Skip to content
agentgateway has joined the Agentic AI FoundationLearn more

For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

Page as Markdown

Static configuration

Configure static settings that are applied at startup time.

Most agentgateway configurations dynamically update as you make changes to the binds, policies, backends, and so on.

However, a few configurations are statically configured at startup. These static configurations are under the config section.

Static configuration file schema

The following table shows the config file schema for static configurations at startup. For the full agentgateway schema of dynamic and static configuration, see the reference docs.

FieldTypeDescription
configobjectconfig defines top-level settings for DNS, admin, networking, observability, and session
management. Unlike other sections, these are applied only at startup and are not dynamically reloaded.
config.enableIpv6booleanEnable IPv6 address resolution and binding. Defaults to true.
config.dnsobjectDNS resolver settings.
config.dns.lookupFamilyenumControls which IP address families the DNS resolver will query for
upstream connections.
Accepted values: All, Auto, V4Preferred, V4Only, V6Only.
Defaults to Auto (IPv4-only when enableIpv6 is false, both when true).
config.dns.edns0booleanWhether to enable EDNS0 (Extension Mechanisms for DNS) in the resolver.
When None, the system-provided resolver setting is preserved.
Can also be set via the DNS_EDNS0 environment variable.
config.localXdsPathstringLocal XDS path. If not specified, the current configuration file will be used.
config.modelCatalog[]objectModel cost catalog sources; entries are merged in order, with later entries taking precedence.
config.modelCatalog[].filestringPath to a file on disk containing the model cost catalog.
config.modelCatalog[].inlinestringModel cost catalog provided inline as a string.
config.modelCatalog[].inlineobjectModel cost catalog provided inline as structured data.
config.modelCatalog[].inline.providersobjectMap of provider name to its supported models and pricing.
config.modelCatalog[].inline.providers.*.modelsobjectMap of model ID to its pricing rates and tiers.
config.modelCatalog[].inline.providers.*.models.*.ratesobjectBase pricing rates for this model.
config.modelCatalog[].inline.providers.*.models.*.rates.inputstringCost per 1M input (prompt) tokens.
config.modelCatalog[].inline.providers.*.models.*.rates.outputstringCost per 1M output (completion) tokens.
config.modelCatalog[].inline.providers.*.models.*.rates.cacheReadstringCost per 1M tokens read from cache.
config.modelCatalog[].inline.providers.*.models.*.rates.cacheWritestringCost per 1M tokens written to cache.
config.modelCatalog[].inline.providers.*.models.*.rates.reasoningstringCost per 1M reasoning tokens. Falls back to the output rate if unset.
config.modelCatalog[].inline.providers.*.models.*.rates.inputAudiostringCost per 1M input audio tokens. Falls back to the input rate if unset.
config.modelCatalog[].inline.providers.*.models.*.rates.outputAudiostringCost per 1M output audio tokens. Falls back to the output rate if unset.
config.modelCatalog[].inline.providers.*.models.*.tiers[]objectContext-length pricing tiers that override the base rates.
config.modelCatalog[].inline.providers.*.models.*.tiers[].contextOverintegerContext-token threshold above which this tier’s rates apply.
config.modelCatalog[].inline.providers.*.models.*.tiers[].ratesobjectPricing rates for this tier, overlaid on the base model rates.
config.modelCatalog[].inline.providers.*.models.*.tiers[].rates.inputstringCost per 1M input (prompt) tokens.
config.modelCatalog[].inline.providers.*.models.*.tiers[].rates.outputstringCost per 1M output (completion) tokens.
config.modelCatalog[].inline.providers.*.models.*.tiers[].rates.cacheReadstringCost per 1M tokens read from cache.
config.modelCatalog[].inline.providers.*.models.*.tiers[].rates.cacheWritestringCost per 1M tokens written to cache.
config.modelCatalog[].inline.providers.*.models.*.tiers[].rates.reasoningstringCost per 1M reasoning tokens. Falls back to the output rate if unset.
config.modelCatalog[].inline.providers.*.models.*.tiers[].rates.inputAudiostringCost per 1M input audio tokens. Falls back to the input rate if unset.
config.modelCatalog[].inline.providers.*.models.*.tiers[].rates.outputAudiostringCost per 1M output audio tokens. Falls back to the output rate if unset.
config.databaseobjectPrimary database used by local runtime features.
config.database.urlstringConnection URL for the request log database. A postgres:// or postgresql:// URL uses Postgres; any other value is treated as a SQLite database.
config.caAddressstringAddress of the Certificate Authority used to issue SPIFFE certificates.
config.caAuthTokenstringAuthentication token for communicating with the Certificate Authority.
config.xdsAddressstringAddress of the xDS control plane used for dynamic configuration.
config.xdsAuthTokenstringAuthentication token for communicating with the xDS control plane.
config.namespacestringKubernetes namespace for this gateway instance.
config.gatewaystringName of this gateway. Required when xDS is configured.
config.trustDomainstringSPIFFE trust domain for this gateway.
config.additionalTrustDomainsstringComma-separated list of additional SPIFFE trust domains accepted on inbound HBONE
connections. The local trust_domain is always implicitly included.
config.skipValidateTrustDomainbooleanWhen true, skip SPIFFE trust-domain verification on inbound HBONE connections.
config.serviceAccountstringKubernetes service account for this gateway, used in its SPIFFE identity.
config.clusterIdstringIdentifier for the cluster this gateway runs in. Defaults to “Kubernetes”.
config.networkstringNetwork name for this gateway, used for locality-aware routing.
config.adminAddrstringAdmin UI address in the format “ip:port”, “localhost:port”, “unix:/path/to/socket”, or “off”
config.standardAttributesobjectStandard request log attributes populated for database-backed local runtime features.
config.standardAttributes.userstringCEL expression used to populate the agentgateway.user request log attribute.
config.standardAttributes.groupstringCEL expression used to populate the agentgateway.group request log attribute.
config.statsAddrstringStats/metrics server address in the format “ip:port”, “localhost:port”, “unix:/path/to/socket”, or “off”
config.readinessAddrstringReadiness probe server address in the format “ip:port”, “localhost:port”, “unix:/path/to/socket”, or “off”
config.sessionobjectConfiguration for stateful session management
config.session.keystringThe AES-256-GCM session protection key to be used for session tokens.
If not set, sessions will not be encrypted.
For example, generated via openssl rand -hex 32.
`config`configconfig.customFunctions
config.connectionTerminationDeadlinestringMaximum time to wait for connections to close gracefully during shutdown.
config.connectionMinTerminationDeadlinestringMinimum time to allow for graceful connection termination. Defaults to zero.
config.workerThreadsstringNumber of worker threads for the async runtime. Accepts a number or a string such as “auto”.
config.tracingobjectDistributed tracing configuration.
