defaultfalse
routeGroups.routes.policies.backendTLS.alpn
No description for this field.
Validation
Defaultnull
routeGroups.routes.policies.backendTLS.subjectAltNames
No description for this field.
Validation
Defaultnull
routeGroups.routes.policies.backendTLS.keyExchangeGroups
Key exchange groups allowed for negotiating TLS.
Validation
Defaultnull
routeGroups.routes.policies.backendTunnel
Tunnel to the backend.
Validation
Defaultnull
routeGroups.routes.policies.backendTunnel.proxy
Reference to the proxy address
routeGroups.routes.policies.backendTunnel.proxy.service
No description for this field.
routeGroups.routes.policies.backendTunnel.proxy.service.name
No description for this field.
routeGroups.routes.policies.backendTunnel.proxy.service.name.namespace
No description for this field.
routeGroups.routes.policies.backendTunnel.proxy.service.name.hostname
No description for this field.
routeGroups.routes.policies.backendTunnel.proxy.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
routeGroups.routes.policies.backendAuth
Authenticate to the backend.
Validation
Defaultnull
routeGroups.routes.policies.backendAuth.passthrough
No description for this field.
routeGroups.routes.policies.backendAuth.passthrough.location
No description for this field.
routeGroups.routes.policies.backendAuth.passthrough.location.header
No description for this field.
routeGroups.routes.policies.backendAuth.passthrough.location.header.name
No description for this field.
routeGroups.routes.policies.backendAuth.passthrough.location.header.prefix
No description for this field.
routeGroups.routes.policies.localRateLimit
Rate limit incoming requests. State is kept local.
routeGroups.routes.policies.localRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
routeGroups.routes.policies.localRateLimit.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
routeGroups.routes.policies.localRateLimit.conditional.maxTokens
No description for this field.
Validation
Default0
Formatuint64
Minimum0
routeGroups.routes.policies.localRateLimit.conditional.tokensPerFill
No description for this field.
Validation
Default0
Formatuint64
Minimum0
routeGroups.routes.policies.localRateLimit.conditional.fillInterval
No description for this field.
routeGroups.routes.policies.localRateLimit.conditional.type
No description for this field.
Validation
Enumrequests, tokens
Defaultrequests
routeGroups.routes.policies.remoteRateLimit
Rate limit incoming requests. State is managed by a remote server.
routeGroups.routes.policies.remoteRateLimit.conditional
conditional policy entries. An entry without a condition must be the final fallback.
routeGroups.routes.policies.remoteRateLimit.conditional.service
No description for this field.
routeGroups.routes.policies.remoteRateLimit.conditional.service.name
No description for this field.
routeGroups.routes.policies.remoteRateLimit.conditional.service.name.namespace
No description for this field.
routeGroups.routes.policies.remoteRateLimit.conditional.service.name.hostname
No description for this field.
routeGroups.routes.policies.remoteRateLimit.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
routeGroups.routes.policies.jwtAuth
Authenticate incoming JWT requests.
routeGroups.routes.policies.jwtAuth.mode
A valid token, issued by a configured issuer, must be present.
Validation
Conststrict
Defaultoptional
routeGroups.routes.policies.jwtAuth.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
routeGroups.routes.policies.jwtAuth.location.header
No description for this field.
routeGroups.routes.policies.jwtAuth.location.header.name
No description for this field.
routeGroups.routes.policies.jwtAuth.location.header.prefix
No description for this field.
routeGroups.routes.policies.jwtAuth.providers
No description for this field.
routeGroups.routes.policies.jwtAuth.providers.issuer
No description for this field.
routeGroups.routes.policies.jwtAuth.providers.audiences
No description for this field.
routeGroups.routes.policies.jwtAuth.providers.jwks
No description for this field.
routeGroups.routes.policies.jwtAuth.providers.jwks.file
No description for this field.
routeGroups.routes.policies.jwtAuth.providers.jwtValidationOptions
JWT validation options controlling which claims must be present in a token.
