> For the complete documentation index, see [llms.txt](https://docs.kangal.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.kangal.dev/plugins/reference.md).

# Built-in plugin reference

This reference lists canonical package names and supported configuration surfaces for customer deployments. Use `GET /plugin-packages/{name}` to inspect the current JSON Schema and installed version for a tenant.

## Authentication and security

| Package                        | Trigger          | Supported `config` fields                                                                                                                                                                                                                                      | Required configuration                                                                 |
| ------------------------------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
| `api_key_auth`                 | `before_request` | `header_name`, `valid_keys`                                                                                                                                                                                                                                    | `valid_keys`                                                                           |
| `basic_auth`                   | `before_request` | `allowed_users`                                                                                                                                                                                                                                                | `allowed_users` entries with `username`, `password`                                    |
| `oauth2`                       | `before_request` | `client_id`, `client_secret`, `hide_credentials`, `introspection_url`, `required_scopes`, `scope_claim`, `timeout_seconds`, `token_claims`, `token_header`, `token_prefix`, `upstream_headers`, `valid_tokens`                                                 | `introspection_url` or `valid_tokens`                                                  |
| `oidc`                         | `before_request` | `algorithms`, `audience`, `hide_credentials`, `issuer`, `public_key`, `required_scopes`, `scope_claim`, `token_header`, `token_prefix`, `upstream_headers`                                                                                                     | `public_key`; configure issuer, audience, and allowed algorithms                       |
| `ldap_auth`                    | `before_request` | `header_name`, `hide_credentials`, `server_url`, `upstream_headers`, `use_ssl`, `user_dn_template`                                                                                                                                                             | `server_url`; use TLS                                                                  |
| `mtls_client_certificate_auth` | `before_request` | `allowed_common_names`, `allowed_subjects`, `header_name`, `hide_certificate_header`, `max_cert_bytes`, `require_verified_header`, `required_sans`, `trusted_ca_pems`, `trusted_fingerprints`, `upstream_headers`, `verify_header_name`, `verify_header_value` | Trusted CA/fingerprint or a verified-header policy; identity restrictions are optional |
| `session_cookie_auth`          | `before_request` | `cookie_name`, `header_name`, `hide_credentials`, `required_groups`, `required_roles`, `upstream_headers`, `valid_session_ids`, `valid_sessions`                                                                                                               | `valid_session_ids` or `valid_sessions`                                                |
| `vault_authentication`         | `before_request` | `fail_open`, `header_name`, `mode`, `prefix`, `resolved_reference_header`, `secret_ref`, `username`, `username_ref`                                                                                                                                            | `secret_ref` using `vault://...`                                                       |

## Access, traffic, and routing

| Package                 | Trigger          | Supported `config` fields                                                                                                                                                                                                                                                                                        | Required configuration or deployment note                                   |
| ----------------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| `rate_limiter`          | `before_request` | `day`, `error_code`, `error_message`, `fault_tolerant`, `header_name`, `hide_client_headers`, `hour`, `identifier`, `limit`, `limit_by`, `limits`, `minute`, `month`, `path`, `policy`, `scope`, `second`, `strategy`, `sync_rate`, `window_seconds`, `year`                                                     | A limit/window form; Redis-backed shared counters                           |
| `advanced_rate_limiter` | `before_request` | `cost`, `header_name`, `hide_client_headers`, `identifier`, `include_method`, `include_path`, `limit`, `limit_by`, `limits`, `namespace`, `scope`, `strategy`, `window_seconds`                                                                                                                                  | Use for single-process fixed or sliding windows                             |
| `response_rate_limiter` | `both`           | `cost`, `cost_header`, `count_statuses`, `header_name`, `hide_client_headers`, `identifier`, `include_method`, `include_path`, `limit`, `limit_by`, `namespace`, `scope`, `strategy`, `window_seconds`                                                                                                           | Use `both`; counters are local to the gateway process                       |
| `service_protection`    | `both`           | `cooldown_seconds`, `failure_rate_threshold`, `failure_status_codes`, `failure_threshold`, `failure_window_seconds`, `include_headers`, `max_concurrent_requests`, `message`, `minimum_requests`, `namespace`, `open_circuit_body`, `open_circuit_status`, `service_key`, `status_code`                          | Use `all` to include failed requests; state is local to the gateway process |
| `canary_shadow_traffic` | `before_request` | `bucket_by`, `bucket_header_name`, `bucket_header_output_name`, `bucket_key_source`, `bucket_salt`, `canary_forward_url`, `canary_header_name`, `canary_header_value`, `canary_percentage`, `canary_upstream_url`, `decision_header_name`, `decision_headers`, `header_name`, `include_decision_headers`, `seed` | Configure a canary percentage and HTTPS canary target                       |
| `ip_whitelist`          | `before_request` | `allowed_ips`                                                                                                                                                                                                                                                                                                    | `allowed_ips`                                                               |
| `ip_blacklist`          | `before_request` | `blocked_ips`                                                                                                                                                                                                                                                                                                    | `blocked_ips`                                                               |
| `acl_control`           | `before_request` | `allowed_groups`, `allowed_roles`, `allowed_tenants`, `allowed_users`                                                                                                                                                                                                                                            | Configure at least one identity restriction on protected traffic            |
| `bot_detection_basic`   | `before_request` | `allow_user_agents`, `allowed_user_agents`, `block_empty_user_agent`, `block_missing_user_agent`, `blocked_user_agents`, `case_sensitive`, `deny_user_agents`, `header_name`, `message`, `status_code`, `user_agent_allow_patterns`, `user_agent_deny_patterns`                                                  | User-Agent regular-expression policy                                        |
| `request_termination`   | `before_request` | `header_equals`, `message`, `status_code`                                                                                                                                                                                                                                                                        | `header_equals`                                                             |
| `mock_response`         | `before_request` | `body`, `enabled`, `status_code`                                                                                                                                                                                                                                                                                 | `body`                                                                      |
| `forward_proxy`         | `before_request` | `forward_url`                                                                                                                                                                                                                                                                                                    | `forward_url` using HTTP or HTTPS                                           |
| `redirect`              | `before_request` | `location`, `preserve_path`, `preserve_query`, `status_code`, `url`                                                                                                                                                                                                                                              | `url` or `location`                                                         |
| `response_cache`        | `both`           | `cache_control`, `cache_header_name`, `include_query`, `max_body_bytes`, `methods`, `namespace`, `respect_cache_control`, `statuses`, `ttl`, `ttl_seconds`, `vary_headers`                                                                                                                                       | Cache state is local to the gateway process                                 |