config.tracing.otlpEndpointstringOTLP collector endpoint URL for exporting traces.
config.tracing.headersobjectHTTP headers to include on OTLP trace exports, such as authentication headers.
config.tracing.otlpProtocolenumOTLP transport protocol: grpc or http.
Possible values: grpc, http.
config.tracing.fieldsobjectCustom fields to add to or remove from trace spans.
config.tracing.fields.remove[]stringField names to remove from log entries.
config.tracing.fields.addobjectMap of field name to a CEL expression that computes the value to add to logs.
config.tracing.randomSamplingstringExpression to determine the amount of random sampling.
Random sampling will initiate a new trace span if the incoming request does not have a trace already.
This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.
This defaults to ‘false’.
config.tracing.clientSamplingstringExpression to determine the amount of client sampling.
Client sampling determines whether to initiate a new trace span if the incoming request does have a trace already.
This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.
This defaults to ’true'.
config.tracing.pathstringOTLP path. Default is /v1/traces
config.loggingobjectLogging configuration, including filter, level, format, and custom fields.
config.logging.filterstringCEL expression that selects which requests are logged.
config.logging.fieldsobjectCustom fields to add to or remove from log entries.
config.logging.fields.remove[]stringField names to remove from log entries.
config.logging.fields.addobjectMap of field name to a CEL expression that computes the value to add to logs.
config.logging.levelstringLog level: a single level (e.g. info), a comma-separated string of per-module levels (e.g. info,agent_core=trace), or a list of per-module levels (e.g. [info, agent_core=trace]).
config.logging.formatenumLog output format: text or json.
Possible values: text, json, null.
config.logging.databaseobjectLog-store database configuration; enables request logging to a database backend.
config.logging.database.urlstringConnection URL for the request log database. A postgres:// or postgresql:// URL uses Postgres; any other value is treated as a SQLite database.
config.metricsobjectMetrics configuration, including metric removal and custom fields.
config.metrics.remove[]stringMetric names to exclude from collection.
config.metrics.fieldsobjectCustom fields to add to all metrics.
config.metrics.fields.addobjectMap of field name to a CEL expression that computes the value to add to metrics.
config.backendobjectConfiguration for upstream connections, including keepalives, timeouts, and pooling.
config.backend.keepalivesobjectTCP keepalive configuration for upstream connections.
config.backend.keepalives.enabledbooleanEnable TCP keepalive probes on backend connections. Defaults to true.
config.backend.keepalives.timestringIdle time before the first keepalive probe is sent.
config.backend.keepalives.intervalstringTime between successive keepalive probes.
config.backend.keepalives.retriesintegerNumber of unacknowledged probes before the connection is considered dead.
config.backend.connectTimeoutstringMaximum time to wait when establishing a connection to an upstream. Defaults to 10 seconds.
config.backend.poolIdleTimeoutstringThe maximum duration to keep an idle connection alive.
config.backend.poolMaxSizeintegerThe maximum number of connections allowed in the pool, per hostname. If set, this will limit
the total number of connections kept alive to any given host.
Note: excess connections will still be created, they will just not remain idle.
If unset, there is no limit
config.hboneobjectHBONE (HTTP/2 CONNECT tunnel) protocol configuration.
config.hbone.windowSizeintegerHTTP/2 per-stream flow-control window size in bytes. Defaults to 4 MiB.
config.hbone.connectionWindowSizeintegerHTTP/2 connection-level flow-control window size in bytes. Defaults to 16 MiB.
config.hbone.frameSizeintegerHTTP/2 maximum frame size in bytes. Defaults to 1 MiB.
config.hbone.poolMaxStreamsPerConnintegerMaximum concurrent streams per pooled connection. Defaults to 100.
config.hbone.poolUnusedReleaseTimeoutstringDuration after which unused pooled connections are released.
gateways.*.portintegerport is the port to listen on for this gateway.
gateways.*.protocolenumprotocol controls whether this gateway accepts HTTP/HTTPS routes or TCP/TLS routes. When omitted, gateways
default to HTTP, or HTTPS when tls is set.
Possible values: HTTP, HTTPS, TCP, TLS, null.
gateways.*.listeners[]objectlisteners defines multiple named listeners under this gateway. When set, only port may be configured on the top level gateway.
gateways.*.listeners[].namestringname identifies this listener for gateway references like gateways: gateway-name/listener-name.
gateways.*.listeners[].hostnamestringHostname defines what hostnames are served under this listener. Can be a wildcard.
This allows serving multiple domains with different TLS configurations.
If unset, all domains will be served (implicit wildcard).
gateways.*.listeners[].protocolenumprotocol controls whether this listener accepts HTTP/HTTPS routes or TCP/TLS routes. When omitted, listeners
default to HTTP, or HTTPS when tls is set.
Possible values: HTTP, HTTPS, TCP, TLS, null.
gateways.*.listeners[].tlsobjecttls enables HTTPS for this listener.
gateways.*.listeners[].tls.modeenumCertificate source mode. Static mode uses cert/key as the leaf certificate; dynamic CA
mode uses cert/key as a CA for on-demand SNI leaf certificate issuance.
Possible values: static, dynamicCa.
gateways.*.listeners[].tls.certstringPath to the TLS certificate file (leaf certificate, or CA certificate in dynamic CA mode).
gateways.*.listeners[].tls.keystringPath to the TLS private key file.
gateways.*.listeners[].tls.rootstringPath to a root CA certificate file used to validate client certificates.
gateways.*.listeners[].tls.cipherSuites[]stringOptional cipher suite allowlist (order is preserved).
gateways.*.listeners[].tls.minTLSVersionenumMinimum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.listeners[].tls.minTlsVersionenumMinimum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.listeners[].tls.maxTLSVersionenumMaximum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.listeners[].tls.maxTlsVersionenumMaximum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.listeners[].tls.keyExchangeGroups[]stringKey exchange groups allowed for negotiating TLS.
gateways.*.listeners[].oidcobjectAuthenticate browser requests with OIDC authorization code flow.
gateways.*.listeners[].oidc.issuerstringIssuer used for discovery and ID token validation.
gateways.*.listeners[].oidc.discoveryobjectOptional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.
gateways.*.listeners[].oidc.discovery.filestringPath to a file on disk to load the value from.
gateways.*.listeners[].oidc.discovery.urlstring
gateways.*.listeners[].oidc.authorizationEndpointstringAuthorization endpoint used to start the browser login flow.
gateways.*.listeners[].oidc.tokenEndpointstringToken endpoint used to exchange the authorization code.
gateways.*.listeners[].oidc.tokenEndpointAuthenumToken endpoint client authentication method for explicit provider configuration.

Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.
Possible values: clientSecretBasic, clientSecretPost, null.
gateways.*.listeners[].oidc.jwksobjectJWKS source used to validate returned ID tokens.
gateways.*.listeners[].oidc.jwks.filestringPath to a file on disk to load the value from.
gateways.*.listeners[].oidc.jwks.urlstring
gateways.*.listeners[].oidc.clientIdstringOAuth2 client identifier used for authorization and token exchange.
gateways.*.listeners[].oidc.clientSecretstringOAuth2 client secret used for token exchange.
gateways.*.listeners[].oidc.redirectURIstringAbsolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
gateways.*.listeners[].oidc.scopes[]stringAdditional OAuth2 scopes to request. openid is always included.
gateways.*.listeners[].jwtAuthobjectAuthenticate incoming requests with JWT bearer tokens.
gateways.*.listeners[].jwtAuth.modeenumControls whether requests must include a JWT and how validation failures are handled.
Possible values: strict, optional, permissive.
gateways.*.listeners[].jwtAuth.locationobjectWhere to read the JWT from in incoming requests.
Exactly one of header, queryParameter, cookie, or expression may be set.
gateways.*.listeners[].jwtAuth.location.headerobjectRead the credential from an HTTP header.
gateways.*.listeners[].jwtAuth.location.header.namestringHeader name containing the credential.
gateways.*.listeners[].jwtAuth.location.header.prefixstringPrefix to remove from the header value before validation, such as Bearer or Basic .
gateways.*.listeners[].jwtAuth.location.queryParameterobjectRead the credential from a URL query parameter.
gateways.*.listeners[].jwtAuth.location.queryParameter.namestringQuery parameter name containing the credential.
gateways.*.listeners[].jwtAuth.location.cookieobjectRead the credential from a request cookie.
gateways.*.listeners[].jwtAuth.location.cookie.namestringCookie name containing the credential.
gateways.*.listeners[].jwtAuth.location.expressionstringRead the credential from a CEL expression evaluated against the incoming request.
CEL expression that returns the credential string. This location can extract credentials but cannot insert them.
gateways.*.listeners[].jwtAuth.providers[]objectTrusted issuers and their signing keys.
gateways.*.listeners[].jwtAuth.providers[].issuerstringExpected token issuer, matched against the JWT iss claim.
gateways.*.listeners[].jwtAuth.providers[].audiences[]stringAccepted token audiences, matched against the JWT aud claim when set.
gateways.*.listeners[].jwtAuth.providers[].jwksobjectJSON Web Key Set used to verify token signatures. Can be inline, from a file, or fetched remotely.
gateways.*.listeners[].jwtAuth.providers[].jwks.filestringPath to a file on disk to load the value from.
gateways.*.listeners[].jwtAuth.providers[].jwks.urlstring
gateways.*.listeners[].jwtAuth.providers[].jwtValidationOptionsobjectClaim requirements to enforce after the token signature is verified.
gateways.*.listeners[].jwtAuth.providers[].jwtValidationOptions.requiredClaims[]stringClaims that must be present in the token before validation.
Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others
(including “iat” and “jti”) are ignored.
Defaults to [“exp”]. Use an empty list to require no claims.
gateways.*.listeners[].jwtAuth.issuerstringExpected token issuer, matched against the JWT iss claim.
gateways.*.listeners[].jwtAuth.audiences[]stringAccepted token audiences, matched against the JWT aud claim when set.
gateways.*.listeners[].jwtAuth.jwksobjectJSON Web Key Set used to verify token signatures. Can be inline, from a file, or fetched remotely.
gateways.*.listeners[].jwtAuth.jwks.filestringPath to a file on disk to load the value from.
gateways.*.listeners[].jwtAuth.jwks.urlstring
gateways.*.listeners[].jwtAuth.jwtValidationOptionsobjectClaim requirements to enforce after the token signature is verified.
gateways.*.listeners[].jwtAuth.jwtValidationOptions.requiredClaims[]stringClaims that must be present in the token before validation.
Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others
(including “iat” and “jti”) are ignored.
Defaults to [“exp”]. Use an empty list to require no claims.
gateways.*.listeners[].authorizationobjectAuthorization rules for incoming HTTP requests.
gateways.*.listeners[].authorization.rules[]objectCEL authorization rules to evaluate for a request.
gateways.*.listeners[].authorization.rules[].allowstringAllow the request when this CEL expression is true.
gateways.*.listeners[].authorization.rules[].denystringDeny the request when this CEL expression is true.
gateways.*.listeners[].authorization.rules[].requirestringRequire this CEL expression to be true.
gateways.*.listeners[].extAuthzobjectAuthorize incoming requests by calling an external authorization service.
gateways.*.listeners[].extAuthz.conditional[]objectconditional policy entries. An entry without a condition must be the final fallback.
gateways.*.listeners[].extAuthz.conditional[].serviceobjectService reference. Service must be defined in the top level
gateways.*.listeners[].extAuthz.conditional[].hoststringHostname or IP address
gateways.*.listeners[].extAuthz.conditional[].backendstringExplicit backend reference. Backend must be defined in the top level
`gateways.*.listeners[].extAuthz.conditional[]`gateways.*.listeners[].extAuthz.conditional[]`gateways.*.listeners[].extAuthz.conditional[]
gateways.*.listeners[].extAuthz.conditional[].protocol.grpcobjectCall the authorization service using the gRPC authorization protocol.
gateways.*.listeners[].extAuthz.conditional[].protocol.grpc.contextobjectStatic context values to send to the authorization service.
Maps to the context_extensions field in the request.
gateways.*.listeners[].extAuthz.conditional[].protocol.grpc.metadataobjectMetadata values to send to the authorization service, computed from CEL expressions.
Maps to the metadata_context.filter_metadata field in the request.
If unset, envoy.filters.http.jwt_authn is set when JWT auth is also used, for compatibility.
gateways.*.listeners[].extAuthz.conditional[].protocol.httpobjectCall the authorization service using HTTP.
gateways.*.listeners[].extAuthz.conditional[].protocol.http.pathstringCEL expression that computes the authorization request path.
gateways.*.listeners[].extAuthz.conditional[].protocol.http.redirectstringCEL expression that computes a redirect URL when authorization fails.
When the authorization service returns unauthorized, this redirects instead of returning the error directly.
gateways.*.listeners[].extAuthz.conditional[].protocol.http.bodystringCEL expression that computes the authorization request body.
Strings and bytes are used directly; other values are JSON-encoded.
If set, this replaces forwarding the incoming request body.
gateways.*.listeners[].extAuthz.conditional[].protocol.http.includeResponseHeaders[]stringAuthorization response headers to copy into the backend request.
gateways.*.listeners[].extAuthz.conditional[].protocol.http.addRequestHeadersobjectHeaders to add to the authorization request using CEL expressions. Empty means all headers.
gateways.*.listeners[].extAuthz.conditional[].protocol.http.metadataobjectMetadata values to expose under the extauthz variable after authorization.
gateways.*.listeners[].extAuthz.conditional[].failureModeobjectBehavior when the authorization service is unavailable or returns an error.
gateways.*.listeners[].extAuthz.conditional[].failureMode.denyWithStatusintegerDeny the request with the configured HTTP status code.
gateways.*.listeners[].extAuthz.conditional[].includeRequestHeaders[]stringRequest headers to send to the authorization service.
If unset, gRPC sends all request headers and HTTP sends only Authorization.
gateways.*.listeners[].extAuthz.conditional[].includeRequestBodyobjectOptions for sending the request body to the authorization service.
gateways.*.listeners[].extAuthz.conditional[].includeRequestBody.maxRequestBytesintegerMaximum request body size to send to the authorization service. Defaults to 8192 bytes.
gateways.*.listeners[].extAuthz.conditional[].includeRequestBody.allowPartialMessagebooleanWhether to send a partial body when the request exceeds maxRequestBytes.
gateways.*.listeners[].extAuthz.conditional[].includeRequestBody.packAsBytesbooleanWhether to send the body as raw bytes for gRPC authorization checks.
gateways.*.listeners[].extAuthz.conditional[].cacheobjectCache authorization results using CEL expressions as the cache key.
Warning: the safety of this feature depends on the cache key accurately capturing the fields
the server operates on. For example, if you return a different result based on header A but only
cache header B, users may get incorrect cache hits.
gateways.*.listeners[].extAuthz.conditional[].cache.key[]stringCEL expressions that make up the cache key. Empty keys are accepted, but do not produce cache hits.
