Kong Konnect

Konnect Runtime Configuration API

The API for configuring Kong Konnect Runtime Groups.

URL	Description
`https://us.api.konghq.com/v2/runtime-groups/{runtime_group_id}`	US Region Konnect Platform Base URL
`https://eu.api.konghq.com/v2/runtime-groups/{runtime_group_id}`	EU Region Konnect Platform Base URL

This API is similar to the Kong Gateway admin API with a few major differences:

PATCH methods are not supported

PATCH methods are not yet available in the Konnect core entities endpoint. Update operations can be performed with the PUT method.
Updated error responses

Error responses returned in Konnect core entities endpoint are not compatible with the error responses returned by the Kong Admin APIs.
POST methods only support application/json

The content types application/x-www-form-urlencoded and multipart/form-data are not supported in the Konnect core entities endpoint. Please use application/json.
Nested endpoints are not supported

Core entities endpoints include only the top level path. For example, to retrieve a route, only /routes/{route name or id} is supported. Nested endpoints are not available in Konnect.

Supported Content Types

application/json

Handy for complex bodies (ex: complex plugin configuration), in that case send a JSON representation of the data you want to send. Example:

{
    "config": {
        "limit": 10,
        "period": "seconds"
    }
}

An example adding a Route to a Service named test-service:

curl -i -X POST https://us.api.konghq.com/v2/runtime-groups/{runtime_group_id}/core-entities/routes \
     -H "Content-Type: application/json" \
     -d '{"name": "test-route", "paths": [ "/path/one", "/path/two" ]}'

More resources

Nodes

List Runtime Instance Records

Returns a list of runtime instance records that are associated to this runtime group. A runtime instance record contains all the metadata information of the Kong Gateway dataplane.

Endpoint

/nodes

Path Parameters

Attribute	Description
`page.size`	The number of items to include in a page.
`page.number`	The specific page number in the collection results.

Response

HTTP 200 OK

Fetch Runtime Instance Record

Retrieve a specific runtime instance record associated to this runtime group. A runtime instance record contains all the metadata information of the Kong Gateway dataplane.

Endpoint

/nodes/{node_id}

Path Parameters

Attribute	Description
`node_id`	The unique identifier for the runtime instance.

Response

HTTP 204 OK

Delete Runtime Instance Record

Remove a specific runtime instance record associated to this runtime group. Deleting this record does not prevent the runtime instance from re-connecting to the runtime group.

Endpoint

/nodes/{node_id}

Path Parameters

Attribute	Description
`node_id`	The unique identifier for the runtime instance.

Response

HTTP 204 No Content

Fetch Expected Config Hash

Retrieve the expected config hash for this runtime group. The expected config hash can be used to verify if the config hash of a runtime instance is up to date with the conrol plane. If they are in sync, the config hash will be the same. If sync in progress or if out of sync, the config hash will be different. The updated_at timestamp indicates when the config was last updated.

Endpoint

/expected-config-hash

Response

HTTP 200 OK

Data plane certificates

List data plane client certificates

Returns a list of pinned dataplane client certificates that are associated to this runtime group. A pinned dataplane certificate allows dataplanes configured with the certificate and corresponding private key to establish connection with this runtime group.

Endpoint

/dp-client-certificates

Response

HTTP 200 OK

Pin new data plane client certificates

Pin a new DP Client Certificate to this runtime group. A pinned dataplane certificate allows dataplanes configured with the certificate and corresponding private key to establish connection with this runtime group.

Endpoint

/dp-client-certificates

Response

HTTP 201 Created

Fetch data plane client certificate

Retrieve a pinned dataplane client certificate associated to this runtime group. A pinned dataplane certificate allows dataplanes configured with the certificate and corresponding private key to establish connection with this runtime group.

Endpoint

/dp-client-certificates/{certificate_id}

Response

HTTP 200 Created

Replace data plane client certificate

Update a pinned dataplane client certificate associated to this runtime group. A pinned dataplane certificate allows dataplanes configured with the certificate and corresponding private key to establish connection with this runtime group. Endpoint

/dp-client-certificates/{certificate_id}

Response

HTTP 200 Created

Delete DP Client Certificate

Remove a pinned dataplane client certificate associated to this runtime group. Removing a pinned dataplane certificate would invalidate any dataplanes currently connected to this runtime group using this certificate. Endpoint

/dp-client-certificates/{certificate_id}

Response

HTTP 200 Ok

Retrieve Plugin Schema

Retrieve the schema of a plugin’s configuration. This is useful to understand what fields a plugin accepts, and can be used for building third-party integrations to the Kong’s plugin system.

/schemas/plugins/{plugin name}

Response

HTTP 200 OK

{
    "fields": {
        "hide_credentials": {
            "default": false,
            "type": "boolean"
        },
        "key_names": {
            "default": "function",
            "required": true,
            "type": "array"
        }
    }
}

Service Object

Service entities, as the name implies, are abstractions of each of your own upstream services. Examples of Services would be a data transformation microservice, a billing API, etc.

The main attribute of a Service is its URL (where Kong should proxy traffic to), which can be set as a single string or by specifying its protocol, host, port and path individually.

Services are associated to Routes (a Service can have many Routes associated with it). Routes are entry-points in Kong and define rules to match client requests. Once a Route is matched, Kong proxies the request to its associated Service. See the [Proxy Reference][proxy-reference] for a detailed explanation of how Kong proxies traffic.

Services can be both tagged and filtered by tags.

{
    "id": "9748f662-7711-4a90-8186-dc02f10eb0f5",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-service",
    "retries": 5,
    "protocol": "http",
    "host": "example.com",
    "port": 80,
    "path": "/some_api",
    "connect_timeout": 60000,
    "write_timeout": 60000,
    "read_timeout": 60000,
    "tags": ["user-level", "low-priority"],
    "client_certificate": {"id":"4e3ad2e4-0bc4-4638-8e34-c84a417ba39b"},
    "tls_verify": true,
    "tls_verify_depth": null,
    "ca_certificates": ["4e3ad2e4-0bc4-4638-8e34-c84a417ba39b", "51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515"],
    "enabled": true
}

Add Service

Create Service

/core-entities/services

Request Body

Attributes	Description
`name` optional	The Service name.
`retries` optional	The number of retries to execute upon failure to proxy. Default: `5`.
`protocol`	The protocol used to communicate with the upstream. Accepted values are: `"grpc"`, `"grpcs"`, `"http"`, `"https"`, `"tcp"`, `"tls"`, `"tls_passthrough"`, `"udp"`, `"ws"` , `"wss"` . Default: `"http"`.
`host`	The host of the upstream server. Note that the host value is case sensitive.
`port`	The upstream server port. Default: `80`.
`path` optional	The path to be used in requests to the upstream server.
`connect_timeout` optional	The timeout in milliseconds for establishing a connection to the upstream server. Default: `60000`.
`write_timeout` optional	The timeout in milliseconds between two successive write operations for transmitting a request to the upstream server. Default: `60000`.
`read_timeout` optional	The timeout in milliseconds between two successive read operations for transmitting a request to the upstream server. Default: `60000`.
`tags` optional	An optional set of strings associated with the Service for grouping and filtering.
`client_certificate` optional	Certificate to be used as client certificate while TLS handshaking to the upstream server. With form-encoded, the notation is `client_certificate.id=<client_certificate id>`. With JSON, use “`"client_certificate":{"id":"<client_certificate id>"}`.
`tls_verify` optional	Whether to enable verification of upstream server TLS certificate. If set to `null`, then the Nginx default is respected.
`tls_verify_depth` optional	Maximum depth of chain while verifying Upstream server’s TLS certificate. If set to `null`, then the Nginx default is respected. Default: `null`.
`ca_certificates` optional	Array of `CA Certificate` object UUIDs that are used to build the trust store while verifying upstream server’s TLS certificate. If set to `null` when Nginx default is respected. If default CA list in Nginx are not specified and TLS verification is enabled, then handshake with upstream server will always fail (because no CA are trusted). With form-encoded, the notation is `ca_certificates[]=4e3ad2e4-0bc4-4638-8e34-c84a417ba39b&ca_certificates[]=51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515`. With JSON, use an Array.
`enabled`	Whether the Service is active. If set to `false`, the proxy behavior will be as if any routes attached to it do not exist (404). Default: `true`.
`url` shorthand-attribute	Shorthand attribute to set `protocol`, `host`, `port` and `path` at once. This attribute is write-only (the Admin API never returns the URL).

Response

HTTP 201 Created

{
    "id": "9748f662-7711-4a90-8186-dc02f10eb0f5",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-service",
    "retries": 5,
    "protocol": "http",
    "host": "example.com",
    "port": 80,
    "path": "/some_api",
    "connect_timeout": 60000,
    "write_timeout": 60000,
    "read_timeout": 60000,
    "tags": ["user-level", "low-priority"],
    "client_certificate": {"id":"4e3ad2e4-0bc4-4638-8e34-c84a417ba39b"},
    "tls_verify": true,
    "tls_verify_depth": null,
    "ca_certificates": ["4e3ad2e4-0bc4-4638-8e34-c84a417ba39b", "51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515"],
    "enabled": true
}

List Services

List All Services

/core-entities/services

Response

HTTP 200 OK

{
"data": [{
    "id": "a5fb8d9b-a99d-40e9-9d35-72d42a62d83a",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-service",
    "retries": 5,
    "protocol": "http",
    "host": "example.com",
    "port": 80,
    "path": "/some_api",
    "connect_timeout": 60000,
    "write_timeout": 60000,
    "read_timeout": 60000,
    "tags": ["user-level", "low-priority"],
    "client_certificate": {"id":"51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515"},
    "tls_verify": true,
    "tls_verify_depth": null,
    "ca_certificates": ["4e3ad2e4-0bc4-4638-8e34-c84a417ba39b", "51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515"],
    "enabled": true
}, {
    "id": "fc73f2af-890d-4f9b-8363-af8945001f7f",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-service",
    "retries": 5,
    "protocol": "http",
    "host": "example.com",
    "port": 80,
    "path": "/another_api",
    "connect_timeout": 60000,
    "write_timeout": 60000,
    "read_timeout": 60000,
    "tags": ["admin", "high-priority", "critical"],
    "client_certificate": {"id":"4506673d-c825-444c-a25b-602e3c2ec16e"},
    "tls_verify": true,
    "tls_verify_depth": null,
    "ca_certificates": ["4e3ad2e4-0bc4-4638-8e34-c84a417ba39b", "51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515"],
    "enabled": true
}],

    "next": "http://localhost:8001/services?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve Service

/core-entities/services/{service name or id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to retrieve.