The
exist in the token payload before validation proceeds. Only the following
values are recognized:
claims such as
required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following
values are recognized:
exp, nbf, aud, iss, sub. Other registeredclaims such as
iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like
have their values validated independently (e.g., expiry is always checked
when the
exp and nbfhave their values validated independently (e.g., expiry is always checked
when the
exp claim is present, regardless of this setting).Defaults to
["exp"].routeGroups.routes.policies.jwtAuth.providers.jwtValidationOptions.requiredClaims
Claims that must be present in the token before validation.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Only "exp", "nbf", "aud", "iss", "sub" are enforced; others
(including "iat" and "jti") are ignored.
Defaults to ["exp"]. Use an empty list to require no claims.
Validation
Default["exp"]
Unique itemstrue
routeGroups.routes.policies.oidc
Authenticate incoming browser requests with OIDC authorization code flow.
routeGroups.routes.policies.oidc.issuer
Issuer used for discovery and ID token validation.
routeGroups.routes.policies.oidc.discovery
Optional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.routeGroups.routes.policies.oidc.discovery.file
No description for this field.
routeGroups.routes.policies.oidc.authorizationEndpoint
Authorization endpoint used to start the browser login flow.
Validation
Defaultnull
routeGroups.routes.policies.oidc.tokenEndpoint
Token endpoint used to exchange the authorization code.
Validation
Defaultnull
routeGroups.routes.policies.oidc.tokenEndpointAuth
Token endpoint client authentication method for explicit provider configuration.
Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.Validation
EnumclientSecretBasic, clientSecretPost
Defaultnull
routeGroups.routes.policies.oidc.jwks
JWKS source used to validate returned ID tokens.
routeGroups.routes.policies.oidc.jwks.file
No description for this field.
routeGroups.routes.policies.oidc.clientId
OAuth2 client identifier used for authorization and token exchange.
routeGroups.routes.policies.oidc.clientSecret
OAuth2 client secret used for token exchange.
routeGroups.routes.policies.oidc.redirectURI
Absolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
routeGroups.routes.policies.oidc.scopes
Additional OAuth2 scopes to request.
openid is always included.Validation
Default[]
routeGroups.routes.policies.basicAuth
Authenticate incoming requests using Basic Authentication with htpasswd.
routeGroups.routes.policies.basicAuth.htpasswd
.htpasswd file contents/reference
routeGroups.routes.policies.basicAuth.htpasswd.file
No description for this field.
routeGroups.routes.policies.basicAuth.realm
Realm name for the WWW-Authenticate header
Validation
Defaultnull
routeGroups.routes.policies.basicAuth.mode
Validation mode for basic authentication
Validation
Conststrict
Defaultoptional
routeGroups.routes.policies.basicAuth.authorizationLocation
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Basic "}}
routeGroups.routes.policies.basicAuth.authorizationLocation.header
No description for this field.
routeGroups.routes.policies.basicAuth.authorizationLocation.header.name
No description for this field.
routeGroups.routes.policies.basicAuth.authorizationLocation.header.prefix
No description for this field.
routeGroups.routes.policies.apiKey
Authenticate incoming requests using API Keys
routeGroups.routes.policies.apiKey.keys
List of API keys
routeGroups.routes.policies.apiKey.keys.key
No description for this field.
routeGroups.routes.policies.apiKey.keys.metadata
No description for this field.
routeGroups.routes.policies.apiKey.mode
Validation mode for API keys
Validation
Conststrict
Defaultoptional
routeGroups.routes.policies.apiKey.location
No description for this field.
