API overview
Create a policy (V2)
POST /api/v2/policies
Content-Type: application/json
Create a policy attachment (V1)
POST /api/v1/policy-attachments
Content-Type: application/json
Basic request structures
CreatePolicyRequest (V2)
{
"name": "Policy name",
"className": "Policy type",
"config": "Policy configuration JSON string",
"description": "Policy description (optional)"
}
|
Field |
Type |
Required |
Description |
Constraints |
|
name |
string |
Yes |
Policy name. |
Cannot be empty. |
|
className |
string |
Yes |
Policy type. |
See the list of supported policy types. |
|
config |
string |
Yes |
The JSON string for the policy configuration. |
Provide the JSON configuration that corresponds to the policy type. |
|
description |
string |
No |
Policy description. |
Maximum 200 characters. |
CreatePolicyAttachmentRequest (V1)
{
"attachResourceId": "ResourceID1",
"attachResourceType": "Resource type",
"environmentId": "Environment ID",
"gatewayId": "Gateway ID",
"policyId": "Policy ID"
}
|
Field |
Type |
Required |
Description |
|
attachResourceId |
string |
Yes |
The list of resource IDs to attach. |
|
attachResourceType |
string |
Yes |
Resource type: Gateway, Domain, Route, LLMApi, AgentApi, Api, Operation, Service, or ServicePort. |
|
environmentId |
string |
Conditional |
The environment ID. This parameter is required for Route, Api, Operation, LLMApi, and AgentApi. |
|
gatewayId |
string |
Conditional |
The gateway ID. This parameter is required for Route, Gateway, Domain, Service, ServicePort, LLMApi, and AgentApi. |
Supported policy types
General throttling policies
-
RateLimit - Rate limiting
-
ConcurrencyLimit - Concurrency limiting
-
CircuitBreaker - Circuit breaking
-
Timeout - Timeout control
-
Retry - Retry policy
Routing and forwarding policies
-
HttpRewrite - HTTP rewrite
-
HeaderModify - Header modification
-
Redirect - Redirection
-
DirectResponse - Direct response
-
Fallback - Fallback policy
-
DynamicRoute - Dynamic routing (swimlane)
AI-related policies
-
AiStatistics - AI statistics
-
AiSecurityGuard - AI Guardrails
-
AiFallback - AI fallback
-
AiTokenRateLimit - AI token rate limiting
-
AiCache - AI cache
-
AiNetworkSearch - AI network search
-
AiToolSelection - AI tool selection
Security and authentication policies
-
Authentication - Unified authentication
-
JWTAuth - JWT authentication
-
OIDCAuth - OIDC authentication
-
ExternalZAuth - External authentication
-
Waf - Web Application Firewall
-
IpAccessControl - IP access control
Cross-domain and replication policies
-
Cors - Cross-origin resource sharing
-
FlowCopy - Traffic replication
Service administration policies
-
ServiceTls - Service TLS
-
ServiceLb - Service load balancing
-
ServicePortTls - Service port TLS
General throttling policies
RateLimit - Rate limiting
Scope: Route, Gateway, Domain, Service
Configuration:
{
"threshold": 100,
"behaviorType": 0,
"bodyEncoding": 0,
"responseStatusCode": 429,
"responseContentBody": "{\"error\":\"Too Many Requests\"}",
"responseRedirectUrl": "",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
threshold |
int |
Yes |
Rate limit threshold (requests per second). |
|
behaviorType |
int |
Yes |
Behavior type. 0: Return a response. 1: Redirect. |
|
bodyEncoding |
int |
Yes |
Response body encoding. 0: TEXT. 1: JSON. |
|
responseStatusCode |
int |
Yes |
Response status code. |
|
responseContentBody |
string |
No |
Response body content. |
|
responseRedirectUrl |
string |
No |
Redirection URL. This parameter is used when `behaviorType` is 1. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
Example call:
curl -X POST http://gateway-api/api/v2/policies \
-H "Content-Type: application/json" \
-d '{
"name": "API Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":1,\"responseStatusCode\":429,\"responseContentBody\":\"{\\\"error\\\":\\\"Too Many Requests\\\"}\",\"enable\":true}",
"description": "Limits API requests to 100 per second."