Response

HTTP 200 OK

{
    "id": "9748f662-7711-4a90-8186-dc02f10eb0f5",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-service",
    "retries": 5,
    "protocol": "http",
    "host": "example.com",
    "port": 80,
    "path": "/some_api",
    "connect_timeout": 60000,
    "write_timeout": 60000,
    "read_timeout": 60000,
    "tags": ["user-level", "low-priority"],
    "client_certificate": {"id":"4e3ad2e4-0bc4-4638-8e34-c84a417ba39b"},
    "tls_verify": true,
    "tls_verify_depth": null,
    "ca_certificates": ["4e3ad2e4-0bc4-4638-8e34-c84a417ba39b", "51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515"],
    "enabled": true
}

Update Service

Update Or Create Service

Create Or Update Service

/core-entities/services/{service name or id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to create or update.

Request Body

Attributes	Description
`name` optional	The Service name.
`retries` optional	The number of retries to execute upon failure to proxy. Default: `5`.
`protocol`	The protocol used to communicate with the upstream. Accepted values are: `"grpc"`, `"grpcs"`, `"http"`, `"https"`, `"tcp"`, `"tls"`, `"tls_passthrough"`, `"udp"`, `"ws"` , `"wss"` . Default: `"http"`.
`host`	The host of the upstream server. Note that the host value is case sensitive.
`port`	The upstream server port. Default: `80`.
`path` optional	The path to be used in requests to the upstream server.
`connect_timeout` optional	The timeout in milliseconds for establishing a connection to the upstream server. Default: `60000`.
`write_timeout` optional	The timeout in milliseconds between two successive write operations for transmitting a request to the upstream server. Default: `60000`.
`read_timeout` optional	The timeout in milliseconds between two successive read operations for transmitting a request to the upstream server. Default: `60000`.
`tags` optional	An optional set of strings associated with the Service for grouping and filtering.
`client_certificate` optional	Certificate to be used as client certificate while TLS handshaking to the upstream server. With form-encoded, the notation is `client_certificate.id=<client_certificate id>`. With JSON, use “`"client_certificate":{"id":"<client_certificate id>"}`.
`tls_verify` optional	Whether to enable verification of upstream server TLS certificate. If set to `null`, then the Nginx default is respected.
`tls_verify_depth` optional	Maximum depth of chain while verifying Upstream server’s TLS certificate. If set to `null`, then the Nginx default is respected. Default: `null`.
`ca_certificates` optional	Array of `CA Certificate` object UUIDs that are used to build the trust store while verifying upstream server’s TLS certificate. If set to `null` when Nginx default is respected. If default CA list in Nginx are not specified and TLS verification is enabled, then handshake with upstream server will always fail (because no CA are trusted). With form-encoded, the notation is `ca_certificates[]=4e3ad2e4-0bc4-4638-8e34-c84a417ba39b&ca_certificates[]=51e77dc2-8f3e-4afa-9d0e-0e3bbbcfd515`. With JSON, use an Array.
`enabled`	Whether the Service is active. If set to `false`, the proxy behavior will be as if any routes attached to it do not exist (404). Default: `true`.
`url` shorthand-attribute	Shorthand attribute to set `protocol`, `host`, `port` and `path` at once. This attribute is write-only (the Admin API never returns the URL).

Inserts (or replaces) the Service under the requested resource with the definition specified in the body. The Service will be identified via the name or id attribute.

When the name or id attribute has the structure of a UUID, the Service being inserted/replaced will be identified by its id. Otherwise it will be identified by its name.

When creating a new Service without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a name in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete Service

Delete Service

/core-entities/services/{service name or id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to delete.

Response

HTTP 204 No Content

Route Object

Route entities define rules to match client requests. Each Route is associated with a Service, and a Service may have multiple Routes associated to it. Every request matching a given Route will be proxied to its associated Service.

The combination of Routes and Services (and the separation of concerns between them) offers a powerful routing mechanism with which it is possible to define fine-grained entry-points in Kong leading to different upstream services of your infrastructure.

You need at least one matching rule that applies to the protocol being matched by the Route. Depending on the protocols configured to be matched by the Route (as defined with the protocols field), this means that at least one of the following attributes must be set:

For http, at least one of methods, hosts, headers or paths;
For https, at least one of methods, hosts, headers, paths or snis;
For tcp, at least one of sources or destinations;
For tls, at least one of sources, destinations or snis;
For tls_passthrough, set snis;
For grpc, at least one of hosts, headers or paths;
For grpcs, at least one of hosts, headers, paths or snis;
For ws, at least one of hosts, headers or paths;
For wss, at least one of hosts, headers, paths or snis.

A route can’t have both tls and tls_passthrough protocols at same time.

The 3.0.x release introduces a new router implementation: atc-router. The router adds:

Reduced router rebuild time when changing Kong’s configuration
Increased runtime performance when routing requests
Reduced P99 latency from 1.5s to 0.1s with 10,000 routes

Learn more about the router:

Configure routes using expressions Router Expressions language reference

Path handling algorithms

"v0" is the behavior used in Kong 0.x, 2.x and 3.x. It treats service.path, route.path and request path as segments of a URL. It will always join them via slashes. Given a service path /s, route path /r and request path /re, the concatenated path will be /s/re. If the resulting path is a single slash, no further transformation is done to it. If it’s longer, then the trailing slash is removed.

"v1" is the behavior used in Kong 1.x. It treats service.path as a prefix, and ignores the initial slashes of the request and route paths. Given service path /s, route path /r and request path /re, the concatenated path will be /sre.

Both versions of the algorithm detect “double slashes” when combining paths, replacing them by single slashes.

The following table shows the possible combinations of path handling version, strip path, and request:

`service.path`	`route.path`	`request`	`route.strip_path`	`route.path_handling`	request path	upstream path
`/s`	`/fv0`	`req`	`false`	`v0`	`/fv0/req`	`/s/fv0/req`
`/s`	`/fv0`	`blank`	`false`	`v0`	`/fv0`	`/s/fv0`
`/s`	`/fv1`	`req`	`false`	`v1`	`/fv1/req`	`/sfv1/req`
`/s`	`/fv1`	`blank`	`false`	`v1`	`/fv1`	`/sfv1`
`/s`	`/tv0`	`req`	`true`	`v0`	`/tv0/req`	`/s/req`
`/s`	`/tv0`	`blank`	`true`	`v0`	`/tv0`	`/s`
`/s`	`/tv1`	`req`	`true`	`v1`	`/tv1/req`	`/s/req`
`/s`	`/tv1`	`blank`	`true`	`v1`	`/tv1`	`/s`
`/s`	`/fv0/`	`req`	`false`	`v0`	`/fv0/req`	`/s/fv0/req`
`/s`	`/fv0/`	`blank`	`false`	`v0`	`/fv0/`	`/s/fv01/`
`/s`	`/fv1/`	`req`	`false`	`v1`	`/fv1/req`	`/sfv1/req`
`/s`	`/fv1/`	`blank`	`false`	`v1`	`/fv1/`	`/sfv1/`
`/s`	`/tv0/`	`req`	`true`	`v0`	`/tv0/req`	`/s/req`
`/s`	`/tv0/`	`blank`	`true`	`v0`	`/tv0/`	`/s/`
`/s`	`/tv1/`	`req`	`true`	`v1`	`/tv1/req`	`/sreq`
`/s`	`/tv1/`	`blank`	`true`	`v1`	`/tv1/`	`/s`

Routes can be both tagged and filtered by tags.

{
    "id": "d35165e2-d03e-461a-bdeb-dad0a112abfe",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-route",
    "protocols": ["http", "https"],
    "methods": ["GET", "POST"],
    "hosts": ["example.com", "foo.test"],
    "paths": ["/foo", "/bar"],
    "headers": {"x-my-header":["foo", "bar"], "x-another-header":["bla"]},
    "https_redirect_status_code": 426,
    "regex_priority": 0,
    "strip_path": true,
    "path_handling": "v0",
    "preserve_host": false,
    "request_buffering": true,
    "response_buffering": true,
    "tags": ["user-level", "low-priority"],
    "service": {"id":"af8330d3-dbdc-48bd-b1be-55b98608834b"}
}

Add Route

Create Route

/core-entities/routes

Create Route Associated to a Specific Service

/core-entities/services/{service name or id}/routes

Attributes	Description
`service name or id` required	The unique identifier or the `name` attribute of the Service that should be associated to the newly-created Route.

Request Body

Attributes	Description
`name` optional	The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named “test” and “Test”.
`protocols`	An array of the protocols this Route should allow. See the Route Object section for a list of accepted protocols. When set to only `"https"`, HTTP requests are answered with an upgrade error. When set to only `"http"`, HTTPS requests are answered with an error. Default: `["http", "https"]`.
`methods` semi-optional	A list of HTTP methods that match this Route.
`hosts` semi-optional	A list of domain names that match this Route. Note that the hosts value is case sensitive. With form-encoded, the notation is `hosts[]=example.com&hosts[]=foo.test`. With JSON, use an Array.
`paths` semi-optional	A list of paths that match this Route. With form-encoded, the notation is `paths[]=/foo&paths[]=/bar`. With JSON, use an array. The path can be a regular expression, or a plain text pattern. The path patterns are matched against a normalized path, with most percent-encoded characters decoded, path folding, and preserved semantics. For more details read rfc3986.
`headers` semi-optional	One or more lists of values indexed by header name that will cause this Route to match if present in the request. The `Host` header cannot be used with this attribute: hosts should be specified using the `hosts` attribute. When `headers` contains only one value and that value starts with the special prefix `~*`, the value is interpreted as a regular expression.
`https_redirect_status_code`	The status code Kong responds with when all properties of a Route match except the protocol i.e. if the protocol of the request is `HTTP` instead of `HTTPS`. `Location` header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the `https` protocol. Accepted values are: `426`, `301`, `302`, `307`, `308`. Default: `426`.
`regex_priority` optional	A number used to choose which route resolves a given request when several routes match it using regexes simultaneously. When two routes match the path and have the same `regex_priority`, the older one (lowest `created_at`) is used. Note that the priority for non-regex routes is different (longer non-regex routes are matched before shorter ones). Default: `0`.
`strip_path`	When matching a Route via one of the `paths`, strip the matching prefix from the upstream request URL. Default: `true`.
`path_handling` optional	Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. See above for a detailed description of each behavior. Accepted values are: `"v0"`, `"v1"`. Default: `"v0"`.
`preserve_host`	When matching a Route via one of the `hosts` domain names, use the request `Host` header in the upstream request headers. If set to `false`, the upstream `Host` header will be that of the Service’s `host`.
`request_buffering`	Whether to enable request body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that receive data with chunked transfer encoding. Default: `true`.
`response_buffering`	Whether to enable response body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that send data with chunked transfer encoding. Default: `true`.
`snis` semi-optional	A list of SNIs that match this Route when using stream routing.
`sources` semi-optional	A list of IP sources of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”.
`destinations` semi-optional	A list of IP destinations of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”.
`tags` optional	An optional set of strings associated with the Route for grouping and filtering.
`service` optional	The Service this Route is associated to. This is where the Route proxies traffic to. With form-encoded, the notation is `service.id=<service id>` or `service.name=<service name>`. With JSON, use “`"service":{"id":"<service id>"}` or `"service":{"name":"<service name>"}`.

