Edit this page
Report an issuePlugin Ordering Reference
This document contains reference information about dynamic plugin ordering and plugin execution order in Konnect.
Dynamic plugin ordering
By default, plugins execution order is static. You can override the static priority for any Konnect plugin by using each plugin’s
dynamic plugin ordering settings field. This determines plugin ordering during the access phase,
and lets you create dynamic dependencies between plugins.
To configure this setting in Konnect, go to Gateway Manager > Plugins, and then select Configure Dynamic Ordering from the context menu next to the plugin you want to configure. From the plugin ordering settings, you can configure whether a plugin runs before or after another plugin.
Note: There are limitations to dynamic plugin ordering. Particularly, dynamic plugin ordering can’t coexist with consumer-scoped plugins, even if they are applied to entirely different service and route pairs, or are running globally. For more information, see Known Limitations in Dynamic Plugin Ordering.
Plugin execution order
The order in which plugins are executed in Konnect is determined by their static priority. As the name suggests, this value is static and can’t be easily changed by the user.
The following list includes all plugins bundled with a Konnect Enterprise subscription.
The current order of execution for the bundled plugins is:
| Plugin | Priority |
|---|---|
| pre-function | 1000000 |
| app-dynamics | 999999 |
| correlation-id | 100001 |
| zipkin | 100000 |
| exit-transformer | 9999 |
| bot-detection | 2500 |
| cors | 2000 |
| jwe-decrypt | 1999 |
| session | 1900 |
| acme | 1705 |
| oauth2-introspection | 1700 |
| mtls-auth | 1600 |
| degraphql | 1500 |
| jwt | 1450 |
| oauth2 | 1400 |
| vault-auth | 1350 |
| key-auth | 1250 |
| key-auth-enc | 1250 |
| ldap-auth | 1200 |
| ldap-auth-advanced | 1200 |
| basic-auth | 1100 |
| openid-connect | 1050 |
| hmac-auth | 1030 |
| jwt-signer | 1020 |
| saml | 1010 |
| header-cert-auth | 1009 |
| json-threat-protection | 1009 |
| xml-threat-protection | 1008 |
| injection-protection | 1007 |
| websocket-validator | 1006 |
| websocket-size-limit | 1003 |
| request-validator | 999 |
| grpc-gateway | 998 |
| tls-handshake-modifier | 997 |
| tls-metadata-headers | 996 |
| ip-restriction | 990 |
| request-size-limiting | 951 |
| acl | 950 |
| opa | 920 |
| service-protection | 915 |
| rate-limiting | 910 |
| rate-limiting-advanced | 910 |
| ai-rate-limiting-advanced | 905 |
| graphql-rate-limiting-advanced | 902 |
| response-ratelimiting | 900 |
| route-by-header | 850 |
| oas-validation | 840 |
| request-callout | 812 |
| jq | 811 |
| request-transformer-advanced | 802 |
| request-transformer | 801 |
| response-transformer | 800 |
| response-transformer-advanced | 800 |
| route-transformer-advanced | 780 |
| redirect | 779 |
| ai-rag-injector | 778 |
| ai-request-transformer | 777 |
| ai-sanitizer | 776 |
| ai-semantic-prompt-guard | 775 |
| ai-azure-content-safety | 774 |
| ai-prompt-template | 773 |
| ai-prompt-decorator | 772 |
| ai-prompt-guard | 771 |
| ai-proxy | 770 |
| ai-proxy-advanced | 770 |
| ai-response-transformer | 768 |
| ai-semantic-cache | 765 |
| standard-webhooks | 760 |
| upstream-oauth | 760 |
| confluent-consume | 754 |
| kafka-consume | 753 |
| confluent | 752 |
| kafka-upstream | 751 |
| aws-lambda | 750 |
| azure-functions | 749 |
| upstream-timeout | 400 |
| proxy-cache | 100 |
| proxy-cache-advanced | 100 |
| graphql-proxy-cache-advanced | 99 |
| forward-proxy | 50 |
| canary | 20 |
| opentelemetry | 14 |
| prometheus | 13 |
| http-log | 12 |
| statsd | 11 |
| statsd-advanced | 11 |
| datadog | 10 |
| file-log | 9 |
| udp-log | 8 |
| tcp-log | 7 |
| loggly | 6 |
| kafka-log | 5 |
| syslog | 4 |
| grpc-web | 3 |
| request-termination | 2 |
| mocking | -1 |
| post-function | -1000 |