}'
ConcurrencyLimit - Concurrency limiting
Scope: Route, Gateway, Domain
Configuration:
{
"maxConcurrency": 50,
"behaviorType": 0,
"bodyEncoding": 0,
"responseStatusCode": 503,
"responseContentBody": "{\"error\":\"Service Overloaded\"}",
"responseRedirectUrl": "",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
maxConcurrency |
int |
Yes |
Maximum concurrency. |
|
behaviorType |
int |
Yes |
Behavior type. 0: Return a response. 1: Redirect. |
|
bodyEncoding |
int |
Yes |
Response body encoding. 0: TEXT. 1: JSON. |
|
responseStatusCode |
int |
Yes |
Response status code when the limit is exceeded. |
|
responseContentBody |
string |
No |
Response body content when the limit is exceeded. |
|
responseRedirectUrl |
string |
No |
Redirection URL. This parameter is used when `behaviorType` is 1. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
CircuitBreaker - Circuit breaking
Scope: Route, Service
Configuration:
{
"strategy": 0,
"minRequestAmount": 10,
"maxAllowedMs": 5000,
"triggerRatio": 50,
"statDurationSec": 30,
"recoveryTimeoutSec": 30,
"responseStatusCode": 503,
"bodyEncoding": 0,
"responseContentBody": "{\"error\":\"Service Unavailable\"}",
"responseRedirectUrl": "",
"behaviorType": 0,
"enable": true
}
|
Field |
Type |
Required |
Description |
|
strategy |
int |
Yes |
Circuit breaker strategy. 0: Slow calls. 1: Abnormal responses. |
|
minRequestAmount |
int |
Yes |
Minimum number of requests. |
|
maxAllowedMs |
int |
No |
Maximum allowed response time in milliseconds. This parameter is required when `strategy` is 0. |
|
triggerRatio |
int |
Yes |
The ratio (percentage) that triggers the circuit breaker. |
|
statDurationSec |
int |
Yes |
Statistics collection duration in seconds. |
|
recoveryTimeoutSec |
int |
Yes |
Circuit breaker recovery time in seconds. |
|
responseStatusCode |
int |
Yes |
Response status code when the circuit is open. |
|
bodyEncoding |
int |
Yes |
Response body encoding. 0: TEXT. 1: JSON. |
|
responseContentBody |
string |
No |
Response body content when the circuit is open. |
|
responseRedirectUrl |
string |
No |
Redirection URL. This parameter is used when `behaviorType` is 1. |
|
behaviorType |
int |
Yes |
Behavior type. 0: Return a response. 1: Redirect. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
Timeout - Timeout control
Scope: Route, Service
Configuration:
{
"unitNum": 30,
"timeUnit": "s",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
unitNum |
float64 |
Yes |
Timeout duration value. |
|
timeUnit |
string |
Yes |
Time unit. s: seconds. m: minutes. h: hours. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
Retry - Retry policy
Scope: Route, Service
Configuration:
{
"attempts": 3,
"retryOn": ["5xx", "reset", "connect-failure"],
"httpCodes": ["502", "503", "504"],
"perTryTimeout": 10,
"enable": true
}
|
Field |
Type |
Required |
Description |
|
attempts |
int |
Yes |
Maximum number of retries. |
|
retryOn |
[]string |
Yes |
Retry conditions: 5xx, reset, connect-failure, or refused-stream. |
|
httpCodes |
[]string |
No |
The list of HTTP status codes that trigger a retry. |
|
perTryTimeout |
float64 |
No |
Timeout for each retry in seconds. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
HttpRewrite - HTTP rewrite
Scope: Route
Configuration:
{
"pathType": "Exact",
"path": "/v2/api",
"pattern": "",
"substitution": "",
"host": "new-backend.example.com",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
pathType |
string |
Yes |
Path matching type: Exact, Prefix, or Regex. |
|
path |
string |
No |
The rewritten path. This parameter is used when `pathType` is Exact or Prefix. |
|
pattern |
string |
No |