Response

HTTP 201 Created

{
    "id": "d35165e2-d03e-461a-bdeb-dad0a112abfe",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-route",
    "protocols": ["http", "https"],
    "methods": ["GET", "POST"],
    "hosts": ["example.com", "foo.test"],
    "paths": ["/foo", "/bar"],
    "headers": {"x-my-header":["foo", "bar"], "x-another-header":["bla"]},
    "https_redirect_status_code": 426,
    "regex_priority": 0,
    "strip_path": true,
    "path_handling": "v0",
    "preserve_host": false,
    "request_buffering": true,
    "response_buffering": true,
    "tags": ["user-level", "low-priority"],
    "service": {"id":"af8330d3-dbdc-48bd-b1be-55b98608834b"}
}

List Routes

List All Routes

/core-entities/routes

List Routes Associated to a Specific Service

/core-entities/services/{service name or id}/routes

Attributes	Description
`service name or id` required	The unique identifier or the `name` attribute of the Service whose Routes are to be retrieved. When using this endpoint, only Routes associated to the specified Service will be listed.

Response

HTTP 200 OK

{
"data": [{
    "id": "a9daa3ba-8186-4a0d-96e8-00d80ce7240b",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-route",
    "protocols": ["http", "https"],
    "methods": ["GET", "POST"],
    "hosts": ["example.com", "foo.test"],
    "paths": ["/foo", "/bar"],
    "headers": {"x-my-header":["foo", "bar"], "x-another-header":["bla"]},
    "https_redirect_status_code": 426,
    "regex_priority": 0,
    "strip_path": true,
    "path_handling": "v0",
    "preserve_host": false,
    "request_buffering": true,
    "response_buffering": true,
    "tags": ["user-level", "low-priority"],
    "service": {"id":"127dfc88-ed57-45bf-b77a-a9d3a152ad31"}
}, {
    "id": "9aa116fd-ef4a-4efa-89bf-a0b17c4be982",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-route",
    "protocols": ["tcp", "tls"],
    "https_redirect_status_code": 426,
    "regex_priority": 0,
    "strip_path": true,
    "path_handling": "v0",
    "preserve_host": false,
    "request_buffering": true,
    "response_buffering": true,
    "snis": ["foo.test", "example.com"],
    "sources": [{"ip":"10.1.0.0/16", "port":1234}, {"ip":"10.2.2.2"}, {"port":9123}],
    "destinations": [{"ip":"10.1.0.0/16", "port":1234}, {"ip":"10.2.2.2"}, {"port":9123}],
    "tags": ["admin", "high-priority", "critical"],
    "service": {"id":"ba641b07-e74a-430a-ab46-94b61e5ea66b"}
}],

    "next": "http://localhost:8001/routes?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve Route

/core-entities/routes/{route name or id}

Attributes	Description
`route name or id` required	The unique identifier or the name of the Route to retrieve.

Retrieve Route Associated to a Specific Service

/core-entities/services/{service name or id}/routes/{route name or id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to retrieve.
`route name or id` required	The unique identifier or the name of the Route to retrieve.

Response

HTTP 200 OK

{
    "id": "d35165e2-d03e-461a-bdeb-dad0a112abfe",
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "name": "my-route",
    "protocols": ["http", "https"],
    "methods": ["GET", "POST"],
    "hosts": ["example.com", "foo.test"],
    "paths": ["/foo", "/bar"],
    "headers": {"x-my-header":["foo", "bar"], "x-another-header":["bla"]},
    "https_redirect_status_code": 426,
    "regex_priority": 0,
    "strip_path": true,
    "path_handling": "v0",
    "preserve_host": false,
    "request_buffering": true,
    "response_buffering": true,
    "tags": ["user-level", "low-priority"],
    "service": {"id":"af8330d3-dbdc-48bd-b1be-55b98608834b"}
}

Update Or Create Route

Create Or Update Route

/core-entities/routes/{route name or id}

Attributes	Description
`route name or id` required	The unique identifier or the name of the Route to create or update.

Create Or Update Route Associated to a Specific Service

/core-entities/services/{service name or id}/routes/{route name or id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to create or update.
`route name or id` required	The unique identifier or the name of the Route to create or update.

Request Body

Attributes	Description
`name` optional	The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named “test” and “Test”.
`protocols`	An array of the protocols this Route should allow. See the Route Object section for a list of accepted protocols. When set to only `"https"`, HTTP requests are answered with an upgrade error. When set to only `"http"`, HTTPS requests are answered with an error. Default: `["http", "https"]`.
`methods` semi-optional	A list of HTTP methods that match this Route.
`hosts` semi-optional	A list of domain names that match this Route. Note that the hosts value is case sensitive. With form-encoded, the notation is `hosts[]=example.com&hosts[]=foo.test`. With JSON, use an Array.
`paths` semi-optional	A list of paths that match this Route. With form-encoded, the notation is `paths[]=/foo&paths[]=/bar`. With JSON, use an array. The path can be a regular expression, or a plain text pattern. The path patterns are matched against a normalized path, with most percent-encoded characters decoded, path folding, and preserved semantics. For more details read rfc3986.
`headers` semi-optional	One or more lists of values indexed by header name that will cause this Route to match if present in the request. The `Host` header cannot be used with this attribute: hosts should be specified using the `hosts` attribute. When `headers` contains only one value and that value starts with the special prefix `~*`, the value is interpreted as a regular expression.
`https_redirect_status_code`	The status code Kong responds with when all properties of a Route match except the protocol i.e. if the protocol of the request is `HTTP` instead of `HTTPS`. `Location` header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the `https` protocol. Accepted values are: `426`, `301`, `302`, `307`, `308`. Default: `426`.
`regex_priority` optional	A number used to choose which route resolves a given request when several routes match it using regexes simultaneously. When two routes match the path and have the same `regex_priority`, the older one (lowest `created_at`) is used. Note that the priority for non-regex routes is different (longer non-regex routes are matched before shorter ones). Default: `0`.
`strip_path`	When matching a Route via one of the `paths`, strip the matching prefix from the upstream request URL. Default: `true`.
`path_handling` optional	Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. See above for a detailed description of each behavior. Accepted values are: `"v0"`, `"v1"`. Default: `"v0"`.
`preserve_host`	When matching a Route via one of the `hosts` domain names, use the request `Host` header in the upstream request headers. If set to `false`, the upstream `Host` header will be that of the Service’s `host`.
`request_buffering`	Whether to enable request body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that receive data with chunked transfer encoding. Default: `true`.
`response_buffering`	Whether to enable response body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that send data with chunked transfer encoding. Default: `true`.
`snis` semi-optional	A list of SNIs that match this Route when using stream routing.
`sources` semi-optional	A list of IP sources of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”.
`destinations` semi-optional	A list of IP destinations of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”.
`tags` optional	An optional set of strings associated with the Route for grouping and filtering.
`service` optional	The Service this Route is associated to. This is where the Route proxies traffic to. With form-encoded, the notation is `service.id=<service id>` or `service.name=<service name>`. With JSON, use “`"service":{"id":"<service id>"}` or `"service":{"name":"<service name>"}`.

Inserts (or replaces) the Route under the requested resource with the definition specified in the body. The Route will be identified via the name or id attribute.

When the name or id attribute has the structure of a UUID, the Route being inserted/replaced will be identified by its id. Otherwise it will be identified by its name.

When creating a new Route without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a name in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete Route

Delete Route

/core-entities/routes/{route name or id}

Attributes	Description
`route name or id` required	The unique identifier or the name of the Route to delete.

Response

HTTP 204 No Content

Consumer Object

The Consumer object represents a consumer - or a user - of a Service. You can either rely on Kong as the primary datastore, or you can map the consumer list with your database to keep consistency between Kong and your existing primary datastore.

Consumers can be both tagged and filtered by tags.

{
    "id": "ec1a1f6f-2aa4-4e58-93ff-b56368f19b27",
    "created_at": 1422386534,
    "username": "my-username",
    "custom_id": "my-custom-id",
    "tags": ["user-level", "low-priority"]
}

Add Consumer

Create Consumer

/core-entities/consumers

Request Body

Attributes	Description
`username` semi-optional	The unique username of the Consumer. You must send either this field or `custom_id` with the request.
`custom_id` semi-optional	Field for storing an existing unique ID for the Consumer - useful for mapping Kong with users in your existing database. You must send either this field or `username` with the request.
`tags` optional	An optional set of strings associated with the Consumer for grouping and filtering.

Response

HTTP 201 Created

{
    "id": "ec1a1f6f-2aa4-4e58-93ff-b56368f19b27",
    "created_at": 1422386534,
    "username": "my-username",
    "custom_id": "my-custom-id",
    "tags": ["user-level", "low-priority"]
}

List Consumers

List All Consumers

/core-entities/consumers

Response

HTTP 200 OK

{
"data": [{
    "id": "a4407883-c166-43fd-80ca-3ca035b0cdb7",
    "created_at": 1422386534,
    "username": "my-username",
    "custom_id": "my-custom-id",
    "tags": ["user-level", "low-priority"]
}, {
    "id": "01c23299-839c-49a5-a6d5-8864c09184af",
    "created_at": 1422386534,
    "username": "my-username",
    "custom_id": "my-custom-id",
    "tags": ["admin", "high-priority", "critical"]
}],

    "next": "http://localhost:8001/consumers?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve Consumer

/core-entities/consumers/{consumer username or id}

Attributes	Description
`consumer username or id` required	The unique identifier or the username of the Consumer to retrieve.

Response

HTTP 200 OK

{
    "id": "ec1a1f6f-2aa4-4e58-93ff-b56368f19b27",
    "created_at": 1422386534,
    "username": "my-username",
    "custom_id": "my-custom-id",
    "tags": ["user-level", "low-priority"]
}

Update Or Create Consumer

Create Or Update Consumer

/core-entities/consumers/{consumer username or id}

Attributes	Description
`consumer username or id` required	The unique identifier or the username of the Consumer to create or update.

Request Body

Attributes	Description
`username` semi-optional	The unique username of the Consumer. You must send either this field or `custom_id` with the request.
`custom_id` semi-optional	Field for storing an existing unique ID for the Consumer - useful for mapping Kong with users in your existing database. You must send either this field or `username` with the request.
`tags` optional	An optional set of strings associated with the Consumer for grouping and filtering.

Inserts (or replaces) the Consumer under the requested resource with the definition specified in the body. The Consumer will be identified via the username or id attribute.

When the username or id attribute has the structure of a UUID, the Consumer being inserted/replaced will be identified by its id. Otherwise it will be identified by its username.

When creating a new Consumer without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a username in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete Consumer

Delete Consumer

/core-entities/consumers/{consumer username or id}

Attributes	Description
`consumer username or id` required	The unique identifier or the username of the Consumer to delete.

Response

HTTP 204 No Content

Plugin Object

A Plugin entity represents a plugin configuration that will be executed during the HTTP request/response lifecycle. It is how you can add functionalities to Services that run behind Kong, like Authentication or Rate Limiting for example. You can find more information about how to install and what values each plugin takes by visiting the Kong Hub.

