Version: latest

Plugins

A Plugin is a modular component that intercepts and modifies the request and response flow through the gateway. API7 Gateway includes over 100 enterprise-grade plugins for authentication, traffic control, observability, security, and AI capabilities.

Plugin execution

Plugins are executed in a specific order based on their Priority. A plugin with a higher priority number runs before a plugin with a lower priority number. This ensures that essential functions like authentication are completed before traffic control or proxying.

Plugin scopes

You can apply plugins at different levels of the configuration hierarchy:

Route level: Applied to a specific route. Only affects traffic matching that route.
Service level: Applied to a Service Template. Affects all routes within that service.
Consumer level: Applied to a specific Consumer. Affects all traffic identified as belonging to that consumer.
Global Rule: Applied to an entire Gateway Group. Affects all routes managed by that group.

Plugin categories

API7 Gateway categorizes plugins by their primary function. The following table provides examples of commonly used enterprise plugins:

Category	Examples
Authentication	`key-auth`, `jwt-auth`, `basic-auth`, `hmac-auth`, `openid-connect`, `ldap-auth`, `multi-auth`
Traffic Control	`limit-count`, `limit-req`, `limit-conn`, `limit-count-advanced`, `api-breaker`, `traffic-split`
Transformation	`proxy-rewrite`, `response-rewrite`, `body-transformer`, `grpc-transcode`
Observability	`prometheus`, `opentelemetry`, `http-logger`, `kafka-logger`, `loki-logger`, `splunk-hec-logging`
Security	`cors`, `ip-restriction`, `ua-restriction`, `consumer-restriction`, `csrf`, `data-mask`, `opa`, `chaitin-waf`
AI Gateway	`ai-proxy`, `ai-proxy-multi`, `ai-rate-limiting`, `ai-rag`, `ai-prompt-template`, `ai-prompt-guard`
Serverless	`aws-lambda`, `azure-functions`, `serverless-pre-function`, `serverless-post-function`

Plugin Metadata

Some plugins require shared configuration across all instances of that plugin type. This is managed via Plugin Metadata. For example, you can define a shared Kafka broker address in the kafka-logger metadata, which all instances of the plugin will then use.

Configuration example

Plugins are defined as key-value pairs where the key is the plugin name and the value is the configuration object.

Admin API
ADC

curl -k "https://localhost:7443/api/v1/services/{service_id}" -X PATCH \
  -H "X-API-KEY: ${API_KEY}" \
  -d '{
    "plugins": {
      "limit-count": {
        "count": 100,
        "time_window": 60,
        "rejected_code": 429
      }
    }
  }'

services:
  - name: user-service
    plugins:
      limit-count:
        count: 100
        time_window: 60
        rejected_code: 429

Next steps

Configure Rate Limiting — protect your services from traffic spikes.
Develop Custom Lua Plugins — extend the gateway with your own logic.
Services and Routes — learn how plugins attach to services and routes.

Plugin execution​

Plugin scopes​

Plugin categories​

Plugin Metadata​

Configuration example​

Next steps​