The regular expression pattern. This parameter is required when `pathType` is Regex. |
|
substitution |
string |
No |
The replacement string. This parameter is required when `pathType` is Regex. |
|
host |
string |
No |
The rewritten Host header. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
HeaderModify - Header modification
Scope: Route, Gateway, Domain
Configuration:
{
"enable": true,
"headerOpItems": [
{
"directionType": "Request",
"opType": "Add",
"key": "X-Custom-Header",
"value": "custom-value",
"policyValueGenerateMode": "Custom"
},
{
"directionType": "Request",
"opType": "Update",
"key": "Authorization",
"value": "Bearer {{token}}",
"policyValueGenerateMode": "Custom"
},
{
"directionType": "Request",
"opType": "Remove",
"key": "X-Debug-Mode",
"value": "",
"policyValueGenerateMode": "Custom"
}
]
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
headerOpItems |
[]object |
Yes |
The list of header operations. |
|
├─ directionType |
string |
Yes |
Direction type: Request or Response. |
|
├─ opType |
string |
Yes |
Operation type: Add, Update, or Remove. |
|
├─ key |
string |
Yes |
Header key name. |
|
├─ value |
string |
No |
Header value. This can be empty when `opType` is Remove. |
|
└─ policyValueGenerateMode |
string |
Yes |
Value generation mode: Custom or Reference. |
Redirect - Redirection
Scope: Route
Configuration:
{
"code": "301",
"host": "new-domain.com",
"path": "/new-path",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
code |
string |
Yes |
Redirection status code: 301, 302, 303, 307, or 308. |
|
host |
string |
No |
Destination Host for redirection. |
|
path |
string |
No |
Destination path for redirection. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
DirectResponse - Direct response
Scope: Route
Configuration:
{
"code": "200",
"body": "{\"status\":\"ok\",\"message\":\"Service Maintenance\"}",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
code |
string |
Yes |
Response status code. |
|
body |
string |
Yes |
Response body content. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
Fallback - Fallback policy
Scope: Route, Service
Configuration:
{
"enable": true,
"fallBackDestination": [
{
"serviceId": "backup-service-1",
"serviceName": "backup-service-name",
"serviceVersion": "v1",
"port": "8080"
}
]
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
fallBackDestination |
[]object |
Yes |
The list of fallback destinations. |
|
├─ serviceId |
string |
Yes |
Fallback service ID. |
|
├─ serviceName |
string |
No |
Fallback service name. |
|
├─ serviceVersion |
string |
No |
Service version. |
|
└─ port |
string |
No |
Service port. |
IpAccessControl - IP access control
Scope: Route, Gateway, Domain
Configuration:
{
"name": "IP Whitelist Policy",
"description": "Allow access from specific IPs",
"ipAccessControlResourceName": "api-route-1",
"ipAccessControlResourceType": "Route",
"ipAccessControlType": "White",
"ipAccessControlContent": "192.168.1.0/24,10.0.0.1",
"protocolLayer": "L7",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
name |
string |
Yes |
Policy name. |
|
description |
string |
No |
Policy description. |
|
ipAccessControlResourceName |
string |
Yes |
Resource name. |
|
ipAccessControlResourceType |
string |
Yes |
Resource type: Route, Gateway, or Domain. |
|
ipAccessControlType |
string |
Yes |
Control type: White (whitelist) or Black (blacklist). |
|
ipAccessControlContent |
string |
Yes |
The list of IP addresses. Separate multiple addresses with commas. CIDR notation is supported. |
|
protocolLayer |
string |
Yes |
Protocol layer: L7 (application layer) or L4 (transport-layer). |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
Cors - Cross-origin resource sharing