When adding a Plugin Configuration to a Service, every request made by a client to that Service will run said Plugin. If a Plugin needs to be tuned to different values for some specific Consumers, you can do so by creating a separate plugin instance that specifies both the Service and the Consumer, through the service and consumer fields.

Plugins can be both tagged and filtered by tags.

{
    "id": "ce44eef5-41ed-47f6-baab-f725cecf98c7",
    "name": "rate-limiting",
    "created_at": 1422386534,
    "route": null,
    "service": null,
    "consumer": null,
    "config": {"hour":500, "minute":20},
    "protocols": ["http", "https"],
    "enabled": true,
    "tags": ["user-level", "low-priority"],
    "ordering": {"before":["plugin-name"]}
}

See the Precedence section below for more details.

Precedence

A plugin will always be run once and only once per request. But the configuration with which it will run depends on the entities it has been configured for.

Example: if the rate-limiting plugin is applied twice (with different configurations): for a Service (Plugin config A), and for a Consumer (Plugin config B), then requests authenticating this Consumer will run Plugin config B and ignore A. However, requests that do not authenticate this Consumer will fallback to running Plugin config A. Note that if config B is disabled (its enabled flag is set to false), config A will apply to requests that would have otherwise matched config B.

Add Plugin

Create Plugin

/core-entities/plugins

Create Plugin Associated to a Specific Route

/core-entities/routes/{route name or id}/plugins

Attributes	Description
`route name or id` required	The unique identifier or the `name` attribute of the Route that should be associated to the newly-created Plugin.

Create Plugin Associated to a Specific Service

/core-entities/services/{service name or id}/plugins

Attributes	Description
`service name or id` required	The unique identifier or the `name` attribute of the Service that should be associated to the newly-created Plugin.

Create Plugin Associated to a Specific Consumer

/core-entities/consumers/{consumer name or id}/plugins

Attributes	Description
`consumer name or id` required	The unique identifier or the `name` attribute of the Consumer that should be associated to the newly-created Plugin.

Request Body

Attributes	Description
`name`	The name of the Plugin that’s going to be added. Currently, the Plugin must be installed in every Kong instance separately.
`route` optional	If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the Route being used. Default: `null`.With form-encoded, the notation is `route.id=<route id>` or `route.name=<route name>`. With JSON, use “`"route":{"id":"<route id>"}` or `"route":{"name":"<route name>"}`.
`service` optional	If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched. Default: `null`.With form-encoded, the notation is `service.id=<service id>` or `service.name=<service name>`. With JSON, use “`"service":{"id":"<service id>"}` or `"service":{"name":"<service name>"}`.
`consumer` optional	If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer. Default: `null`.With form-encoded, the notation is `consumer.id=<consumer id>` or `consumer.username=<consumer username>`. With JSON, use “`"consumer":{"id":"<consumer id>"}` or `"consumer":{"username":"<consumer username>"}`.
`config` optional	The configuration properties for the Plugin which can be found on the plugins documentation page in the Kong Hub.
`protocols`	A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support `"tcp"` and `"tls"`. Default: `["grpc", "grpcs", "http",` `"https"]`.
`enabled`	Whether the plugin is applied. Default: `true`.
`tags` optional	An optional set of strings associated with the Plugin for grouping and filtering.
`ordering` optional	Describes a dependency to another plugin to determine plugin ordering during the `access` phase. –`before`: The plugin will be executed before a specified plugin or list of plugins. – `after`: The plugin will be executed after a specified plugin or list of plugins.

Response

HTTP 201 Created

{
    "id": "ce44eef5-41ed-47f6-baab-f725cecf98c7",
    "name": "rate-limiting",
    "created_at": 1422386534,
    "route": null,
    "service": null,
    "consumer": null,
    "config": {"hour":500, "minute":20},
    "protocols": ["http", "https"],
    "enabled": true,
    "tags": ["user-level", "low-priority"],
    "ordering": {"before":["plugin-name"]}
}

List Plugins

List All Plugins

/core-entities/plugins

List Plugins Associated to a Specific Route

/core-entities/routes/{route name or id}/plugins

Attributes	Description
`route name or id` required	The unique identifier or the `name` attribute of the Route whose Plugins are to be retrieved. When using this endpoint, only Plugins associated to the specified Route will be listed.

List Plugins Associated to a Specific Service

/core-entities/services/{service name or id}/plugins

Attributes	Description
`service name or id` required	The unique identifier or the `name` attribute of the Service whose Plugins are to be retrieved. When using this endpoint, only Plugins associated to the specified Service will be listed.

List Plugins Associated to a Specific Consumer

/core-entities/consumers/{consumer name or id}/plugins

Attributes	Description
`consumer name or id` required	The unique identifier or the `name` attribute of the Consumer whose Plugins are to be retrieved. When using this endpoint, only Plugins associated to the specified Consumer will be listed.

Response

HTTP 200 OK

{
"data": [{
    "id": "02621eee-8309-4bf6-b36b-a82017a5393e",
    "name": "rate-limiting",
    "created_at": 1422386534,
    "route": null,
    "service": null,
    "consumer": null,
    "config": {"hour":500, "minute":20},
    "protocols": ["http", "https"],
    "enabled": true,
    "tags": ["user-level", "low-priority"],
    "ordering": {"before":["plugin-name"]}
}, {
    "id": "66c7b5c4-4aaf-4119-af1e-ee3ad75d0af4",
    "name": "rate-limiting",
    "created_at": 1422386534,
    "route": null,
    "service": null,
    "consumer": null,
    "config": {"hour":500, "minute":20},
    "protocols": ["tcp", "tls"],
    "enabled": true,
    "tags": ["admin", "high-priority", "critical"],
    "ordering": {"after":["plugin-name"]}
}],

    "next": "http://localhost:8001/plugins?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve Plugin

/core-entities/plugins/{plugin id}

Attributes	Description
`plugin id` required	The unique identifier of the Plugin to retrieve.

Retrieve Plugin Associated to a Specific Route

/core-entities/routes/{route name or id}/plugins/{plugin id}

Attributes	Description
`route name or id` required	The unique identifier or the name of the Route to retrieve.
`plugin id` required	The unique identifier of the Plugin to retrieve.

Retrieve Plugin Associated to a Specific Service

/core-entities/services/{service name or id}/plugins/{plugin id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to retrieve.
`plugin id` required	The unique identifier of the Plugin to retrieve.

Retrieve Plugin Associated to a Specific Consumer

/core-entities/consumers/{consumer username or id}/plugins/{plugin id}

Attributes	Description
`consumer username or id` required	The unique identifier or the username of the Consumer to retrieve.
`plugin id` required	The unique identifier of the Plugin to retrieve.

Response

HTTP 200 OK

{
    "id": "ce44eef5-41ed-47f6-baab-f725cecf98c7",
    "name": "rate-limiting",
    "created_at": 1422386534,
    "route": null,
    "service": null,
    "consumer": null,
    "config": {"hour":500, "minute":20},
    "protocols": ["http", "https"],
    "enabled": true,
    "tags": ["user-level", "low-priority"],
    "ordering": {"before":["plugin-name"]}
}

Update Or Create Plugin

Create Or Update Plugin

/core-entities/plugins/{plugin id}

Attributes	Description
`plugin id` required	The unique identifier of the Plugin to create or update.

Create Or Update Plugin Associated to a Specific Route

/core-entities/routes/{route name or id}/plugins/{plugin id}

Attributes	Description
`route name or id` required	The unique identifier or the name of the Route to create or update.
`plugin id` required	The unique identifier of the Plugin to create or update.

Create Or Update Plugin Associated to a Specific Service

/core-entities/services/{service name or id}/plugins/{plugin id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to create or update.
`plugin id` required	The unique identifier of the Plugin to create or update.

Create Or Update Plugin Associated to a Specific Consumer

/core-entities/consumers/{consumer username or id}/plugins/{plugin id}

Attributes	Description
`consumer username or id` required	The unique identifier or the username of the Consumer to create or update.
`plugin id` required	The unique identifier of the Plugin to create or update.

Request Body

Attributes	Description
`name`	The name of the Plugin that’s going to be added. Currently, the Plugin must be installed in every Kong instance separately.
`route` optional	If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the Route being used. Default: `null`.With form-encoded, the notation is `route.id=<route id>` or `route.name=<route name>`. With JSON, use “`"route":{"id":"<route id>"}` or `"route":{"name":"<route name>"}`.
`service` optional	If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched. Default: `null`.With form-encoded, the notation is `service.id=<service id>` or `service.name=<service name>`. With JSON, use “`"service":{"id":"<service id>"}` or `"service":{"name":"<service name>"}`.
`consumer` optional	If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer. Default: `null`.With form-encoded, the notation is `consumer.id=<consumer id>` or `consumer.username=<consumer username>`. With JSON, use “`"consumer":{"id":"<consumer id>"}` or `"consumer":{"username":"<consumer username>"}`.
`config` optional	The configuration properties for the Plugin which can be found on the plugins documentation page in the Kong Hub.
`protocols`	A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support `"tcp"` and `"tls"`. Default: `["grpc", "grpcs", "http",` `"https"]`.
`enabled`	Whether the plugin is applied. Default: `true`.
`tags` optional	An optional set of strings associated with the Plugin for grouping and filtering.
`ordering` optional	Describes a dependency to another plugin to determine plugin ordering during the `access` phase. –`before`: The plugin will be executed before a specified plugin or list of plugins. – `after`: The plugin will be executed after a specified plugin or list of plugins.

Inserts (or replaces) the Plugin under the requested resource with the definition specified in the body. The Plugin will be identified via the name or id attribute.

When the name or id attribute has the structure of a UUID, the Plugin being inserted/replaced will be identified by its id. Otherwise it will be identified by its name.

When creating a new Plugin without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a name in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete Plugin

Delete Plugin

/core-entities/plugins/{plugin id}

Attributes	Description
`plugin id` required	The unique identifier of the Plugin to delete.

Delete Plugin Associated to a Specific Route

/core-entities/routes/{route name or id}/plugins/{plugin id}

Attributes	Description
`route name or id` required	The unique identifier or the name of the Route to delete.
`plugin id` required	The unique identifier of the Plugin to delete.

Delete Plugin Associated to a Specific Service

/core-entities/services/{service name or id}/plugins/{plugin id}

Attributes	Description
`service name or id` required	The unique identifier or the name of the Service to delete.
`plugin id` required	The unique identifier of the Plugin to delete.

Delete Plugin Associated to a Specific Consumer

/core-entities/consumers/{consumer username or id}/plugins/{plugin id}

Attributes	Description
`consumer username or id` required	The unique identifier or the username of the Consumer to delete.
`plugin id` required	The unique identifier of the Plugin to delete.