## Transformation

| Package                  | Trigger          | Supported `config` fields                                                                                                                                                                                           | Required configuration or note             |
| ------------------------ | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
| `response_header_setter` | `after_response` | `add`, `add_headers`, `headers`, `remove`, `remove_headers`, `rename`, `rename_headers`, `set`, `set_headers`                                                                                                       | Configure at least one header operation    |
| `body_transformer`       | `before_request` | `add_fields`, `override_fields`, `remove_fields`                                                                                                                                                                    | Top-level JSON fields                      |
| `request_transformer`    | `before_request` | `add_headers`, `add_json_fields`, `headers`, `remove_headers`, `remove_json_fields`, `rename_headers`, `replace_json_fields`, `set_headers`                                                                         | Request headers and top-level JSON fields  |
| `response_transformer`   | `after_response` | `add_headers`, `add_json_fields`, `headers`, `max_body_bytes`, `remove_headers`, `remove_json_fields`, `rename_headers`, `replace_json_fields`, `set_headers`                                                       | Response headers and top-level JSON fields |
| `json_transform`         | `both`           | `add`, `add_fields`, `content_types`, `max_body_bytes`, `operations`, `remove`, `remove_fields`, `rename`, `rename_fields`, `replace`, `replace_fields`, `set`, `strict`, `target`                                  | JSON path operations                       |
| `xml_transform`          | `both`           | `add`, `add_fields`, `content_types`, `max_body_bytes`, `operations`, `remove`, `remove_fields`, `rename`, `rename_fields`, `replace`, `replace_fields`, `set`, `set_fields`, `strict`, `target`, `xml_declaration` | XML path operations                        |
| `template_transform`     | `both`           | `content_type`, `max_body_bytes`, `parse_json`, `request_content_type`, `request_template`, `response_content_type`, `response_template`, `strict`, `target`, `template`, `templates`                               | `{{ variable.path }}` substitutions        |
| `masking_transform`      | `both`           | `content_types`, `headers`, `json_paths`, `mask`, `max_body_bytes`, `request_headers`, `request_json_paths`, `response_headers`, `response_json_paths`, `strict`, `target`                                          | Select headers or JSON paths to mask       |