Scope: Route, Gateway, Domain
Configuration:
{
"allowOrigins": "https://example.com,https://app.example.com",
"allowMethods": ["GET", "POST", "PUT", "DELETE"],
"allowHeaders": "Content-Type,Authorization",
"exposeHeaders": "X-Custom-Header",
"timeUnit": "s",
"unitNum": 3600,
"allowCredentials": true,
"enable": true
}
|
Field |
Type |
Required |
Description |
|
allowOrigins |
string |
Yes |
Allowed origins. Separate multiple origins with commas. Use `*` to allow all origins. |
|
allowMethods |
[]string |
Yes |
Allowed HTTP methods. |
|
allowHeaders |
string |
Yes |
Allowed request headers. Separate multiple headers with commas. |
|
exposeHeaders |
string |
No |
Exposed response headers. Separate multiple headers with commas. |
|
timeUnit |
string |
Yes |
Time unit. s: seconds. m: minutes. h: hours. |
|
unitNum |
int |
Yes |
Cache duration for preflight requests. |
|
allowCredentials |
bool |
Yes |
Specifies whether to allow credentials. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
FlowCopy - Traffic replication
Scope: Route
Configuration:
{
"targetServiceId": "test-service-id",
"targetServiceName": "test-service",
"port": "8080",
"percentage": 10,
"enable": true
}
|
Field |
Type |
Required |
Description |
|
targetServiceId |
string |
Yes |
Target service ID. |
|
targetServiceName |
string |
No |
Target service name. |
|
port |
string |
No |
Target service port. |
|
percentage |
int |
No |
The percentage of traffic to replicate (1-100). Default is 100. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
DynamicRoute - Dynamic routing (swimlane)
Scope: Gateway
Configuration:
{
"enable": true,
"dynamicRouteSwimmingLaneConfigs": [
{
"swimmingLaneGroupId": 1001,
"swimmingLaneId": 2001,
"canaryModel": 0,
"percentage": 20,
"swimmingLaneTag": "lane-v2",
"predicates": [
{
"type": "Header",
"name": "x-env",
"condition": "==",
"value": "test"
}
],
"matchCondition": "And",
"enable": true
}
]
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
dynamicRouteSwimmingLaneConfigs |
[]object |
Yes |
The list of swimlane configurations. |
|
├─ swimmingLaneGroupId |
int64 |
Yes |
Swimlane group ID. |
|
├─ swimmingLaneId |
int64 |
Yes |
Swimlane ID. |
|
├─ canaryModel |
int |
Yes |
Grayscale mode. 0: By content. 1: By percentage. |
|
├─ percentage |
int |
No |
Traffic percentage. This parameter is used in percentage mode. |
|
├─ swimmingLaneTag |
string |
Yes |
Swimlane tag. |
|
├─ predicates |
[]object |
No |
Match criteria for content patterns |
|
│ ├─ type |
string |
Yes |
Parameter type: Header, Cookie, or Parameter. |
|
│ ├─ name |
string |
Yes |
Parameter name. |
|
│ ├─ condition |
string |
Yes |
Condition: ==, !=, Pre, Regex, List, or %. |
|
│ ├─ value |
string |
Yes |
Match value. |
|
│ └─ names |
[]string |
No |
List of values. This parameter is used when `condition` is List. |
|
├─ matchCondition |
string |
Yes |
Match relationship: And or Or. |
|
└─ enable |
bool |
Yes |
Specifies whether to enable this swimlane. |
AI-related policies
AiStatistics - AI statistics
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"aiStatisticsConfig": {
"logRequestContent": true,
"logResponseContent": true
}
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
aiStatisticsConfig |
object |
No |
AI statistics configuration. |
|
├─ logRequestContent |
bool |
No |
Specifies whether to log request content. Default is true. |
|
└─ logResponseContent |
bool |
No |
Specifies whether to log response content. Default is true. |
AiSecurityGuard - AI Guardrails
Scope: Service
Configuration:
{
"enable": true,
"serviceAddress": "http://security-guard-service:8080",
"checkRequest": true,
"checkResponse": true,