gateways.*.listeners[].extAuthz.conditional[].cache.ttlstringCEL expression that returns how long cached authorization results are reused.
The expression is evaluated after the authorization response has been applied
to the request, and must return either a duration or timestamp.
gateways.*.listeners[].extAuthz.conditional[].cache.maxEntriesintegerMaximum number of authorization results to keep in the cache.
gateways.*.listeners[].extAuthz.serviceobjectService reference. Service must be defined in the top level
gateways.*.listeners[].extAuthz.hoststringHostname or IP address
gateways.*.listeners[].extAuthz.backendstringExplicit backend reference. Backend must be defined in the top level
gateways.*.listeners[].extAuthz.protocol.grpcobjectCall the authorization service using the gRPC authorization protocol.
gateways.*.listeners[].extAuthz.protocol.grpc.contextobjectStatic context values to send to the authorization service.
Maps to the context_extensions field in the request.
gateways.*.listeners[].extAuthz.protocol.grpc.metadataobjectMetadata values to send to the authorization service, computed from CEL expressions.
Maps to the metadata_context.filter_metadata field in the request.
If unset, envoy.filters.http.jwt_authn is set when JWT auth is also used, for compatibility.
gateways.*.listeners[].extAuthz.protocol.httpobjectCall the authorization service using HTTP.
gateways.*.listeners[].extAuthz.protocol.http.pathstringCEL expression that computes the authorization request path.
gateways.*.listeners[].extAuthz.protocol.http.redirectstringCEL expression that computes a redirect URL when authorization fails.
When the authorization service returns unauthorized, this redirects instead of returning the error directly.
gateways.*.listeners[].extAuthz.protocol.http.bodystringCEL expression that computes the authorization request body.
Strings and bytes are used directly; other values are JSON-encoded.
If set, this replaces forwarding the incoming request body.
gateways.*.listeners[].extAuthz.protocol.http.includeResponseHeaders[]stringAuthorization response headers to copy into the backend request.
gateways.*.listeners[].extAuthz.protocol.http.addRequestHeadersobjectHeaders to add to the authorization request using CEL expressions. Empty means all headers.
gateways.*.listeners[].extAuthz.protocol.http.metadataobjectMetadata values to expose under the extauthz variable after authorization.
gateways.*.listeners[].extAuthz.failureModeobjectBehavior when the authorization service is unavailable or returns an error.
gateways.*.listeners[].extAuthz.failureMode.denyWithStatusintegerDeny the request with the configured HTTP status code.
gateways.*.listeners[].extAuthz.includeRequestHeaders[]stringRequest headers to send to the authorization service.
If unset, gRPC sends all request headers and HTTP sends only Authorization.
gateways.*.listeners[].extAuthz.includeRequestBodyobjectOptions for sending the request body to the authorization service.
gateways.*.listeners[].extAuthz.includeRequestBody.maxRequestBytesintegerMaximum request body size to send to the authorization service. Defaults to 8192 bytes.
gateways.*.listeners[].extAuthz.includeRequestBody.allowPartialMessagebooleanWhether to send a partial body when the request exceeds maxRequestBytes.
gateways.*.listeners[].extAuthz.includeRequestBody.packAsBytesbooleanWhether to send the body as raw bytes for gRPC authorization checks.
gateways.*.listeners[].extAuthz.cacheobjectCache authorization results using CEL expressions as the cache key.
Warning: the safety of this feature depends on the cache key accurately capturing the fields
the server operates on. For example, if you return a different result based on header A but only
cache header B, users may get incorrect cache hits.
gateways.*.listeners[].extAuthz.cache.key[]stringCEL expressions that make up the cache key. Empty keys are accepted, but do not produce cache hits.
gateways.*.listeners[].extAuthz.cache.ttlstringCEL expression that returns how long cached authorization results are reused.
The expression is evaluated after the authorization response has been applied
to the request, and must return either a duration or timestamp.
gateways.*.listeners[].extAuthz.cache.maxEntriesintegerMaximum number of authorization results to keep in the cache.
gateways.*.listeners[].extProcobjectSend request and response data to an external processing service.
gateways.*.listeners[].extProc.conditional[]objectconditional policy entries. An entry without a condition must be the final fallback.
gateways.*.listeners[].extProc.conditional[].serviceobjectService reference. Service must be defined in the top level
gateways.*.listeners[].extProc.conditional[].hoststringHostname or IP address
gateways.*.listeners[].extProc.conditional[].backendstringExplicit backend reference. Backend must be defined in the top level
`gateways.*.listeners[].extProc.conditional[]`gateways.*.listeners[].extProc.conditional[]`gateways.*.listeners[].extProc.conditional[]
gateways.*.listeners[].extProc.conditional[].metadataContextobjectAdditional metadata to send to the external processing service.
Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.listeners[].extProc.conditional[].requestAttributesobjectMaps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.listeners[].extProc.conditional[].responseAttributesobjectMaps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.listeners[].extProc.conditional[].processingOptionsobjectControls which request and response parts are sent to the external processing service.
gateways.*.listeners[].extProc.conditional[].processingOptions.requestBodyModeenumHow request bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.listeners[].extProc.conditional[].processingOptions.responseBodyModeenumHow response bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.listeners[].extProc.conditional[].processingOptions.requestHeaderModeenumWhether request headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.conditional[].processingOptions.responseHeaderModeenumWhether response headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.conditional[].processingOptions.requestTrailerModeenumWhether request trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.conditional[].processingOptions.responseTrailerModeenumWhether response trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.conditional[].processingOptions.allowModeOverridebooleanWhether the external processing service can change processing modes during a request.
gateways.*.listeners[].extProc.serviceobjectService reference. Service must be defined in the top level
gateways.*.listeners[].extProc.hoststringHostname or IP address
gateways.*.listeners[].extProc.backendstringExplicit backend reference. Backend must be defined in the top level
gateways.*.listeners[].extProc.metadataContextobjectAdditional metadata to send to the external processing service.
Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.listeners[].extProc.requestAttributesobjectMaps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.listeners[].extProc.responseAttributesobjectMaps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.listeners[].extProc.processingOptionsobjectControls which request and response parts are sent to the external processing service.
gateways.*.listeners[].extProc.processingOptions.requestBodyModeenumHow request bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.listeners[].extProc.processingOptions.responseBodyModeenumHow response bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.listeners[].extProc.processingOptions.requestHeaderModeenumWhether request headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.processingOptions.responseHeaderModeenumWhether response headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.processingOptions.requestTrailerModeenumWhether request trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.processingOptions.responseTrailerModeenumWhether response trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.listeners[].extProc.processingOptions.allowModeOverridebooleanWhether the external processing service can change processing modes during a request.
gateways.*.listeners[].corsobjectHandle CORS preflight requests and append configured CORS headers to applicable requests.
gateways.*.listeners[].cors.allowCredentialsbooleanAdd Access-Control-Allow-Credentials: true on allowed CORS responses.
gateways.*.listeners[].cors.allowHeaders[]stringValues to return in Access-Control-Allow-Headers for allowed preflight requests.
gateways.*.listeners[].cors.allowMethods[]stringValues to return in Access-Control-Allow-Methods for allowed preflight requests.
gateways.*.listeners[].cors.allowOrigins[]stringRequest origins that receive CORS response headers. Use * to match any origin.