## Observability

| Package              | Trigger          | Supported `config` fields                                                                                                                                                                                                                                              | Required configuration or note                             |
| -------------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- |
| `correlation_id`     | `both`           | `allow_client_override`, `echo_downstream`, `echo_response`, `header_name`, `response_header_name`                                                                                                                                                                     | Configure the propagated header policy                     |
| `http_log`           | `both`           | `content_type`, `correlation_id_header`, `endpoint`, `fail_on_error`, `headers`, `http_endpoint`, `include_headers`, `method`, `request_id_header`, `timeout`                                                                                                          | `http_endpoint` or `endpoint`                              |
| `audit_event_stream` | `both`           | `action`, `audit_endpoint`, `content_type`, `correlation_id_header`, `endpoint`, `error_action`, `event_type`, `fail_on_error`, `headers`, `include_headers`, `method`, `request_id_header`, `timeout`                                                                 | `audit_endpoint` or `endpoint`                             |
| `sampling`           | `before_request` | `decision_header`, `header_name`, `include_decision_header`, `rate`, `seed`, `strategy`                                                                                                                                                                                | `rate` from `0` through `1`; run before dependent emitters |
| `datadog`            | `both`           | `api_key`, `content_type`, `correlation_id_header`, `datadog_endpoint`, `endpoint`, `env`, `fail_on_error`, `headers`, `include_headers`, `intake_url`, `method`, `metric_prefix`, `request_id_header`, `service_name`, `site`, `source`, `tags`, `timeout`, `version` | API key/site or an approved endpoint                       |
| `file_log`           | `both`           | `correlation_id_header`, `fail_on_error`, `include_headers`, `path`, `request_id_header`                                                                                                                                                                               | Local diagnostics path                                     |
| `kafka_log`          | `both`           | `acks`, `bootstrap_servers`, `client_id`, `compression_type`, `correlation_id_header`, `fail_on_error`, `flush_timeout`, `include_headers`, `kafka_headers`, `key_field`, `request_id_header`, `timeout`, `topic`                                                      | `topic`, `bootstrap_servers`                               |
| `tcp_log`            | `both`           | `correlation_id_header`, `fail_on_error`, `host`, `include_headers`, `port`, `request_id_header`, `timeout`                                                                                                                                                            | `host`, `port`                                             |
| `udp_log`            | `both`           | `correlation_id_header`, `fail_on_error`, `host`, `include_headers`, `port`, `request_id_header`, `timeout`                                                                                                                                                            | `host`, `port`                                             |
| `statsd_metrics`     | `both`           | `capture_to_state`, `dry_run`, `host`, `include_route_tags`, `namespace`, `port`, `sample_rate`, `tag_format`, `tags`, `timeout`                                                                                                                                       | `host`, `port`                                             |

## Contract and AI policies

| Package                   | Trigger          | Supported `config` fields                                                                                                                                                                                                                                                        | Required configuration or note               |
| ------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- |
| `oas_validation`          | `before_request` | `base_path`, `error_header`, `max_body_bytes`, `response_status_code`, `spec`, `status_code`, `strict`, `validate_request`, `validate_response`                                                                                                                                  | `spec`; use `both` when validating responses |
| `ai_response_guard`       | `after_response` | `action`, `block_pii`, `blocked_patterns`, `blocked_terms`, `case_sensitive`, `content_types`, `mask`, `max_body_bytes`, `message`, `pii_types`, `response_blocked_patterns`, `response_blocked_terms`, `status_code`                                                            | Configure block or mask rules                |
| `ai_proxy`                | `before_request` | `consumer_group_policies`, `consumer_policies`, `default_provider`, `guardrails`, `model_routes`, `pii_redaction`, `prompt_response_logging`, `providers`, `route_type`, `semantic_cache`, `target_selection`, `trust_consumer_headers`                                          | Provider and route policy                    |
| `ai_prompt_template`      | `before_request` | `append_messages`, `content_type`, `defaults`, `fail_on_missing_messages`, `max_prompt_chars`, `metadata`, `model`, `prepend_messages`, `status_code`, `strict_content_type`, `system_prompt`, `user_prefix`, `user_suffix`                                                      | OpenAI-compatible chat request body          |
| `ai_response_transformer` | `after_response` | `header_name`, `max_body_bytes`, `metadata`, `prefix`, `replacements`, `strict`, `suffix`                                                                                                                                                                                        | OpenAI-compatible response text fields       |
| `ai_rag_injector`         | `before_request` | `content_field`, `context_template`, `fail_open`, `headers`, `include_tenant_header`, `max_context_chars`, `position`, `query_field`, `results_path`, `retrieval_url`, `role`, `separator`, `timeout_seconds`, `top_k`                                                           | `retrieval_url`                              |
| `llm_as_judge`            | `after_response` | `action`, `allowed_verdicts`, `api_key`, `api_key_env`, `criteria`, `fail_open`, `headers`, `judge_url`, `max_body_bytes`, `minimum_score`, `model`, `score_path`, `status_code`, `timeout_seconds`, `verdict_path`                                                              | `judge_url`                                  |
| `aws_guardrails`          | `both`           | `access_key_id`, `access_key_id_env`, `action`, `endpoint_url`, `fail_open`, `guardrail_id`, `guardrail_version`, `max_body_bytes`, `qualifiers`, `region`, `secret_access_key`, `secret_access_key_env`, `session_token`, `session_token_env`, `status_code`, `timeout_seconds` | `guardrail_id`, `region`                     |

Secret values are redacted in `GET /plugins` responses. Use the installed package schema as the source for validation and keep credentials in approved secret storage.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.kangal.dev/plugins/reference.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