Response

HTTP 204 No Content

Certificate Object

A certificate object represents a public certificate, and can be optionally paired with the corresponding private key. These objects are used by Kong to handle SSL/TLS termination for encrypted requests, or for use as a trusted CA store when validating peer certificate of client/service. Certificates are optionally associated with SNI objects to tie a cert/key pair to one or more hostnames.

If intermediate certificates are required in addition to the main certificate, they should be concatenated together into one string according to the following order: main certificate on the top, followed by any intermediates.

Certificates can be both tagged and filtered by tags.

{
    "id": "7fca84d6-7d37-4a74-a7b0-93e576089a41",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "key": "-----BEGIN RSA PRIVATE KEY-----...",
    "cert_alt": "-----BEGIN CERTIFICATE-----...",
    "key_alt": "-----BEGIN EC PRIVATE KEY-----...",
    "tags": ["user-level", "low-priority"]
}

Add Certificate

Create Certificate

/core-entities/certificates

Request Body

Attributes	Description
`cert`	PEM-encoded public certificate chain of the SSL key pair. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`key`	PEM-encoded private key of the SSL key pair. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`cert_alt` optional	PEM-encoded public certificate chain of the alternate SSL key pair. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`key_alt` optional	PEM-encoded private key of the alternate SSL key pair. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`tags` optional	An optional set of strings associated with the Certificate for grouping and filtering.
`snis` shorthand-attribute	An array of zero or more hostnames to associate with this certificate as SNIs. This is a sugar parameter that will, under the hood, create an SNI object and associate it with this certificate for your convenience. To set this attribute this certificate must have a valid private key associated with it.

Response

HTTP 201 Created

{
    "id": "7fca84d6-7d37-4a74-a7b0-93e576089a41",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "key": "-----BEGIN RSA PRIVATE KEY-----...",
    "cert_alt": "-----BEGIN CERTIFICATE-----...",
    "key_alt": "-----BEGIN EC PRIVATE KEY-----...",
    "tags": ["user-level", "low-priority"]
}

List Certificates

List All Certificates

/core-entities/certificates

Response

HTTP 200 OK

{
"data": [{
    "id": "d044b7d4-3dc2-4bbc-8e9f-6b7a69416df6",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "key": "-----BEGIN RSA PRIVATE KEY-----...",
    "cert_alt": "-----BEGIN CERTIFICATE-----...",
    "key_alt": "-----BEGIN EC PRIVATE KEY-----...",
    "tags": ["user-level", "low-priority"]
}, {
    "id": "a9b2107f-a214-47b3-add4-46b942187924",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "key": "-----BEGIN RSA PRIVATE KEY-----...",
    "cert_alt": "-----BEGIN CERTIFICATE-----...",
    "key_alt": "-----BEGIN EC PRIVATE KEY-----...",
    "tags": ["admin", "high-priority", "critical"]
}],

    "next": "http://localhost:8001/certificates?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve Certificate

/core-entities/certificates/{certificate id}

Attributes	Description
`certificate id` required	The unique identifier of the Certificate to retrieve.

Response

HTTP 200 OK

{
    "id": "7fca84d6-7d37-4a74-a7b0-93e576089a41",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "key": "-----BEGIN RSA PRIVATE KEY-----...",
    "cert_alt": "-----BEGIN CERTIFICATE-----...",
    "key_alt": "-----BEGIN EC PRIVATE KEY-----...",
    "tags": ["user-level", "low-priority"]
}

Update Certificate

Update Or Create Certificate

Create Or Update Certificate

/core-entities/certificates/{certificate id}

Attributes	Description
`certificate id` required	The unique identifier of the Certificate to create or update.

Request Body

Attributes	Description
`cert`	PEM-encoded public certificate chain of the SSL key pair. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`key`	PEM-encoded private key of the SSL key pair. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`cert_alt` optional	PEM-encoded public certificate chain of the alternate SSL key pair. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`key_alt` optional	PEM-encoded private key of the alternate SSL key pair. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`tags` optional	An optional set of strings associated with the Certificate for grouping and filtering.
`snis` shorthand-attribute	An array of zero or more hostnames to associate with this certificate as SNIs. This is a sugar parameter that will, under the hood, create an SNI object and associate it with this certificate for your convenience. To set this attribute this certificate must have a valid private key associated with it.

Inserts (or replaces) the Certificate under the requested resource with the definition specified in the body. The Certificate will be identified via the name or id attribute.

When the name or id attribute has the structure of a UUID, the Certificate being inserted/replaced will be identified by its id. Otherwise it will be identified by its name.

When creating a new Certificate without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a name in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete Certificate

Delete Certificate

/core-entities/certificates/{certificate id}

Attributes	Description
`certificate id` required	The unique identifier of the Certificate to delete.

Response

HTTP 204 No Content

CA Certificate Object

A CA certificate object represents a trusted CA. These objects are used by Kong to verify the validity of a client or server certificate.

CA Certificates can be both tagged and filtered by tags.

{
    "id": "04fbeacf-a9f1-4a5d-ae4a-b0407445db3f",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "cert_digest": "c641e28d77e93544f2fa87b2cf3f3d51...",
    "tags": ["user-level", "low-priority"]
}

Add CA Certificate

Create CA Certificate

/core-entities/ca_certificates

Request Body

Attributes	Description
`cert`	PEM-encoded public certificate of the CA.
`cert_digest` optional	SHA256 hex digest of the public certificate.
`tags` optional	An optional set of strings associated with the Certificate for grouping and filtering.

Response

HTTP 201 Created

{
    "id": "04fbeacf-a9f1-4a5d-ae4a-b0407445db3f",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "cert_digest": "c641e28d77e93544f2fa87b2cf3f3d51...",
    "tags": ["user-level", "low-priority"]
}

List CA Certificates

List All CA Certificates

/core-entities/ca_certificates

Response

HTTP 200 OK

{
"data": [{
    "id": "43429efd-b3a5-4048-94cb-5cc4029909bb",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "cert_digest": "c641e28d77e93544f2fa87b2cf3f3d51...",
    "tags": ["user-level", "low-priority"]
}, {
    "id": "d26761d5-83a4-4f24-ac6c-cff276f2b79c",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "cert_digest": "c641e28d77e93544f2fa87b2cf3f3d51...",
    "tags": ["admin", "high-priority", "critical"]
}],

    "next": "http://localhost:8001/ca_certificates?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve CA Certificate

/core-entities/ca_certificates/{ca_certificate id}

Attributes	Description
`ca_certificate id` required	The unique identifier of the CA Certificate to retrieve.

Response

HTTP 200 OK

{
    "id": "04fbeacf-a9f1-4a5d-ae4a-b0407445db3f",
    "created_at": 1422386534,
    "cert": "-----BEGIN CERTIFICATE-----...",
    "cert_digest": "c641e28d77e93544f2fa87b2cf3f3d51...",
    "tags": ["user-level", "low-priority"]
}

Update CA Certificate

Update Or Create CA Certificate

Create Or Update CA Certificate

/core-entities/ca_certificates/{ca_certificate id}

Attributes	Description
`ca_certificate id` required	The unique identifier of the CA Certificate to create or update.

Request Body

Attributes	Description
`cert`	PEM-encoded public certificate of the CA.
`cert_digest` optional	SHA256 hex digest of the public certificate.
`tags` optional	An optional set of strings associated with the Certificate for grouping and filtering.

Inserts (or replaces) the CA Certificate under the requested resource with the definition specified in the body. The CA Certificate will be identified via the name or id attribute.

When the name or id attribute has the structure of a UUID, the CA Certificate being inserted/replaced will be identified by its id. Otherwise it will be identified by its name.

When creating a new CA Certificate without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a name in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete CA Certificate

Delete CA Certificate

/core-entities/ca_certificates/{ca_certificate id}

Attributes	Description
`ca_certificate id` required	The unique identifier of the CA Certificate to delete.

Response

HTTP 204 No Content

SNI Object

An SNI object represents a many-to-one mapping of hostnames to a certificate. That is, a certificate object can have many hostnames associated with it; when Kong receives an SSL request, it uses the SNI field in the Client Hello to lookup the certificate object based on the SNI associated with the certificate.

SNIs can be both tagged and filtered by tags.

{
    "id": "91020192-062d-416f-a275-9addeeaffaf2",
    "name": "my-sni",
    "created_at": 1422386534,
    "tags": ["user-level", "low-priority"],
    "certificate": {"id":"a2e013e8-7623-4494-a347-6d29108ff68b"}
}

Add SNI

Create SNI

/core-entities/snis

Create SNI Associated to a Specific Certificate

/core-entities/certificates/{certificate name or id}/snis

Attributes	Description
`certificate name or id` required	The unique identifier or the `name` attribute of the Certificate that should be associated to the newly-created SNI.

Request Body

Attributes	Description
`name`	The SNI name to associate with the given certificate.
`tags` optional	An optional set of strings associated with the SNIs for grouping and filtering.
`certificate`	The id (a UUID) of the certificate with which to associate the SNI hostname. The Certificate must have a valid private key associated with it to be used by the SNI object. With form-encoded, the notation is `certificate.id=<certificate id>`. With JSON, use “`"certificate":{"id":"<certificate id>"}`.

Response

HTTP 201 Created

{
    "id": "91020192-062d-416f-a275-9addeeaffaf2",
    "name": "my-sni",
    "created_at": 1422386534,
    "tags": ["user-level", "low-priority"],
    "certificate": {"id":"a2e013e8-7623-4494-a347-6d29108ff68b"}
}

List SNIs

List All SNIs

/core-entities/snis

List SNIs Associated to a Specific Certificate

/core-entities/certificates/{certificate name or id}/snis

Attributes	Description
`certificate name or id` required	The unique identifier or the `name` attribute of the Certificate whose SNIs are to be retrieved. When using this endpoint, only SNIs associated to the specified Certificate will be listed.

Response

HTTP 200 OK

{
"data": [{
    "id": "147f5ef0-1ed6-4711-b77f-489262f8bff7",
    "name": "my-sni",
    "created_at": 1422386534,
    "tags": ["user-level", "low-priority"],
    "certificate": {"id":"a3ad71a8-6685-4b03-a101-980a953544f6"}
}, {
    "id": "b87eb55d-69a1-41d2-8653-8d706eecefc0",
    "name": "my-sni",
    "created_at": 1422386534,
    "tags": ["admin", "high-priority", "critical"],
    "certificate": {"id":"4e8d95d4-40f2-4818-adcb-30e00c349618"}
}],

    "next": "http://localhost:8001/snis?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve SNI

/core-entities/snis/{sni name or id}

Attributes	Description
`sni name or id` required	The unique identifier or the name of the SNI to retrieve.

Retrieve SNI Associated to a Specific Certificate

/core-entities/certificates/{certificate id}/snis/{sni name or id}

Attributes	Description
`certificate id` required	The unique identifier of the Certificate to retrieve.
`sni name or id` required	The unique identifier or the name of the SNI to retrieve.