gateways.*.listeners[].cors.exposeHeaders[]stringValues to return in Access-Control-Expose-Headers for allowed CORS responses.
gateways.*.listeners[].cors.maxAgestringValue to return in Access-Control-Max-Age for allowed preflight requests.
gateways.*.listeners[].transformationsobjectModify request and response headers, bodies, or metadata.
gateways.*.listeners[].transformations.conditional[]objectconditional policy entries. An entry without a condition must be the final fallback.
gateways.*.listeners[].transformations.conditional[].conditionstringcondition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
gateways.*.listeners[].transformations.conditional[].requestobjectTransform the request before it is forwarded.
gateways.*.listeners[].transformations.conditional[].request.addobjectHeaders to append using CEL expressions for values.
gateways.*.listeners[].transformations.conditional[].request.setobjectHeaders to set using CEL expressions for values.
gateways.*.listeners[].transformations.conditional[].request.remove[]stringHeader names to remove.
gateways.*.listeners[].transformations.conditional[].request.bodystringCEL expression that computes a replacement body.
gateways.*.listeners[].transformations.conditional[].request.metadataobjectMetadata values to add using CEL expressions.
gateways.*.listeners[].transformations.conditional[].responseobjectTransform the response before it is returned.
gateways.*.listeners[].transformations.conditional[].response.addobjectHeaders to append using CEL expressions for values.
gateways.*.listeners[].transformations.conditional[].response.setobjectHeaders to set using CEL expressions for values.
gateways.*.listeners[].transformations.conditional[].response.remove[]stringHeader names to remove.
gateways.*.listeners[].transformations.conditional[].response.bodystringCEL expression that computes a replacement body.
gateways.*.listeners[].transformations.conditional[].response.metadataobjectMetadata values to add using CEL expressions.
gateways.*.listeners[].transformations.requestobjectTransform the request before it is forwarded.
gateways.*.listeners[].transformations.request.addobjectHeaders to append using CEL expressions for values.
gateways.*.listeners[].transformations.request.setobjectHeaders to set using CEL expressions for values.
gateways.*.listeners[].transformations.request.remove[]stringHeader names to remove.
gateways.*.listeners[].transformations.request.bodystringCEL expression that computes a replacement body.
gateways.*.listeners[].transformations.request.metadataobjectMetadata values to add using CEL expressions.
gateways.*.listeners[].transformations.responseobjectTransform the response before it is returned.
gateways.*.listeners[].transformations.response.addobjectHeaders to append using CEL expressions for values.
gateways.*.listeners[].transformations.response.setobjectHeaders to set using CEL expressions for values.
gateways.*.listeners[].transformations.response.remove[]stringHeader names to remove.
gateways.*.listeners[].transformations.response.bodystringCEL expression that computes a replacement body.
gateways.*.listeners[].transformations.response.metadataobjectMetadata values to add using CEL expressions.
gateways.*.listeners[].basicAuthobjectAuthenticate incoming requests with Basic Auth credentials from an htpasswd user database.
gateways.*.listeners[].basicAuth.htpasswdobjectUser database in htpasswd format. Can be inline or loaded from a file.
gateways.*.listeners[].basicAuth.htpasswd.filestringPath to a file on disk to load the value from.
gateways.*.listeners[].basicAuth.realmstringRealm shown in the WWW-Authenticate response header when credentials are missing or invalid.
gateways.*.listeners[].basicAuth.modeenumControls whether requests must include valid Basic Auth credentials.
Possible values: strict, optional.
gateways.*.listeners[].basicAuth.authorizationLocationobjectWhere to read the Basic Auth credentials from in incoming requests.
Exactly one of header, queryParameter, cookie, or expression may be set.
gateways.*.listeners[].basicAuth.authorizationLocation.headerobjectRead the credential from an HTTP header.
gateways.*.listeners[].basicAuth.authorizationLocation.header.namestringHeader name containing the credential.
gateways.*.listeners[].basicAuth.authorizationLocation.header.prefixstringPrefix to remove from the header value before validation, such as Bearer or Basic .
gateways.*.listeners[].basicAuth.authorizationLocation.queryParameterobjectRead the credential from a URL query parameter.
gateways.*.listeners[].basicAuth.authorizationLocation.queryParameter.namestringQuery parameter name containing the credential.
gateways.*.listeners[].basicAuth.authorizationLocation.cookieobjectRead the credential from a request cookie.
gateways.*.listeners[].basicAuth.authorizationLocation.cookie.namestringCookie name containing the credential.
gateways.*.listeners[].basicAuth.authorizationLocation.expressionstringRead the credential from a CEL expression evaluated against the incoming request.
CEL expression that returns the credential string. This location can extract credentials but cannot insert them.
gateways.*.listeners[].apiKeyobjectAuthenticate incoming requests with API keys.
gateways.*.listeners[].apiKey.keys[]objectAPI keys that are accepted by this policy.
gateways.*.listeners[].apiKey.keys[].keystringAPI key value to accept.
gateways.*.listeners[].apiKey.keys[].metadataanyOptional metadata attached to requests authenticated with this key.
gateways.*.listeners[].apiKey.keys[].keyHashstringSHA-256 hash of an API key value to accept, in sha256:<hex> format.
gateways.*.listeners[].apiKey.modeenumControls whether requests must include a valid API key.
Possible values: strict, optional, permissive.
gateways.*.listeners[].apiKey.locationobjectWhere to read the API key from in incoming requests.
Exactly one of header, queryParameter, cookie, or expression may be set.
gateways.*.listeners[].apiKey.location.headerobjectRead the credential from an HTTP header.
gateways.*.listeners[].apiKey.location.header.namestringHeader name containing the credential.
gateways.*.listeners[].apiKey.location.header.prefixstringPrefix to remove from the header value before validation, such as Bearer or Basic .
gateways.*.listeners[].apiKey.location.queryParameterobjectRead the credential from a URL query parameter.
gateways.*.listeners[].apiKey.location.queryParameter.namestringQuery parameter name containing the credential.
gateways.*.listeners[].apiKey.location.cookieobjectRead the credential from a request cookie.
gateways.*.listeners[].apiKey.location.cookie.namestringCookie name containing the credential.
gateways.*.listeners[].apiKey.location.expressionstringRead the credential from a CEL expression evaluated against the incoming request.
CEL expression that returns the credential string. This location can extract credentials but cannot insert them.
gateways.*.tlsobjecttls enables HTTPS for this gateway. Maybe not be set with listeners
gateways.*.tls.modeenumCertificate source mode. Static mode uses cert/key as the leaf certificate; dynamic CA
mode uses cert/key as a CA for on-demand SNI leaf certificate issuance.
Possible values: static, dynamicCa.
gateways.*.tls.certstringPath to the TLS certificate file (leaf certificate, or CA certificate in dynamic CA mode).
gateways.*.tls.keystringPath to the TLS private key file.
gateways.*.tls.rootstringPath to a root CA certificate file used to validate client certificates.
gateways.*.tls.cipherSuites[]stringOptional cipher suite allowlist (order is preserved).
gateways.*.tls.minTLSVersionenumMinimum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.tls.minTlsVersionenumMinimum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.tls.maxTLSVersionenumMaximum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.tls.maxTlsVersionenumMaximum supported TLS version (only TLS 1.2 and 1.3 are supported).
Possible values: TLS_V1_0, TLS_V1_1, TLS_V1_2, TLS_V1_3, null.
gateways.*.tls.keyExchangeGroups[]stringKey exchange groups allowed for negotiating TLS.
gateways.*.oidcobjectAuthenticate browser requests with OIDC authorization code flow.
gateways.*.oidc.issuerstringIssuer used for discovery and ID token validation.
gateways.*.oidc.discoveryobjectOptional discovery document override. If omitted, discovery uses
${issuer}/.well-known/openid-configuration.
gateways.*.oidc.discovery.filestringPath to a file on disk to load the value from.
gateways.*.oidc.discovery.urlstring
gateways.*.oidc.authorizationEndpointstringAuthorization endpoint used to start the browser login flow.
gateways.*.oidc.tokenEndpointstringToken endpoint used to exchange the authorization code.
gateways.*.oidc.tokenEndpointAuthenumToken endpoint client authentication method for explicit provider configuration.