Validation
Default{"header": {"name": "authorization", "prefix": "Bearer "}}
routeGroups.routes.policies.apiKey.location.header
No description for this field.
routeGroups.routes.policies.apiKey.location.header.name
No description for this field.
routeGroups.routes.policies.apiKey.location.header.prefix
No description for this field.
routeGroups.routes.policies.extAuthz
Authenticate incoming requests by calling an external authorization server.
routeGroups.routes.policies.extAuthz.conditional
conditional policy entries. An entry without a condition must be the final fallback.
routeGroups.routes.policies.extAuthz.conditional.service
No description for this field.
routeGroups.routes.policies.extAuthz.conditional.service.name
No description for this field.
routeGroups.routes.policies.extAuthz.conditional.service.name.namespace
No description for this field.
routeGroups.routes.policies.extAuthz.conditional.service.name.hostname
No description for this field.
routeGroups.routes.policies.extAuthz.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
routeGroups.routes.policies.extProc
Extend agentgateway with an external processor
routeGroups.routes.policies.extProc.conditional
conditional policy entries. An entry without a condition must be the final fallback.
routeGroups.routes.policies.extProc.conditional.service
No description for this field.
routeGroups.routes.policies.extProc.conditional.service.name
No description for this field.
routeGroups.routes.policies.extProc.conditional.service.name.namespace
No description for this field.
routeGroups.routes.policies.extProc.conditional.service.name.hostname
No description for this field.
routeGroups.routes.policies.extProc.conditional.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
routeGroups.routes.policies.transformations
Modify requests and responses
routeGroups.routes.policies.transformations.conditional
conditional policy entries. An entry without a condition must be the final fallback.
routeGroups.routes.policies.transformations.conditional.condition
condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
Validation
Defaultnull
routeGroups.routes.policies.transformations.conditional.request
No description for this field.
routeGroups.routes.policies.transformations.conditional.request.add
No description for this field.
Validation
Default{}
routeGroups.routes.policies.transformations.conditional.request.set
No description for this field.
Validation
Default{}
routeGroups.routes.policies.transformations.conditional.request.remove
No description for this field.
Validation
Default[]
routeGroups.routes.policies.transformations.conditional.request.body
No description for this field.
Validation
Defaultnull
routeGroups.routes.policies.transformations.conditional.request.metadata
No description for this field.
Validation
Default{}
routeGroups.routes.policies.transformations.conditional.response
No description for this field.
routeGroups.routes.policies.transformations.conditional.response.add
No description for this field.
Validation
Default{}
routeGroups.routes.policies.transformations.conditional.response.set
No description for this field.
Validation
Default{}
routeGroups.routes.policies.transformations.conditional.response.remove
No description for this field.
Validation
Default[]
routeGroups.routes.policies.transformations.conditional.response.body
No description for this field.
Validation
Defaultnull
routeGroups.routes.policies.transformations.conditional.response.metadata
No description for this field.
Validation
Default{}
routeGroups.routes.policies.csrf
Handle CSRF protection by validating request origins against configured allowed origins.
Validation
Defaultnull
routeGroups.routes.policies.csrf.additionalOrigins
No description for this field.
Validation
Default[]
Unique itemstrue
routeGroups.routes.policies.timeout
Timeout requests that exceed the configured duration.
Validation
Defaultnull
routeGroups.routes.policies.timeout.requestTimeout
No description for this field.
routeGroups.routes.policies.timeout.backendRequestTimeout
No description for this field.
routeGroups.routes.policies.retry
Retry matching requests.
Validation
Defaultnull
routeGroups.routes.policies.retry.attempts
No description for this field.
Validation
Default1
Formatuint8
Minimum1
Maximum255
routeGroups.routes.policies.retry.backoff
No description for this field.
routeGroups.routes.policies.retry.codes
No description for this field.
routeGroups.routes.backends
No description for this field.
routeGroups.routes.backends.service
No description for this field.
routeGroups.routes.backends.service.name
No description for this field.
routeGroups.routes.backends.service.name.namespace
No description for this field.
routeGroups.routes.backends.service.name.hostname
No description for this field.
routeGroups.routes.backends.service.port
No description for this field.
Validation
Formatuint16
Minimum0
Maximum65535
Was this page helpful?