Response

HTTP 200 OK

{
    "id": "91020192-062d-416f-a275-9addeeaffaf2",
    "name": "my-sni",
    "created_at": 1422386534,
    "tags": ["user-level", "low-priority"],
    "certificate": {"id":"a2e013e8-7623-4494-a347-6d29108ff68b"}
}

Update SNI

Update Or Create SNI

Create Or Update SNI

/core-entities/snis/{sni name or id}

Attributes	Description
`sni name or id` required	The unique identifier or the name of the SNI to create or update.

Create Or Update SNI Associated to a Specific Certificate

/core-entities/certificates/{certificate id}/snis/{sni name or id}

Attributes	Description
`certificate id` required	The unique identifier of the Certificate to create or update.
`sni name or id` required	The unique identifier or the name of the SNI to create or update.

Request Body

Attributes	Description
`name`	The SNI name to associate with the given certificate.
`tags` optional	An optional set of strings associated with the SNIs for grouping and filtering.
`certificate`	The id (a UUID) of the certificate with which to associate the SNI hostname. The Certificate must have a valid private key associated with it to be used by the SNI object. With form-encoded, the notation is `certificate.id=<certificate id>`. With JSON, use “`"certificate":{"id":"<certificate id>"}`.

Inserts (or replaces) the SNI under the requested resource with the definition specified in the body. The SNI will be identified via the name or id attribute.

When the name or id attribute has the structure of a UUID, the SNI being inserted/replaced will be identified by its id. Otherwise it will be identified by its name.

When creating a new SNI without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a name in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete SNI

Delete SNI

/core-entities/snis/{sni name or id}

Attributes	Description
`sni name or id` required	The unique identifier or the name of the SNI to delete.

Delete SNI Associated to a Specific Certificate

/core-entities/certificates/{certificate id}/snis/{sni name or id}

Attributes	Description
`certificate id` required	The unique identifier of the Certificate to delete.
`sni name or id` required	The unique identifier or the name of the SNI to delete.

Response

HTTP 204 No Content

Upstream Object

The upstream object represents a virtual hostname and can be used to loadbalance incoming requests over multiple services (targets). So for example an upstream named service.v1.xyz for a Service object whose host is service.v1.xyz. Requests for this Service would be proxied to the targets defined within the upstream.

An upstream also includes a [health checker][healthchecks], which is able to enable and disable targets based on their ability or inability to serve requests. The configuration for the health checker is stored in the upstream object, and applies to all of its targets.

Upstreams can be both tagged and filtered by tags.

{
    "id": "58c8ccbb-eafb-4566-991f-2ed4f678fa70",
    "created_at": 1422386534,
    "name": "my-upstream",
    "algorithm": "round-robin",
    "hash_on": "none",
    "hash_fallback": "none",
    "hash_on_cookie_path": "/",
    "slots": 10000,
    "healthchecks": {
        "passive": {
            "type": "http",
            "healthy": {
                "http_statuses": [200, 201, 202, 203, 204, 205, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
                "successes": 0
            },
            "unhealthy": {
                "http_statuses": [429, 500, 503],
                "timeouts": 0,
                "http_failures": 0,
                "tcp_failures": 0
            }
        },
        "active": {
            "https_verify_certificate": true,
            "healthy": {
                "http_statuses": [200, 302],
                "successes": 0,
                "interval": 0
            },
            "unhealthy": {
                "http_failures": 0,
                "http_statuses": [429, 404, 500, 501, 502, 503, 504, 505],
                "timeouts": 0,
                "tcp_failures": 0,
                "interval": 0
            },
            "type": "http",
            "concurrency": 10,
            "headers": [{"x-my-header":["foo", "bar"], "x-another-header":["bla"]}],
            "timeout": 1,
            "http_path": "/",
            "https_sni": "example.com"
        },
        "threshold": 0
    },
    "tags": ["user-level", "low-priority"],
    "host_header": "example.com",
    "client_certificate": {"id":"ea29aaa3-3b2d-488c-b90c-56df8e0dd8c6"},
    "use_srv_name": false
}

Add Upstream

Create Upstream

/core-entities/upstreams

Request Body

Attributes	Description
`name`	This is a hostname, which must be equal to the `host` of a Service.
`algorithm` optional	Which load balancing algorithm to use. Accepted values are: `"consistent-hashing"`, `"least-connections"`, `"round-robin"`. Default: `"round-robin"`.
`hash_on` optional	What to use as hashing input. Using `none` results in a weighted-round-robin scheme with no hashing. Accepted values are: `"none"`, `"consumer"`, `"ip"`, `"header"`, `"cookie"`, `"path"`, `"query_arg"`, `"uri_capture"`. Default: `"none"`.
`hash_fallback` optional	What to use as hashing input if the primary `hash_on` does not return a hash (eg. header is missing, or no Consumer identified). Not available if `hash_on` is set to `cookie`. Accepted values are: `"none"`, `"consumer"`, `"ip"`, `"header"`, `"cookie"`, `"path"`, `"query_arg"`, `"uri_capture"`. Default: `"none"`.
`hash_on_header` semi-optional	The header name to take the value from as hash input. Only required when `hash_on` is set to `header`.
`hash_fallback_header` semi-optional	The header name to take the value from as hash input. Only required when `hash_fallback` is set to `header`.
`hash_on_cookie` semi-optional	The cookie name to take the value from as hash input. Only required when `hash_on` or `hash_fallback` is set to `cookie`. If the specified cookie is not in the request, Kong will generate a value and set the cookie in the response.
`hash_on_cookie_path` semi-optional	The cookie path to set in the response headers. Only required when `hash_on` or `hash_fallback` is set to `cookie`. Default: `"/"`.
`hash_on_query_arg` semi-optional	The name of the query string argument to take the value from as hash input. Only required when `hash_on` is set to `query_arg`.
`hash_fallback_query_arg` semi-optional	The name of the query string argument to take the value from as hash input. Only required when `hash_fallback` is set to `query_arg`.
`hash_on_uri_capture` semi-optional	The name of the route URI capture to take the value from as hash input. Only required when `hash_on` is set to `uri_capture`.
`hash_fallback_uri_capture` semi-optional	The name of the route URI capture to take the value from as hash input. Only required when `hash_fallback` is set to `uri_capture`.
`slots` optional	The number of slots in the load balancer algorithm. If `algorithm` is set to `round-robin`, this setting determines the maximum number of slots. If `algorithm` is set to `consistent-hashing`, this setting determines the actual number of slots in the algorithm. Accepts an integer in the range `10`-`65536`. Default: `10000`.
`healthchecks.passive.type` optional	Whether to perform passive health checks interpreting HTTP/HTTPS statuses, or just check for TCP connection success. In passive checks, `http` and `https` options are equivalent. Accepted values are: `"tcp"`, `"http"`, `"https"`, `"grpc"`, `"grpcs"`. Default: `"http"`.
`healthchecks.passive.healthy.http_statuses` optional	An array of HTTP statuses which represent healthiness when produced by proxied traffic, as observed by passive health checks. Default: `[200, 201, 202, 203, 204, 205,` `206, 207, 208, 226, 300, 301,` `302, 303, 304, 305, 306, 307,` `308]`. With form-encoded, the notation is `http_statuses[]=200&http_statuses[]=201`. With JSON, use an Array.
`healthchecks.passive.healthy.successes` optional	Number of successes in proxied traffic (as defined by `healthchecks.passive.healthy.http_statuses`) to consider a target healthy, as observed by passive health checks. Default: `0`.
`healthchecks.passive.unhealthy.http_statuses` optional	An array of HTTP statuses which represent unhealthiness when produced by proxied traffic, as observed by passive health checks. Default: `[429, 500, 503]`. With form-encoded, the notation is `http_statuses[]=429&http_statuses[]=500`. With JSON, use an Array.
`healthchecks.passive.unhealthy.timeouts` optional	Number of timeouts in proxied traffic to consider a target unhealthy, as observed by passive health checks. Default: `0`.
`healthchecks.passive.unhealthy.http_failures` optional	Number of HTTP failures in proxied traffic (as defined by `healthchecks.passive.unhealthy.http_statuses`) to consider a target unhealthy, as observed by passive health checks. Default: `0`.
`healthchecks.passive.unhealthy.tcp_failures` optional	Number of TCP failures in proxied traffic to consider a target unhealthy, as observed by passive health checks. Default: `0`.
`healthchecks.active.https_verify_certificate`	Whether to check the validity of the SSL certificate of the remote host when performing active health checks using HTTPS. Default: `true`.
`healthchecks.active.healthy.http_statuses` optional	An array of HTTP statuses to consider a success, indicating healthiness, when returned by a probe in active health checks. Default: `[200, 302]`. With form-encoded, the notation is `http_statuses[]=200&http_statuses[]=302`. With JSON, use an Array.
`healthchecks.active.healthy.successes` optional	Number of successes in active probes (as defined by `healthchecks.active.healthy.http_statuses`) to consider a target healthy. Default: `0`.
`healthchecks.active.healthy.interval` optional	Interval between active health checks for healthy targets (in seconds). A value of zero indicates that active probes for healthy targets should not be performed. Default: `0`.
`healthchecks.active.unhealthy.http_failures` optional	Number of HTTP failures in active probes (as defined by `healthchecks.active.unhealthy.http_statuses`) to consider a target unhealthy. Default: `0`.
`healthchecks.active.unhealthy.http_statuses` optional	An array of HTTP statuses to consider a failure, indicating unhealthiness, when returned by a probe in active health checks. Default: `[429, 404, 500, 501, 502, 503,` `504, 505]`. With form-encoded, the notation is `http_statuses[]=429&http_statuses[]=404`. With JSON, use an Array.
`healthchecks.active.unhealthy.timeouts` optional	Number of timeouts in active probes to consider a target unhealthy. Default: `0`.
`healthchecks.active.unhealthy.tcp_failures` optional	Number of TCP failures in active probes to consider a target unhealthy. Default: `0`.
`healthchecks.active.unhealthy.interval` optional	Interval between active health checks for unhealthy targets (in seconds). A value of zero indicates that active probes for unhealthy targets should not be performed. Default: `0`.
`healthchecks.active.type` optional	Whether to perform active health checks using HTTP or HTTPS, or just attempt a TCP connection. Accepted values are: `"tcp"`, `"http"`, `"https"`, `"grpc"`, `"grpcs"`. Default: `"http"`.
`healthchecks.active.concurrency` optional	Number of targets to check concurrently in active health checks. Default: `10`.
`healthchecks.active.headers` optional	One or more lists of values indexed by header name to use in GET HTTP request to run as a probe on active health checks. Values must be pre-formatted.
`healthchecks.active.timeout` optional	Socket timeout for active health checks (in seconds). Default: `1`.
`healthchecks.active.http_path` optional	Path to use in GET HTTP request to run as a probe on active health checks. Default: `"/"`.
`healthchecks.active.https_sni` optional	The hostname to use as an SNI (Server Name Identification) when performing active health checks using HTTPS. This is particularly useful when Targets are configured using IPs, so that the target host’s certificate can be verified with the proper SNI.
`healthchecks.threshold` optional	The minimum percentage of the upstream’s targets’ weight that must be available for the whole upstream to be considered healthy. Default: `0`.
`tags` optional	An optional set of strings associated with the Upstream for grouping and filtering.
`host_header` optional	The hostname to be used as `Host` header when proxying requests through Kong.
`client_certificate` optional	If set, the certificate to be used as client certificate while TLS handshaking to the upstream server.With form-encoded, the notation is `client_certificate.id=<client_certificate id>`. With JSON, use “`"client_certificate":{"id":"<client_certificate id>"}`.
`use_srv_name` optional	If set, the balancer will use SRV hostname(if DNS Answer has SRV record) as the proxy upstream `Host`.