Discovery mode derives this from provider metadata. Explicit mode defaults to
clientSecretBasic when omitted.
Possible values: clientSecretBasic, clientSecretPost, null.
gateways.*.oidc.jwksobjectJWKS source used to validate returned ID tokens.
gateways.*.oidc.jwks.filestringPath to a file on disk to load the value from.
gateways.*.oidc.jwks.urlstring
gateways.*.oidc.clientIdstringOAuth2 client identifier used for authorization and token exchange.
gateways.*.oidc.clientSecretstringOAuth2 client secret used for token exchange.
gateways.*.oidc.redirectURIstringAbsolute callback URI handled by the gateway.
This policy always redirects unauthenticated non-callback requests back through this login
flow.
gateways.*.oidc.scopes[]stringAdditional OAuth2 scopes to request. openid is always included.
gateways.*.jwtAuthobjectAuthenticate incoming requests with JWT bearer tokens.
gateways.*.jwtAuth.modeenumControls whether requests must include a JWT and how validation failures are handled.
Possible values: strict, optional, permissive.
gateways.*.jwtAuth.locationobjectWhere to read the JWT from in incoming requests.
Exactly one of header, queryParameter, cookie, or expression may be set.
gateways.*.jwtAuth.location.headerobjectRead the credential from an HTTP header.
gateways.*.jwtAuth.location.header.namestringHeader name containing the credential.
gateways.*.jwtAuth.location.header.prefixstringPrefix to remove from the header value before validation, such as Bearer or Basic .
gateways.*.jwtAuth.location.queryParameterobjectRead the credential from a URL query parameter.
gateways.*.jwtAuth.location.queryParameter.namestringQuery parameter name containing the credential.
gateways.*.jwtAuth.location.cookieobjectRead the credential from a request cookie.
gateways.*.jwtAuth.location.cookie.namestringCookie name containing the credential.
gateways.*.jwtAuth.location.expressionstringRead the credential from a CEL expression evaluated against the incoming request.
CEL expression that returns the credential string. This location can extract credentials but cannot insert them.
gateways.*.jwtAuth.providers[]objectTrusted issuers and their signing keys.
gateways.*.jwtAuth.providers[].issuerstringExpected token issuer, matched against the JWT iss claim.
gateways.*.jwtAuth.providers[].audiences[]stringAccepted token audiences, matched against the JWT aud claim when set.
gateways.*.jwtAuth.providers[].jwksobjectJSON Web Key Set used to verify token signatures. Can be inline, from a file, or fetched remotely.
gateways.*.jwtAuth.providers[].jwks.filestringPath to a file on disk to load the value from.
gateways.*.jwtAuth.providers[].jwks.urlstring
gateways.*.jwtAuth.providers[].jwtValidationOptionsobjectClaim requirements to enforce after the token signature is verified.
gateways.*.jwtAuth.providers[].jwtValidationOptions.requiredClaims[]stringClaims that must be present in the token before validation.
Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others
(including “iat” and “jti”) are ignored.
Defaults to [“exp”]. Use an empty list to require no claims.
gateways.*.jwtAuth.issuerstringExpected token issuer, matched against the JWT iss claim.
gateways.*.jwtAuth.audiences[]stringAccepted token audiences, matched against the JWT aud claim when set.
gateways.*.jwtAuth.jwksobjectJSON Web Key Set used to verify token signatures. Can be inline, from a file, or fetched remotely.
gateways.*.jwtAuth.jwks.filestringPath to a file on disk to load the value from.
gateways.*.jwtAuth.jwks.urlstring
gateways.*.jwtAuth.jwtValidationOptionsobjectClaim requirements to enforce after the token signature is verified.
gateways.*.jwtAuth.jwtValidationOptions.requiredClaims[]stringClaims that must be present in the token before validation.
Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others
(including “iat” and “jti”) are ignored.
Defaults to [“exp”]. Use an empty list to require no claims.
gateways.*.authorizationobjectAuthorization rules for incoming HTTP requests.
gateways.*.authorization.rules[]objectCEL authorization rules to evaluate for a request.
gateways.*.authorization.rules[].allowstringAllow the request when this CEL expression is true.
gateways.*.authorization.rules[].denystringDeny the request when this CEL expression is true.
gateways.*.authorization.rules[].requirestringRequire this CEL expression to be true.
gateways.*.extAuthzobjectAuthorize incoming requests by calling an external authorization service.
gateways.*.extAuthz.conditional[]objectconditional policy entries. An entry without a condition must be the final fallback.
gateways.*.extAuthz.conditional[].serviceobjectService reference. Service must be defined in the top level
gateways.*.extAuthz.conditional[].hoststringHostname or IP address
gateways.*.extAuthz.conditional[].backendstringExplicit backend reference. Backend must be defined in the top level
`gateways.*.extAuthz.conditional[]`gateways.*.extAuthz.conditional[]`gateways.*.extAuthz.conditional[]
gateways.*.extAuthz.conditional[].protocol.grpcobjectCall the authorization service using the gRPC authorization protocol.
gateways.*.extAuthz.conditional[].protocol.grpc.contextobjectStatic context values to send to the authorization service.
Maps to the context_extensions field in the request.
gateways.*.extAuthz.conditional[].protocol.grpc.metadataobjectMetadata values to send to the authorization service, computed from CEL expressions.
Maps to the metadata_context.filter_metadata field in the request.
If unset, envoy.filters.http.jwt_authn is set when JWT auth is also used, for compatibility.
gateways.*.extAuthz.conditional[].protocol.httpobjectCall the authorization service using HTTP.
gateways.*.extAuthz.conditional[].protocol.http.pathstringCEL expression that computes the authorization request path.
gateways.*.extAuthz.conditional[].protocol.http.redirectstringCEL expression that computes a redirect URL when authorization fails.
When the authorization service returns unauthorized, this redirects instead of returning the error directly.
gateways.*.extAuthz.conditional[].protocol.http.bodystringCEL expression that computes the authorization request body.
Strings and bytes are used directly; other values are JSON-encoded.
If set, this replaces forwarding the incoming request body.
gateways.*.extAuthz.conditional[].protocol.http.includeResponseHeaders[]stringAuthorization response headers to copy into the backend request.
gateways.*.extAuthz.conditional[].protocol.http.addRequestHeadersobjectHeaders to add to the authorization request using CEL expressions. Empty means all headers.
gateways.*.extAuthz.conditional[].protocol.http.metadataobjectMetadata values to expose under the extauthz variable after authorization.
gateways.*.extAuthz.conditional[].failureModeobjectBehavior when the authorization service is unavailable or returns an error.
gateways.*.extAuthz.conditional[].failureMode.denyWithStatusintegerDeny the request with the configured HTTP status code.
gateways.*.extAuthz.conditional[].includeRequestHeaders[]stringRequest headers to send to the authorization service.
If unset, gRPC sends all request headers and HTTP sends only Authorization.
gateways.*.extAuthz.conditional[].includeRequestBodyobjectOptions for sending the request body to the authorization service.
gateways.*.extAuthz.conditional[].includeRequestBody.maxRequestBytesintegerMaximum request body size to send to the authorization service. Defaults to 8192 bytes.
gateways.*.extAuthz.conditional[].includeRequestBody.allowPartialMessagebooleanWhether to send a partial body when the request exceeds maxRequestBytes.
gateways.*.extAuthz.conditional[].includeRequestBody.packAsBytesbooleanWhether to send the body as raw bytes for gRPC authorization checks.
gateways.*.extAuthz.conditional[].cacheobjectCache authorization results using CEL expressions as the cache key.
Warning: the safety of this feature depends on the cache key accurately capturing the fields
the server operates on. For example, if you return a different result based on header A but only
cache header B, users may get incorrect cache hits.
gateways.*.extAuthz.conditional[].cache.key[]stringCEL expressions that make up the cache key. Empty keys are accepted, but do not produce cache hits.
gateways.*.extAuthz.conditional[].cache.ttlstringCEL expression that returns how long cached authorization results are reused.
The expression is evaluated after the authorization response has been applied
to the request, and must return either a duration or timestamp.
gateways.*.extAuthz.conditional[].cache.maxEntriesintegerMaximum number of authorization results to keep in the cache.