"riskAlertLevel": "medium",
"requestCheckService": "Security",
"responseCheckService": "Security",
"bufferLimit": 1000,
"riskConfig": [
{
"type": "Global",
"level": "high"
},
{
"type": "ContentModeration",
"level": "medium"
}
]
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
serviceAddress |
string |
Yes |
Security service endpoint. |
|
checkRequest |
bool |
Yes |
Specifies whether to check requests. |
|
checkResponse |
bool |
Yes |
Specifies whether to check responses. |
|
riskAlertLevel |
string |
Yes |
Risk level: low, medium, high, or max. |
|
requestCheckService |
string |
No |
Request check service: LLM or Security. |
|
responseCheckService |
string |
No |
Response check service: LLM or Security. |
|
bufferLimit |
int |
No |
Buffer limit. Default is 1000. |
|
riskConfig |
[]object |
No |
The list of risk configurations. |
|
├─ type |
string |
Yes |
Risk type: Global, ContentModeration, PromptAttack, SensitiveData, MaliciousUrl, or ModelHallucination. |
|
└─ level |
string |
Yes |
Risk level: low, medium, high, or max. |
AiTokenRateLimit - AI token rate limiting
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"rules": [
{
"limitType": "LimitByConsumer",
"threshold": 10000,
"timeWindow": 60,
"responseStatusCode": 429,
"responseContentBody": "{\"error\":\"Token limit exceeded\"}"
}
],
"enableGlobalRules": true,
"globalRules": [
{
"limitType": "LimitByGlobal",
"threshold": 100000,
"timeWindow": 60
}
],
"redisConfig": {
"serviceHost": "redis-service:6379",
"servicePort": 6379,
"database": 0,
"username": "",
"password": ""
}
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
rules |
[]object |
No |
The list of standard rate limiting rules. |
|
├─ limitType |
string |
Yes |
Limit type: LimitByConsumer or LimitByModel. |
|
├─ threshold |
int |
Yes |
Token threshold. |
|
├─ timeWindow |
int |
Yes |
Time window in seconds. |
|
├─ responseStatusCode |
int |
No |
Response status code when the limit is exceeded. |
|
└─ responseContentBody |
string |
No |
Response body content when the limit is exceeded. |
|
enableGlobalRules |
bool |
No |
Specifies whether to enable global rate limiting rules. |
|
globalRules |
[]object |
No |
The list of global rate limiting rules. |
|
├─ limitType |
string |
Yes |
Limit type. Must be LimitByGlobal. |
|
├─ threshold |
int |
Yes |
Token threshold. |
|
└─ timeWindow |
int |
Yes |
Time window in seconds. |
|
redisConfig |
object |
Yes |
Redis configuration. |
|
├─ serviceHost |
string |
Yes |
Redis endpoint. |
|
├─ servicePort |
int |
Yes |
Redis port. |
|
├─ database |
int |
No |
Database number. Default is 0. |
|
├─ username |
string |
No |
Username. |
|
└─ password |
string |
No |
Password. |
AiCache - AI cache
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"cacheTTL": 3600,
"cacheMode": "exact",
"cacheKeyStrategy": "messages",
"redisConfig": {
"serviceHost": "redis-service:6379",
"servicePort": 6379,
"database": 0
}
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Enable |
|
cacheTTL |
int |
Yes |
Cache time-to-live (TTL) in seconds. |
|
cacheMode |
string |
Yes |
Cache mode: exact or semantic. |
|
cacheKeyStrategy |
string |
No |
Cache key strategy. |
|
redisConfig |
object |
Yes |
Redis configuration. |
|
├─ serviceHost |
string |
Yes |
Redis endpoint. |
|
├─ servicePort |
int |
Yes |
Redis port. |
|
├─ database |
int |
No |
Database number. Default is 0. |
|
├─ username |
string |
No |
Username. |
|
└─ password |
string |
No |
Password. |
|
vectorConfig |
object |
No |
Vector database configuration. This parameter is used in semantic mode. |
|
├─ type |
string |
Yes |
Vector database type: adb-postgres. |
|
├─ serviceHost |
string |
Yes |
Vector database endpoint. |