Response

HTTP 201 Created

{
    "id": "58c8ccbb-eafb-4566-991f-2ed4f678fa70",
    "created_at": 1422386534,
    "name": "my-upstream",
    "algorithm": "round-robin",
    "hash_on": "none",
    "hash_fallback": "none",
    "hash_on_cookie_path": "/",
    "slots": 10000,
    "healthchecks": {
        "passive": {
            "type": "http",
            "healthy": {
                "http_statuses": [200, 201, 202, 203, 204, 205, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
                "successes": 0
            },
            "unhealthy": {
                "http_statuses": [429, 500, 503],
                "timeouts": 0,
                "http_failures": 0,
                "tcp_failures": 0
            }
        },
        "active": {
            "https_verify_certificate": true,
            "healthy": {
                "http_statuses": [200, 302],
                "successes": 0,
                "interval": 0
            },
            "unhealthy": {
                "http_failures": 0,
                "http_statuses": [429, 404, 500, 501, 502, 503, 504, 505],
                "timeouts": 0,
                "tcp_failures": 0,
                "interval": 0
            },
            "type": "http",
            "concurrency": 10,
            "headers": [{"x-my-header":["foo", "bar"], "x-another-header":["bla"]}],
            "timeout": 1,
            "http_path": "/",
            "https_sni": "example.com"
        },
        "threshold": 0
    },
    "tags": ["user-level", "low-priority"],
    "host_header": "example.com",
    "client_certificate": {"id":"ea29aaa3-3b2d-488c-b90c-56df8e0dd8c6"},
    "use_srv_name": false
}

List Upstreams

List All Upstreams

/core-entities/upstreams

Response

HTTP 200 OK

{
"data": [{
    "id": "4fe14415-73d5-4f00-9fbc-c72a0fccfcb2",
    "created_at": 1422386534,
    "name": "my-upstream",
    "algorithm": "round-robin",
    "hash_on": "none",
    "hash_fallback": "none",
    "hash_on_cookie_path": "/",
    "slots": 10000,
    "healthchecks": {
        "passive": {
            "type": "http",
            "healthy": {
                "http_statuses": [200, 201, 202, 203, 204, 205, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
                "successes": 0
            },
            "unhealthy": {
                "http_statuses": [429, 500, 503],
                "timeouts": 0,
                "http_failures": 0,
                "tcp_failures": 0
            }
        },
        "active": {
            "https_verify_certificate": true,
            "healthy": {
                "http_statuses": [200, 302],
                "successes": 0,
                "interval": 0
            },
            "unhealthy": {
                "http_failures": 0,
                "http_statuses": [429, 404, 500, 501, 502, 503, 504, 505],
                "timeouts": 0,
                "tcp_failures": 0,
                "interval": 0
            },
            "type": "http",
            "concurrency": 10,
            "headers": [{"x-my-header":["foo", "bar"], "x-another-header":["bla"]}],
            "timeout": 1,
            "http_path": "/",
            "https_sni": "example.com"
        },
        "threshold": 0
    },
    "tags": ["user-level", "low-priority"],
    "host_header": "example.com",
    "client_certificate": {"id":"a3395f66-2af6-4c79-bea2-1b6933764f80"},
    "use_srv_name": false
}, {
    "id": "885a0392-ef1b-4de3-aacf-af3f1697ce2c",
    "created_at": 1422386534,
    "name": "my-upstream",
    "algorithm": "round-robin",
    "hash_on": "none",
    "hash_fallback": "none",
    "hash_on_cookie_path": "/",
    "slots": 10000,
    "healthchecks": {
        "passive": {
            "type": "http",
            "healthy": {
                "http_statuses": [200, 201, 202, 203, 204, 205, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
                "successes": 0
            },
            "unhealthy": {
                "http_statuses": [429, 500, 503],
                "timeouts": 0,
                "http_failures": 0,
                "tcp_failures": 0
            }
        },
        "active": {
            "https_verify_certificate": true,
            "healthy": {
                "http_statuses": [200, 302],
                "successes": 0,
                "interval": 0
            },
            "unhealthy": {
                "http_failures": 0,
                "http_statuses": [429, 404, 500, 501, 502, 503, 504, 505],
                "timeouts": 0,
                "tcp_failures": 0,
                "interval": 0
            },
            "type": "http",
            "concurrency": 10,
            "headers": [{"x-my-header":["foo", "bar"], "x-another-header":["bla"]}],
            "timeout": 1,
            "http_path": "/",
            "https_sni": "example.com"
        },
        "threshold": 0
    },
    "tags": ["admin", "high-priority", "critical"],
    "host_header": "example.com",
    "client_certificate": {"id":"f5a9c0ca-bdbb-490f-8928-2ca95836239a"},
    "use_srv_name": false
}],

    "next": "http://localhost:8001/upstreams?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve Upstream

/core-entities/upstreams/{upstream name or id}

Attributes	Description
`upstream name or id` required	The unique identifier or the name of the Upstream to retrieve.

Response

HTTP 200 OK

{
    "id": "58c8ccbb-eafb-4566-991f-2ed4f678fa70",
    "created_at": 1422386534,
    "name": "my-upstream",
    "algorithm": "round-robin",
    "hash_on": "none",
    "hash_fallback": "none",
    "hash_on_cookie_path": "/",
    "slots": 10000,
    "healthchecks": {
        "passive": {
            "type": "http",
            "healthy": {
                "http_statuses": [200, 201, 202, 203, 204, 205, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
                "successes": 0
            },
            "unhealthy": {
                "http_statuses": [429, 500, 503],
                "timeouts": 0,
                "http_failures": 0,
                "tcp_failures": 0
            }
        },
        "active": {
            "https_verify_certificate": true,
            "healthy": {
                "http_statuses": [200, 302],
                "successes": 0,
                "interval": 0
            },
            "unhealthy": {
                "http_failures": 0,
                "http_statuses": [429, 404, 500, 501, 502, 503, 504, 505],
                "timeouts": 0,
                "tcp_failures": 0,
                "interval": 0
            },
            "type": "http",
            "concurrency": 10,
            "headers": [{"x-my-header":["foo", "bar"], "x-another-header":["bla"]}],
            "timeout": 1,
            "http_path": "/",
            "https_sni": "example.com"
        },
        "threshold": 0
    },
    "tags": ["user-level", "low-priority"],
    "host_header": "example.com",
    "client_certificate": {"id":"ea29aaa3-3b2d-488c-b90c-56df8e0dd8c6"},
    "use_srv_name": false
}

Update Upstream

Update Or Create Upstream

Create Or Update Upstream

/core-entities/upstreams/{upstream name or id}

Attributes	Description
`upstream name or id` required	The unique identifier or the name of the Upstream to create or update.