gateways.*.extAuthz.serviceobjectService reference. Service must be defined in the top level
gateways.*.extAuthz.hoststringHostname or IP address
gateways.*.extAuthz.backendstringExplicit backend reference. Backend must be defined in the top level
gateways.*.extAuthz.protocol.grpcobjectCall the authorization service using the gRPC authorization protocol.
gateways.*.extAuthz.protocol.grpc.contextobjectStatic context values to send to the authorization service.
Maps to the context_extensions field in the request.
gateways.*.extAuthz.protocol.grpc.metadataobjectMetadata values to send to the authorization service, computed from CEL expressions.
Maps to the metadata_context.filter_metadata field in the request.
If unset, envoy.filters.http.jwt_authn is set when JWT auth is also used, for compatibility.
gateways.*.extAuthz.protocol.httpobjectCall the authorization service using HTTP.
gateways.*.extAuthz.protocol.http.pathstringCEL expression that computes the authorization request path.
gateways.*.extAuthz.protocol.http.redirectstringCEL expression that computes a redirect URL when authorization fails.
When the authorization service returns unauthorized, this redirects instead of returning the error directly.
gateways.*.extAuthz.protocol.http.bodystringCEL expression that computes the authorization request body.
Strings and bytes are used directly; other values are JSON-encoded.
If set, this replaces forwarding the incoming request body.
gateways.*.extAuthz.protocol.http.includeResponseHeaders[]stringAuthorization response headers to copy into the backend request.
gateways.*.extAuthz.protocol.http.addRequestHeadersobjectHeaders to add to the authorization request using CEL expressions. Empty means all headers.
gateways.*.extAuthz.protocol.http.metadataobjectMetadata values to expose under the extauthz variable after authorization.
gateways.*.extAuthz.failureModeobjectBehavior when the authorization service is unavailable or returns an error.
gateways.*.extAuthz.failureMode.denyWithStatusintegerDeny the request with the configured HTTP status code.
gateways.*.extAuthz.includeRequestHeaders[]stringRequest headers to send to the authorization service.
If unset, gRPC sends all request headers and HTTP sends only Authorization.
gateways.*.extAuthz.includeRequestBodyobjectOptions for sending the request body to the authorization service.
gateways.*.extAuthz.includeRequestBody.maxRequestBytesintegerMaximum request body size to send to the authorization service. Defaults to 8192 bytes.
gateways.*.extAuthz.includeRequestBody.allowPartialMessagebooleanWhether to send a partial body when the request exceeds maxRequestBytes.
gateways.*.extAuthz.includeRequestBody.packAsBytesbooleanWhether to send the body as raw bytes for gRPC authorization checks.
gateways.*.extAuthz.cacheobjectCache authorization results using CEL expressions as the cache key.
Warning: the safety of this feature depends on the cache key accurately capturing the fields
the server operates on. For example, if you return a different result based on header A but only
cache header B, users may get incorrect cache hits.
gateways.*.extAuthz.cache.key[]stringCEL expressions that make up the cache key. Empty keys are accepted, but do not produce cache hits.
gateways.*.extAuthz.cache.ttlstringCEL expression that returns how long cached authorization results are reused.
The expression is evaluated after the authorization response has been applied
to the request, and must return either a duration or timestamp.
gateways.*.extAuthz.cache.maxEntriesintegerMaximum number of authorization results to keep in the cache.
gateways.*.extProcobjectSend request and response data to an external processing service.
gateways.*.extProc.conditional[]objectconditional policy entries. An entry without a condition must be the final fallback.
gateways.*.extProc.conditional[].serviceobjectService reference. Service must be defined in the top level
gateways.*.extProc.conditional[].hoststringHostname or IP address
gateways.*.extProc.conditional[].backendstringExplicit backend reference. Backend must be defined in the top level
`gateways.*.extProc.conditional[]`gateways.*.extProc.conditional[]`gateways.*.extProc.conditional[]
gateways.*.extProc.conditional[].metadataContextobjectAdditional metadata to send to the external processing service.
Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.extProc.conditional[].requestAttributesobjectMaps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.extProc.conditional[].responseAttributesobjectMaps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.extProc.conditional[].processingOptionsobjectControls which request and response parts are sent to the external processing service.
gateways.*.extProc.conditional[].processingOptions.requestBodyModeenumHow request bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.extProc.conditional[].processingOptions.responseBodyModeenumHow response bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.extProc.conditional[].processingOptions.requestHeaderModeenumWhether request headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.conditional[].processingOptions.responseHeaderModeenumWhether response headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.conditional[].processingOptions.requestTrailerModeenumWhether request trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.conditional[].processingOptions.responseTrailerModeenumWhether response trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.conditional[].processingOptions.allowModeOverridebooleanWhether the external processing service can change processing modes during a request.
gateways.*.extProc.serviceobjectService reference. Service must be defined in the top level
gateways.*.extProc.hoststringHostname or IP address
gateways.*.extProc.backendstringExplicit backend reference. Backend must be defined in the top level
gateways.*.extProc.metadataContextobjectAdditional metadata to send to the external processing service.
Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.extProc.requestAttributesobjectMaps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.extProc.responseAttributesobjectMaps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions.
gateways.*.extProc.processingOptionsobjectControls which request and response parts are sent to the external processing service.
gateways.*.extProc.processingOptions.requestBodyModeenumHow request bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.extProc.processingOptions.responseBodyModeenumHow response bodies are sent to the external processing service.
Possible values: none, buffered, bufferedPartial, fullDuplexStreamed.
gateways.*.extProc.processingOptions.requestHeaderModeenumWhether request headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.processingOptions.responseHeaderModeenumWhether response headers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.processingOptions.requestTrailerModeenumWhether request trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.processingOptions.responseTrailerModeenumWhether response trailers are sent to the external processing service.
Possible values: send, skip.
gateways.*.extProc.processingOptions.allowModeOverridebooleanWhether the external processing service can change processing modes during a request.
gateways.*.corsobjectHandle CORS preflight requests and append configured CORS headers to applicable requests.
gateways.*.cors.allowCredentialsbooleanAdd Access-Control-Allow-Credentials: true on allowed CORS responses.
gateways.*.cors.allowHeaders[]stringValues to return in Access-Control-Allow-Headers for allowed preflight requests.
gateways.*.cors.allowMethods[]stringValues to return in Access-Control-Allow-Methods for allowed preflight requests.
gateways.*.cors.allowOrigins[]stringRequest origins that receive CORS response headers. Use * to match any origin.
gateways.*.cors.exposeHeaders[]stringValues to return in Access-Control-Expose-Headers for allowed CORS responses.
gateways.*.cors.maxAgestringValue to return in Access-Control-Max-Age for allowed preflight requests.
gateways.*.transformationsobjectModify request and response headers, bodies, or metadata.
gateways.*.transformations.conditional[]objectconditional policy entries. An entry without a condition must be the final fallback.
gateways.*.transformations.conditional[].conditionstringcondition must evaluate to true for this policy to execute. If unset, the policy is the fallback.
gateways.*.transformations.conditional[].requestobjectTransform the request before it is forwarded.