|
├─ apiKey |
string |
Yes |
API key. |
|
├─ timeout |
int |
Yes |
Timeout in milliseconds. |
|
├─ collectionId |
string |
Yes |
Collection ID. |
|
└─ threshold |
float |
Yes |
Similarity threshold (0-1). |
|
embeddingConfig |
object |
No |
Embedding configuration. This parameter is used in semantic mode. |
|
├─ type |
string |
Yes |
Embedding type: dashscope or azure. |
|
└─ serviceId |
string |
Yes |
Embedding service ID. |
AiFallback - AI fallback
Scope: Service
Configuration:
{
"enable": true,
"fallbackModelMappings": [
{
"model": "gpt-4",
"fallbackModels": [
{
"serviceId": "backup-service-1",
"model": "gpt-3.5-turbo"
}
]
}
]
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
fallbackModelMappings |
[]object |
Yes |
The list of fallback model mappings. |
|
├─ model |
string |
Yes |
Original model name. |
|
└─ fallbackModels |
[]object |
Yes |
The list of fallback models. |
|
├─ serviceId |
string |
Yes |
Fallback service ID. |
|
└─ model |
string |
Yes |
Fallback model name. |
AiNetworkSearch - AI network search
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"provider": "bing",
"apiKey": "your-search-api-key",
"maxResults": 10,
"timeout": 5000
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
|
provider |
string |
Yes |
Search provider. |
|
apiKey |
string |
Yes |
Search API key. |
|
maxResults |
int |
No |
Maximum number of results to return. |
|
timeout |
int |
No |
Timeout in milliseconds. |
AiToolSelection - AI tool selection
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"tools": [
{
"name": "calculator",
"description": "Used for mathematical calculations",
"enabled": true
}
]
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Enable |
|
tools |
[]object |
Yes |
The list of tools. |
|
├─ name |
string |
Yes |
Tool name. |
|
├─ description |
string |
Yes |
Tool description. |
|
└─ enabled |
bool |
Yes |
Specifies whether to enable this tool. |
Security and authentication policies
Authentication - Unified authentication
Scope: Route, Gateway, Domain
Configuration:
{
"authenticationType": "key-auth",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
authenticationType |
string |
Yes |
Authentication type: key-auth, basic-auth, or jwt-auth. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
JWTAuth - JWT authentication
Scope: Route, Gateway, Domain
Configuration:
{
"name": "jwt-policy",
"issuer": "https://auth.example.com",
"sub": "",
"jwks": "https://auth.example.com/.well-known/jwks.json",
"tokenPosition": "header",
"tokenName": "Authorization",
"tokenNamePrefix": "Bearer ",
"tokenPass": true,
"whiteOrBlack": "",
"authResources": [],
"resources": "",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
name |
string |
Yes |
Policy name. |
|
issuer |
string |
Yes |
JWT issuer. |
|
sub |
string |
No |
Subject. |
|
jwks |
string |
Yes |
JWKS URI. |
|
tokenPosition |
string |
Yes |
Token location: header, query, or cookie. |
|
tokenName |
string |
Yes |
Token field name. |
|
tokenNamePrefix |
string |
No |
Token prefix, such as "Bearer ". |
|
tokenPass |
bool |
Yes |
Specifies whether to pass through the token. |
|
whiteOrBlack |
string |
No |
Whitelist or blacklist mode. |
|
authResources |
[]object |
No |
The list of authentication resources. |
|
resources |
string |
No |
Resource configuration. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
OIDCAuth - OIDC authentication
Scope: Route, Gateway, Domain
Configuration:
{
"issuer": "https://accounts.google.com",
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"redirectUri": "https://your-app.com/callback",
"scopes": ["openid", "profile", "email"],
"enable": true
}
|
Field |
Type |
Required |
Description |