Request Body

Attributes	Description
`name`	This is a hostname, which must be equal to the `host` of a Service.
`algorithm` optional	Which load balancing algorithm to use. Accepted values are: `"consistent-hashing"`, `"least-connections"`, `"round-robin"`. Default: `"round-robin"`.
`hash_on` optional	What to use as hashing input. Using `none` results in a weighted-round-robin scheme with no hashing. Accepted values are: `"none"`, `"consumer"`, `"ip"`, `"header"`, `"cookie"`, `"path"`, `"query_arg"`, `"uri_capture"`. Default: `"none"`.
`hash_fallback` optional	What to use as hashing input if the primary `hash_on` does not return a hash (eg. header is missing, or no Consumer identified). Not available if `hash_on` is set to `cookie`. Accepted values are: `"none"`, `"consumer"`, `"ip"`, `"header"`, `"cookie"`, `"path"`, `"query_arg"`, `"uri_capture"`. Default: `"none"`.
`hash_on_header` semi-optional	The header name to take the value from as hash input. Only required when `hash_on` is set to `header`.
`hash_fallback_header` semi-optional	The header name to take the value from as hash input. Only required when `hash_fallback` is set to `header`.
`hash_on_cookie` semi-optional	The cookie name to take the value from as hash input. Only required when `hash_on` or `hash_fallback` is set to `cookie`. If the specified cookie is not in the request, Kong will generate a value and set the cookie in the response.
`hash_on_cookie_path` semi-optional	The cookie path to set in the response headers. Only required when `hash_on` or `hash_fallback` is set to `cookie`. Default: `"/"`.
`hash_on_query_arg` semi-optional	The name of the query string argument to take the value from as hash input. Only required when `hash_on` is set to `query_arg`.
`hash_fallback_query_arg` semi-optional	The name of the query string argument to take the value from as hash input. Only required when `hash_fallback` is set to `query_arg`.
`hash_on_uri_capture` semi-optional	The name of the route URI capture to take the value from as hash input. Only required when `hash_on` is set to `uri_capture`.
`hash_fallback_uri_capture` semi-optional	The name of the route URI capture to take the value from as hash input. Only required when `hash_fallback` is set to `uri_capture`.
`slots` optional	The number of slots in the load balancer algorithm. If `algorithm` is set to `round-robin`, this setting determines the maximum number of slots. If `algorithm` is set to `consistent-hashing`, this setting determines the actual number of slots in the algorithm. Accepts an integer in the range `10`-`65536`. Default: `10000`.
`healthchecks.passive.type` optional	Whether to perform passive health checks interpreting HTTP/HTTPS statuses, or just check for TCP connection success. In passive checks, `http` and `https` options are equivalent. Accepted values are: `"tcp"`, `"http"`, `"https"`, `"grpc"`, `"grpcs"`. Default: `"http"`.
`healthchecks.passive.healthy.http_statuses` optional	An array of HTTP statuses which represent healthiness when produced by proxied traffic, as observed by passive health checks. Default: `[200, 201, 202, 203, 204, 205,` `206, 207, 208, 226, 300, 301,` `302, 303, 304, 305, 306, 307,` `308]`. With form-encoded, the notation is `http_statuses[]=200&http_statuses[]=201`. With JSON, use an Array.
`healthchecks.passive.healthy.successes` optional	Number of successes in proxied traffic (as defined by `healthchecks.passive.healthy.http_statuses`) to consider a target healthy, as observed by passive health checks. Default: `0`.
`healthchecks.passive.unhealthy.http_statuses` optional	An array of HTTP statuses which represent unhealthiness when produced by proxied traffic, as observed by passive health checks. Default: `[429, 500, 503]`. With form-encoded, the notation is `http_statuses[]=429&http_statuses[]=500`. With JSON, use an Array.
`healthchecks.passive.unhealthy.timeouts` optional	Number of timeouts in proxied traffic to consider a target unhealthy, as observed by passive health checks. Default: `0`.
`healthchecks.passive.unhealthy.http_failures` optional	Number of HTTP failures in proxied traffic (as defined by `healthchecks.passive.unhealthy.http_statuses`) to consider a target unhealthy, as observed by passive health checks. Default: `0`.
`healthchecks.passive.unhealthy.tcp_failures` optional	Number of TCP failures in proxied traffic to consider a target unhealthy, as observed by passive health checks. Default: `0`.
`healthchecks.active.https_verify_certificate`	Whether to check the validity of the SSL certificate of the remote host when performing active health checks using HTTPS. Default: `true`.
`healthchecks.active.healthy.http_statuses` optional	An array of HTTP statuses to consider a success, indicating healthiness, when returned by a probe in active health checks. Default: `[200, 302]`. With form-encoded, the notation is `http_statuses[]=200&http_statuses[]=302`. With JSON, use an Array.
`healthchecks.active.healthy.successes` optional	Number of successes in active probes (as defined by `healthchecks.active.healthy.http_statuses`) to consider a target healthy. Default: `0`.
`healthchecks.active.healthy.interval` optional	Interval between active health checks for healthy targets (in seconds). A value of zero indicates that active probes for healthy targets should not be performed. Default: `0`.
`healthchecks.active.unhealthy.http_failures` optional	Number of HTTP failures in active probes (as defined by `healthchecks.active.unhealthy.http_statuses`) to consider a target unhealthy. Default: `0`.
`healthchecks.active.unhealthy.http_statuses` optional	An array of HTTP statuses to consider a failure, indicating unhealthiness, when returned by a probe in active health checks. Default: `[429, 404, 500, 501, 502, 503,` `504, 505]`. With form-encoded, the notation is `http_statuses[]=429&http_statuses[]=404`. With JSON, use an Array.
`healthchecks.active.unhealthy.timeouts` optional	Number of timeouts in active probes to consider a target unhealthy. Default: `0`.
`healthchecks.active.unhealthy.tcp_failures` optional	Number of TCP failures in active probes to consider a target unhealthy. Default: `0`.
`healthchecks.active.unhealthy.interval` optional	Interval between active health checks for unhealthy targets (in seconds). A value of zero indicates that active probes for unhealthy targets should not be performed. Default: `0`.
`healthchecks.active.type` optional	Whether to perform active health checks using HTTP or HTTPS, or just attempt a TCP connection. Accepted values are: `"tcp"`, `"http"`, `"https"`, `"grpc"`, `"grpcs"`. Default: `"http"`.
`healthchecks.active.concurrency` optional	Number of targets to check concurrently in active health checks. Default: `10`.
`healthchecks.active.headers` optional	One or more lists of values indexed by header name to use in GET HTTP request to run as a probe on active health checks. Values must be pre-formatted.
`healthchecks.active.timeout` optional	Socket timeout for active health checks (in seconds). Default: `1`.
`healthchecks.active.http_path` optional	Path to use in GET HTTP request to run as a probe on active health checks. Default: `"/"`.
`healthchecks.active.https_sni` optional	The hostname to use as an SNI (Server Name Identification) when performing active health checks using HTTPS. This is particularly useful when Targets are configured using IPs, so that the target host’s certificate can be verified with the proper SNI.
`healthchecks.threshold` optional	The minimum percentage of the upstream’s targets’ weight that must be available for the whole upstream to be considered healthy. Default: `0`.
`tags` optional	An optional set of strings associated with the Upstream for grouping and filtering.
`host_header` optional	The hostname to be used as `Host` header when proxying requests through Kong.
`client_certificate` optional	If set, the certificate to be used as client certificate while TLS handshaking to the upstream server.With form-encoded, the notation is `client_certificate.id=<client_certificate id>`. With JSON, use “`"client_certificate":{"id":"<client_certificate id>"}`.
`use_srv_name` optional	If set, the balancer will use SRV hostname(if DNS Answer has SRV record) as the proxy upstream `Host`.

Inserts (or replaces) the Upstream under the requested resource with the definition specified in the body. The Upstream will be identified via the name or id attribute.

When the name or id attribute has the structure of a UUID, the Upstream being inserted/replaced will be identified by its id. Otherwise it will be identified by its name.

When creating a new Upstream without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a name in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete Upstream

Delete Upstream

/core-entities/upstreams/{upstream name or id}

Attributes	Description
`upstream name or id` required	The unique identifier or the name of the Upstream to delete.

Response

HTTP 204 No Content

Target Object

A target is an ip address/hostname with a port that identifies an instance of a backend service. Every upstream can have many targets, and the targets can be dynamically added, modified, or deleted. Changes take effect on the fly.

To disable a target, post a new one with weight=0; alternatively, use the DELETE convenience method to accomplish the same.

The current target object definition is the one with the latest created_at.

Targets can be both tagged and filtered by tags.

{
    "id": "173a6cee-90d1-40a7-89cf-0329eca780a6",
    "created_at": 1422386534,
    "upstream": {"id":"bdab0e47-4e37-4f0b-8fd0-87d95cc4addc"},
    "target": "example.com:8000",
    "weight": 100,
    "tags": ["user-level", "low-priority"]
}

Delete Target

Remove a target from the load balancer.

/core-entities/upstreams/{upstream name or id}/targets/{host:port or id}

Attributes	Description
`upstream name or id` required	The unique identifier or the name of the upstream for which to delete the target.
`host:port or id` required	The host:port combination element of the target to remove, or the `id` of an existing target entry.

Response

HTTP 204 No Content

List All Targets

Lists all targets of the upstream. Multiple target objects for the same target may be returned, showing the history of changes for a specific target. The target object with the latest created_at is the current definition.

/upstreams/{name or id}/targets/all

Attributes	Description
`name or id` required	The unique identifier or the name of the upstream for which to list the targets.

Response

HTTP 200 OK

{
    "total": 2,
    "data": [
        {
            "created_at": 1485524883980,
            "id": "18c0ad90-f942-4098-88db-bbee3e43b27f",
            "target": "127.0.0.1:20000",
            "upstream_id": "07131005-ba30-4204-a29f-0927d53257b4",
            "weight": 100
        },
        {
            "created_at": 1485524914883,
            "id": "6c6f34eb-e6c3-4c1f-ac58-4060e5bca890",
            "target": "127.0.0.1:20002",
            "upstream_id": "07131005-ba30-4204-a29f-0927d53257b4",
            "weight": 200
        }
    ]
}

Vaults Entity

Vault entities are used to configure different Vault connectors. Examples of Vaults are Environment Variables, Hashicorp Vault and AWS Secrets Manager.

Configuring a Vault allows referencing the secrets with other entities. For example a certificate entity can store a reference to a certificate and key, stored in a vault, instead of storing the certificate and key within the entity. This allows a proper separation of secrets and configuration and prevents secret sprawl.

Vaults can be both tagged and filtered by tags.

{
    "id": "B2A30E8F-C542-49CF-8015-FB674987D1A5",
    "prefix": "env",
    "name": "env",
    "description": "This vault is used to retrieve redis database access credentials",
    "config": {"prefix":"SSL_"},
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "tags": ["database-credentials", "data-plane"]
}

Add Vault

Create Vault

/core-entities/vaults

Request Body

Attributes	Description
`prefix`	The unique prefix (or identifier) for this Vault configuration. The prefix is used to load the right Vault configuration and implementation when referencing secrets with the other entities.
`name`	The name of the Vault that’s going to be added. Currently, the Vault implementation must be installed in every Kong instance.
`description` optional	The description of the Vault entity.
`config` optional	The configuration properties for the Vault which can be found on the vaults’ documentation page.
`tags` optional	An optional set of strings associated with the Vault for grouping and filtering.

Response

HTTP 201 Created

{
    "id": "B2A30E8F-C542-49CF-8015-FB674987D1A5",
    "prefix": "env",
    "name": "env",
    "description": "This vault is used to retrieve redis database access credentials",
    "config": {"prefix":"SSL_"},
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "tags": ["database-credentials", "data-plane"]
}

List Vaults

List All Vaults

/core-entities/vaults

Response

HTTP 200 OK

{
"data": [{
    "id": "518BBE43-2454-4559-99B0-8E7D1CD3E8C8",
    "prefix": "env",
    "name": "env",
    "description": "This vault is used to retrieve redis database access credentials",
    "config": {"prefix":"SSL_"},
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "tags": ["database-credentials", "data-plane"]
}, {
    "id": "7C4747E9-E831-4ED8-9377-83A6F8A37603",
    "prefix": "env",
    "name": "env",
    "description": "This vault is used to retrieve redis database access credentials",
    "config": {"prefix":"SSL_"},
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "tags": ["certificates", "critical"]
}],

    "next": "http://localhost:8001/vaults?offset=6378122c-a0a1-438d-a5c6-efabae9fb969"
}

Retrieve Vault

/core-entities/vaults/{vault prefix or id}

Attributes	Description
`vault prefix or id` required	The unique identifier or the prefix of the Vault to retrieve.

Response

HTTP 200 OK

{
    "id": "B2A30E8F-C542-49CF-8015-FB674987D1A5",
    "prefix": "env",
    "name": "env",
    "description": "This vault is used to retrieve redis database access credentials",
    "config": {"prefix":"SSL_"},
    "created_at": 1422386534,
    "updated_at": 1422386534,
    "tags": ["database-credentials", "data-plane"]
}

Update Vault

Update Or Create Vault

Create Or Update Vault

/core-entities/vaults/{vault prefix or id}

Attributes	Description
`vault prefix or id` required	The unique identifier or the prefix of the Vault to create or update.

Request Body

Attributes	Description
`prefix`	The unique prefix (or identifier) for this Vault configuration. The prefix is used to load the right Vault configuration and implementation when referencing secrets with the other entities.
`name`	The name of the Vault that’s going to be added. Currently, the Vault implementation must be installed in every Kong instance.
`description` optional	The description of the Vault entity.
`config` optional	The configuration properties for the Vault which can be found on the vaults’ documentation page.
`tags` optional	An optional set of strings associated with the Vault for grouping and filtering.

Inserts (or replaces) the Vault under the requested resource with the definition specified in the body. The Vault will be identified via the prefix or id attribute.

When the prefix or id attribute has the structure of a UUID, the Vault being inserted/replaced will be identified by its id. Otherwise it will be identified by its prefix.

When creating a new Vault without specifying id (neither in the URL nor in the body), then it will be auto-generated.

Notice that specifying a prefix in the URL and a different one in the request body is not allowed.

Response

HTTP 200 OK

Delete Vault

Delete Vault

/core-entities/vaults/{vault prefix or id}

Attributes	Description
`vault prefix or id` required	The unique identifier or the prefix of the Vault to delete.

Response

HTTP 204 No Content