gateways.*.transformations.conditional[].request.addobjectHeaders to append using CEL expressions for values.
gateways.*.transformations.conditional[].request.setobjectHeaders to set using CEL expressions for values.
gateways.*.transformations.conditional[].request.remove[]stringHeader names to remove.
gateways.*.transformations.conditional[].request.bodystringCEL expression that computes a replacement body.
gateways.*.transformations.conditional[].request.metadataobjectMetadata values to add using CEL expressions.
gateways.*.transformations.conditional[].responseobjectTransform the response before it is returned.
gateways.*.transformations.conditional[].response.addobjectHeaders to append using CEL expressions for values.
gateways.*.transformations.conditional[].response.setobjectHeaders to set using CEL expressions for values.
gateways.*.transformations.conditional[].response.remove[]stringHeader names to remove.
gateways.*.transformations.conditional[].response.bodystringCEL expression that computes a replacement body.
gateways.*.transformations.conditional[].response.metadataobjectMetadata values to add using CEL expressions.
gateways.*.transformations.requestobjectTransform the request before it is forwarded.
gateways.*.transformations.request.addobjectHeaders to append using CEL expressions for values.
gateways.*.transformations.request.setobjectHeaders to set using CEL expressions for values.
gateways.*.transformations.request.remove[]stringHeader names to remove.
gateways.*.transformations.request.bodystringCEL expression that computes a replacement body.
gateways.*.transformations.request.metadataobjectMetadata values to add using CEL expressions.
gateways.*.transformations.responseobjectTransform the response before it is returned.
gateways.*.transformations.response.addobjectHeaders to append using CEL expressions for values.
gateways.*.transformations.response.setobjectHeaders to set using CEL expressions for values.
gateways.*.transformations.response.remove[]stringHeader names to remove.
gateways.*.transformations.response.bodystringCEL expression that computes a replacement body.
gateways.*.transformations.response.metadataobjectMetadata values to add using CEL expressions.
gateways.*.basicAuthobjectAuthenticate incoming requests with Basic Auth credentials from an htpasswd user database.
gateways.*.basicAuth.htpasswdobjectUser database in htpasswd format. Can be inline or loaded from a file.
gateways.*.basicAuth.htpasswd.filestringPath to a file on disk to load the value from.
gateways.*.basicAuth.realmstringRealm shown in the WWW-Authenticate response header when credentials are missing or invalid.
gateways.*.basicAuth.modeenumControls whether requests must include valid Basic Auth credentials.
Possible values: strict, optional.
gateways.*.basicAuth.authorizationLocationobjectWhere to read the Basic Auth credentials from in incoming requests.
Exactly one of header, queryParameter, cookie, or expression may be set.
gateways.*.basicAuth.authorizationLocation.headerobjectRead the credential from an HTTP header.
gateways.*.basicAuth.authorizationLocation.header.namestringHeader name containing the credential.
gateways.*.basicAuth.authorizationLocation.header.prefixstringPrefix to remove from the header value before validation, such as Bearer or Basic .
gateways.*.basicAuth.authorizationLocation.queryParameterobjectRead the credential from a URL query parameter.
gateways.*.basicAuth.authorizationLocation.queryParameter.namestringQuery parameter name containing the credential.
gateways.*.basicAuth.authorizationLocation.cookieobjectRead the credential from a request cookie.
gateways.*.basicAuth.authorizationLocation.cookie.namestringCookie name containing the credential.
gateways.*.basicAuth.authorizationLocation.expressionstringRead the credential from a CEL expression evaluated against the incoming request.
CEL expression that returns the credential string. This location can extract credentials but cannot insert them.
gateways.*.apiKeyobjectAuthenticate incoming requests with API keys.
gateways.*.apiKey.keys[]objectAPI keys that are accepted by this policy.
gateways.*.apiKey.keys[].keystringAPI key value to accept.
gateways.*.apiKey.keys[].metadataanyOptional metadata attached to requests authenticated with this key.
gateways.*.apiKey.keys[].keyHashstringSHA-256 hash of an API key value to accept, in sha256:<hex> format.
gateways.*.apiKey.modeenumControls whether requests must include a valid API key.
Possible values: strict, optional, permissive.
gateways.*.apiKey.locationobjectWhere to read the API key from in incoming requests.
Exactly one of header, queryParameter, cookie, or expression may be set.
gateways.*.apiKey.location.headerobjectRead the credential from an HTTP header.
gateways.*.apiKey.location.header.namestringHeader name containing the credential.
gateways.*.apiKey.location.header.prefixstringPrefix to remove from the header value before validation, such as Bearer or Basic .
gateways.*.apiKey.location.queryParameterobjectRead the credential from a URL query parameter.
gateways.*.apiKey.location.queryParameter.namestringQuery parameter name containing the credential.
gateways.*.apiKey.location.cookieobjectRead the credential from a request cookie.
gateways.*.apiKey.location.cookie.namestringCookie name containing the credential.
gateways.*.apiKey.location.expressionstringRead the credential from a CEL expression evaluated against the incoming request.
CEL expression that returns the credential string. This location can extract credentials but cannot insert them.
routes[]objectroutes defines HTTP routes attached to one or more named gateways.
routes[].gatewaysstringgateways attaches this route to named gateways or gateway listeners.
This can take the form of <gateway-name> or <gateway-name>/<listener-name> to attach to a specific listener within a gateway.
If unset, the ‘default’ gateway will be used.
routes[].namestringName identifying this route.
routes[].namespacestringNamespace scoping this route.
routes[].ruleNamestringSpecific rule within this route.
routes[].hostnames[]stringCan be a wildcard
routes[].matches[]objectConditions (path, method, headers, query) that select this route.
routes[].matches[].headers[]objectHTTP headers that must match for this route to apply.
routes[].matches[].headers[].namestringHTTP header or pseudo-header name (such as :method) to match.
routes[].matches[].headers[].valueobjectExact or regex pattern the header value must match.
Exactly one of exact or regex may be set.
routes[].matches[].headers[].value.exactstring
routes[].matches[].headers[].value.regexstring
routes[].matches[].pathobjectPath match rule (exact, prefix, or regex). Defaults to a “/” prefix match.
Exactly one of exact, pathPrefix, or regex may be set.
routes[].matches[].path.exactstring
routes[].matches[].path.pathPrefixstring
routes[].matches[].path.regexstring
routes[].matches[].methodstringHTTP method that must match for this route to apply.
routes[].matches[].query[]objectQuery parameters that must match for this route to apply.
routes[].matches[].query[].namestringQuery parameter name to match.
routes[].matches[].query[].valueobjectExact or regex pattern the query parameter value must match.
Exactly one of exact or regex may be set.
routes[].matches[].query[].value.exactstring
routes[].matches[].query[].value.regexstring
`routes[]`routes[]`routes[]
tcpRoutes[].gatewaysstringgateways attaches this route to named TCP/TLS gateways or gateway listeners.
This can take the form of <gateway-name> or <gateway-name>/<listener-name> to attach to a specific listener within a gateway.
If unset, the ‘default’ gateway will be used.
tcpRoutes[].namestringName identifying this route.
tcpRoutes[].namespacestringNamespace scoping this route.
tcpRoutes[].ruleNamestringSpecific rule within this route.
tcpRoutes[].hostnames[]stringCan be a wildcard
`tcpRoutes[]`tcpRoutes[]`tcpRoutes[]
`ui`ui`ui
Was this page helpful?
Agentgateway assistant

Ask me anything about agentgateway configuration, features, or usage.

Note: AI-generated content might contain errors; please verify and test all returned information.

Tip: one topic per conversation gives the best results. Use the + button in the chat header to start a new conversation.

Switching topics? Starting a new conversation improves accuracy.
↑↓ navigate select esc dismiss

What could be improved?

Your feedback helps us improve assistant answers and identify docs gaps we should fix.

Need more help? Join us on Discord: https://discord.gg/y9efgEmppm

Want to use your own agent? Add the Solo MCP server to query our docs directly. Get started here: https://search.solo.io/.