|
issuer |
string |
Yes |
OIDC provider URL. |
|
clientId |
string |
Yes |
Client ID. |
|
clientSecret |
string |
Yes |
Client secret. |
|
redirectUri |
string |
Yes |
Redirection URI. |
|
scopes |
[]string |
Yes |
The requested scopes. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
ExternalZAuth - External authentication
Scope: Route, Gateway, Domain
Configuration:
{
"authServiceUrl": "https://auth-service.example.com/verify",
"timeout": 5000,
"enable": true
}
|
Field |
Type |
Required |
Description |
|
authServiceUrl |
string |
Yes |
External authentication service URL. |
|
timeout |
int |
No |
Timeout in milliseconds. |
|
enable |
bool |
Yes |
Enable |
Waf - Web Application Firewall
Scope: Route, Gateway, Domain
Configuration:
{
"enable": true
}
|
Field |
Type |
Required |
Description |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
Service administration policies
ServiceLb - Service load balancing
Scope: Service
Configuration:
{
"loadBalancerType": "ROUND_ROBIN",
"consistentHashLBConfig": {
"parameterName": "user-id",
"httpCookie": {
"name": "session-id",
"path": "/",
"ttl": "3600s"
},
"minimumRingSize": 1024,
"consistentHashLBType": "HEADER"
},
"warmupDuration": 60,
"enable": true
}
|
Field |
Type |
Required |
Description |
|
loadBalancerType |
string |
Yes |
Load balancing type: ROUND_ROBIN, LEAST_CONN, RANDOM, or CONSISTENT_HASH. |
|
consistentHashLBConfig |
object |
No |
Consistent hash configuration. This parameter is used when `loadBalancerType` is CONSISTENT_HASH. |
|
├─ parameterName |
string |
No |
Parameter name. |
|
├─ httpCookie |
object |
No |
Cookie configuration. |
|
│ ├─ name |
string |
Yes |
Cookie name. |
|
│ ├─ path |
string |
No |
Cookie path. |
|
│ └─ ttl |
string |
No |
Cookie time-to-live (TTL). |
|
├─ minimumRingSize |
int |
No |
Minimum ring size. |
|
└─ consistentHashLBType |
string |
Yes |
Hash type: HEADER, COOKIE, SOURCE_IP, or QUERY_PARAMETER. |
|
warmupDuration |
int |
No |
Warm-up duration in seconds. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
ServiceTls - Service TLS
Scope: Service
Configuration:
{
"mode": "SIMPLE",
"certId": "cert-id-123",
"caCertId": "ca-cert-id-456",
"caCertContent": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"subjectAltNames": ["*.example.com"],
"sni": "backend-service.example.com",
"enable": true
}
|
Field |
Type |
Required |
Description |
|
mode |
string |
Yes |
TLS mode: DISABLE, SIMPLE, MUTUAL, or ISTIO_MUTUAL. |
|
certId |
string |
No |
Certificate ID. |
|
caCertId |
string |
No |
CA certificate ID. |
|
caCertContent |
string |
No |
CA certificate content in PEM format. |
|
subjectAltNames |
[]string |
No |
Subject Alternative Names. |
|
sni |
string |
No |
SNI hostname. |
|
enable |
bool |
Yes |
Specifies whether to enable the policy. |
ServicePortTls - Service port TLS
Scope: ServicePort
Configuration: Same as ServiceTls.
Error examples and best practices
Error example 1: Incorrect format for the config field
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": {"threshold": 100} // Error: config must be a JSON string
}
Correct format:
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":0,\"responseStatusCode\":429,\"enable\":true}"
}
Error example 2: Missing enable field
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":0,\"responseStatusCode\":429}" // The enable field is missing
}
Correct format:
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":0,\"responseStatusCode\":429,\"enable\":true}"
}
Response format
Successful response
{
"policyId": "policy-abc123"
}
Error response
{
"errorCode": "ErrInvalidParameter",
"errorMessage": "Invalid parameter: className",
"requestId": "req-xxx"
}