published on Friday, Apr 24, 2026 by kong
GatewayPluginAiMcpOauth2 Resource
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as konnect from "@pulumi/konnect";
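// Secret-bearing inputs are read from encrypted stack configuration instead of
// being written as string literals, so they never land in source control.
// Provide each one with `pulumi config set --secret <key> <value>` before deploying.
const stackConfig = new pulumi.Config();

const myGatewaypluginaimcpoauth2 = new konnect.GatewayPluginAiMcpOauth2("my_gatewaypluginaimcpoauth2", {
    condition: "...my_condition...",
    config: {
        args: {
            key: "value",
        },
        authorizationServers: ["..."],
        cacheIntrospection: true,
        claimToHeaders: [{
            claim: "...my_claim...",
            header: "...my_header...",
        }],
        clientAlg: "HS384",
        clientAuth: "none",
        clientId: "...my_client_id...",
        // NOTE(review): a client JWK may carry private key material — confirm, and
        // if so read it with requireSecret like the values below.
        clientJwk: "...my_client_jwk...",
        clientSecret: stackConfig.requireSecret("clientSecret"),
        consumerBies: ["custom_id"],
        consumerClaims: ["..."],
        consumerGroupsClaims: ["..."],
        consumerGroupsOptional: false,
        consumerOptional: false,
        credentialClaims: ["..."],
        headers: {
            key: "value",
        },
        httpProxy: "...my_http_proxy...",
        // Proxy authorization values are credentials; keep them out of the program text.
        httpProxyAuthorization: stackConfig.requireSecret("httpProxyAuthorization"),
        httpVersion: 9.95,
        httpsProxy: "...my_https_proxy...",
        httpsProxyAuthorization: stackConfig.requireSecret("httpsProxyAuthorization"),
        // NOTE(review): the name marks this as a relaxation of audience checks;
        // leave it false unless the property reference says otherwise.
        insecureRelaxedAudienceValidation: false,
        introspectionEndpoint: "...my_introspection_endpoint...",
        introspectionFormat: "base64",
        jwksCacheTtl: 3600,
        jwksEndpoint: "...my_jwks_endpoint...",
        jwtClaimsLeeway: 0,
        keepalive: true,
        maxRequestBodySize: 1048576,
        metadataCacheTtl: 3600,
        metadataDiscoveryEndpoint: "...my_metadata_discovery_endpoint...",
        metadataDiscoveryRetry: 3,
        metadataEndpoint: "...my_metadata_endpoint...",
        mtlsIntrospectionEndpoint: "...my_mtls_introspection_endpoint...",
        noProxy: "...my_no_proxy...",
        passthroughCredentials: false,
        resource: "...my_resource...",
        scopesSupporteds: ["..."],
        // NOTE(review): presumably TLS certificate verification for the plugin's
        // outbound requests — keep it true; the constructor reference example on
        // this page shows false only as a type placeholder.
        sslVerify: true,
        timeout: 10000,
        tlsClientAuthCert: "...my_tls_client_auth_cert...",
        // Private key for TLS client authentication: always a secret.
        tlsClientAuthKey: stackConfig.requireSecret("tlsClientAuthKey"),
        tlsClientAuthSslVerify: true,
        tokenExchange: {
            cache: {
                enabled: true,
                ttl: 3600,
            },
            clientAuth: "client_secret_basic",
            clientId: "...my_client_id...",
            clientSecret: stackConfig.requireSecret("tokenExchangeClientSecret"),
            enabled: false,
            request: {
                // NOTE(review): a static actor token is a bearer credential — if it
                // is ever set, source it from secret config as well.
                actorToken: "...my_actor_token...",
                actorTokenHeader: "...my_actor_token_header...",
                actorTokenSource: "none",
                actorTokenType: "urn:ietf:params:oauth:token-type:access_token",
                audiences: ["..."],
                requestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
                resource: "...my_resource...",
                scopes: ["..."],
                subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
            },
            tokenEndpoint: "...my_token_endpoint...",
        },
        upstreamHeaders: [{
            header: "...my_header...",
            paths: ["..."],
        }],
    },
    controlPlaneId: "9524ec7d-36d9-465d-a8c5-83a3c9390458",
    createdAt: 6,
    enabled: true,
    gatewayPluginAiMcpOauth2Id: "...my_id...",
    instanceName: "...my_instance_name...",
    ordering: {
        after: {
            accesses: ["..."],
        },
        before: {
            accesses: ["..."],
        },
    },
    partials: [{
        id: "...my_id...",
        name: "...my_name...",
        path: "...my_path...",
    }],
    protocols: ["grpc"],
    route: {
        id: "...my_id...",
    },
    service: {
        id: "...my_id...",
    },
    tags: ["..."],
    updatedAt: 4,
});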
import pulumi
import pulumi_konnect as konnect
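# Secret-bearing inputs are read from encrypted stack configuration instead of
# being written as string literals, so they never land in source control.
# Provide each one with `pulumi config set --secret <key> <value>` before deploying.
stack_config = pulumi.Config()

my_gatewaypluginaimcpoauth2 = konnect.GatewayPluginAiMcpOauth2("my_gatewaypluginaimcpoauth2",
    condition="...my_condition...",
    config={
        "args": {
            "key": "value",
        },
        "authorization_servers": ["..."],
        "cache_introspection": True,
        "claim_to_headers": [{
            "claim": "...my_claim...",
            "header": "...my_header...",
        }],
        "client_alg": "HS384",
        "client_auth": "none",
        "client_id": "...my_client_id...",
        # NOTE(review): a client JWK may carry private key material — confirm, and
        # if so read it with require_secret like the values below.
        "client_jwk": "...my_client_jwk...",
        "client_secret": stack_config.require_secret("clientSecret"),
        "consumer_bies": ["custom_id"],
        "consumer_claims": ["..."],
        "consumer_groups_claims": ["..."],
        "consumer_groups_optional": False,
        "consumer_optional": False,
        "credential_claims": ["..."],
        "headers": {
            "key": "value",
        },
        "http_proxy": "...my_http_proxy...",
        # Proxy authorization values are credentials; keep them out of the program text.
        "http_proxy_authorization": stack_config.require_secret("httpProxyAuthorization"),
        "http_version": 9.95,
        "https_proxy": "...my_https_proxy...",
        "https_proxy_authorization": stack_config.require_secret("httpsProxyAuthorization"),
        # NOTE(review): the name marks this as a relaxation of audience checks;
        # leave it False unless the property reference says otherwise.
        "insecure_relaxed_audience_validation": False,
        "introspection_endpoint": "...my_introspection_endpoint...",
        "introspection_format": "base64",
        "jwks_cache_ttl": 3600,
        "jwks_endpoint": "...my_jwks_endpoint...",
        "jwt_claims_leeway": 0,
        "keepalive": True,
        "max_request_body_size": 1048576,
        "metadata_cache_ttl": 3600,
        "metadata_discovery_endpoint": "...my_metadata_discovery_endpoint...",
        "metadata_discovery_retry": 3,
        "metadata_endpoint": "...my_metadata_endpoint...",
        "mtls_introspection_endpoint": "...my_mtls_introspection_endpoint...",
        "no_proxy": "...my_no_proxy...",
        "passthrough_credentials": False,
        "resource": "...my_resource...",
        "scopes_supporteds": ["..."],
        # NOTE(review): presumably TLS certificate verification for the plugin's
        # outbound requests — keep it True; the constructor reference example on
        # this page shows false only as a type placeholder.
        "ssl_verify": True,
        "timeout": 10000,
        "tls_client_auth_cert": "...my_tls_client_auth_cert...",
        # Private key for TLS client authentication: always a secret.
        "tls_client_auth_key": stack_config.require_secret("tlsClientAuthKey"),
        "tls_client_auth_ssl_verify": True,
        "token_exchange": {
            "cache": {
                "enabled": True,
                "ttl": 3600,
            },
            "client_auth": "client_secret_basic",
            "client_id": "...my_client_id...",
            "client_secret": stack_config.require_secret("tokenExchangeClientSecret"),
            "enabled": False,
            "request": {
                # NOTE(review): a static actor token is a bearer credential — if it
                # is ever set, source it from secret config as well.
                "actor_token": "...my_actor_token...",
                "actor_token_header": "...my_actor_token_header...",
                "actor_token_source": "none",
                "actor_token_type": "urn:ietf:params:oauth:token-type:access_token",
                "audiences": ["..."],
                "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
                "resource": "...my_resource...",
                "scopes": ["..."],
                "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
            },
            "token_endpoint": "...my_token_endpoint...",
        },
        "upstream_headers": [{
            "header": "...my_header...",
            "paths": ["..."],
        }],
    },
    control_plane_id="9524ec7d-36d9-465d-a8c5-83a3c9390458",
    created_at=6,
    enabled=True,
    gateway_plugin_ai_mcp_oauth2_id="...my_id...",
    instance_name="...my_instance_name...",
    ordering={
        "after": {
            "accesses": ["..."],
        },
        "before": {
            "accesses": ["..."],
        },
    },
    partials=[{
        "id": "...my_id...",
        "name": "...my_name...",
        "path": "...my_path...",
    }],
    protocols=["grpc"],
    route={
        "id": "...my_id...",
    },
    service={
        "id": "...my_id...",
    },
    tags=["..."],
    updated_at=4)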
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/konnect/v3/konnect"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a single GatewayPluginAiMcpOauth2 resource with every input
// property populated by a placeholder value.
//
// NOTE(review): ClientSecret, TlsClientAuthKey, the two *ProxyAuthorization
// values and TokenExchange.ClientSecret are credentials. In a real program read
// them from encrypted stack configuration (config.RequireSecret from
// github.com/pulumi/pulumi/sdk/v3/go/pulumi/config) instead of literals.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pluginArgs := &konnect.GatewayPluginAiMcpOauth2Args{
			Condition: pulumi.String("...my_condition..."),
			Config: &konnect.GatewayPluginAiMcpOauth2ConfigArgs{
				Args: pulumi.StringMap{
					"key": pulumi.String("value"),
				},
				AuthorizationServers: pulumi.StringArray{
					pulumi.String("..."),
				},
				CacheIntrospection: pulumi.Bool(true),
				ClaimToHeaders: konnect.GatewayPluginAiMcpOauth2ConfigClaimToHeaderArray{
					&konnect.GatewayPluginAiMcpOauth2ConfigClaimToHeaderArgs{
						Claim:  pulumi.String("...my_claim..."),
						Header: pulumi.String("...my_header..."),
					},
				},
				ClientAlg:  pulumi.String("HS384"),
				ClientAuth: pulumi.String("none"),
				ClientId:   pulumi.String("...my_client_id..."),
				ClientJwk:  pulumi.String("...my_client_jwk..."),
				// Credential: placeholder only, never commit a real value here.
				ClientSecret: pulumi.String("...my_client_secret..."),
				ConsumerBies: pulumi.StringArray{
					pulumi.String("custom_id"),
				},
				ConsumerClaims: pulumi.StringArray{
					pulumi.String("..."),
				},
				ConsumerGroupsClaims: pulumi.StringArray{
					pulumi.String("..."),
				},
				ConsumerGroupsOptional: pulumi.Bool(false),
				ConsumerOptional:       pulumi.Bool(false),
				CredentialClaims: pulumi.StringArray{
					pulumi.String("..."),
				},
				Headers: pulumi.StringMap{
					"key": pulumi.String("value"),
				},
				HttpProxy:               pulumi.String("...my_http_proxy..."),
				HttpProxyAuthorization:  pulumi.String("...my_http_proxy_authorization..."),
				HttpVersion:             pulumi.Float64(9.95),
				HttpsProxy:              pulumi.String("...my_https_proxy..."),
				HttpsProxyAuthorization: pulumi.String("...my_https_proxy_authorization..."),
				// NOTE(review): the name marks this as a relaxation of audience
				// checks; leave it false unless the property reference says otherwise.
				InsecureRelaxedAudienceValidation: pulumi.Bool(false),
				IntrospectionEndpoint:             pulumi.String("...my_introspection_endpoint..."),
				IntrospectionFormat:               pulumi.String("base64"),
				JwksCacheTtl:                      pulumi.Float64(3600),
				JwksEndpoint:                      pulumi.String("...my_jwks_endpoint..."),
				JwtClaimsLeeway:                   pulumi.Float64(0),
				Keepalive:                         pulumi.Bool(true),
				MaxRequestBodySize:                pulumi.Float64(1048576),
				MetadataCacheTtl:                  pulumi.Float64(3600),
				MetadataDiscoveryEndpoint:         pulumi.String("...my_metadata_discovery_endpoint..."),
				MetadataDiscoveryRetry:            pulumi.Float64(3),
				MetadataEndpoint:                  pulumi.String("...my_metadata_endpoint..."),
				MtlsIntrospectionEndpoint:         pulumi.String("...my_mtls_introspection_endpoint..."),
				NoProxy:                           pulumi.String("...my_no_proxy..."),
				PassthroughCredentials:            pulumi.Bool(false),
				Resource:                          pulumi.String("...my_resource..."),
				ScopesSupporteds: pulumi.StringArray{
					pulumi.String("..."),
				},
				// NOTE(review): presumably TLS certificate verification for the
				// plugin's outbound requests — keep it true.
				SslVerify:         pulumi.Bool(true),
				Timeout:           pulumi.Float64(10000),
				TlsClientAuthCert: pulumi.String("...my_tls_client_auth_cert..."),
				// Private key for TLS client authentication: placeholder only.
				TlsClientAuthKey:       pulumi.String("...my_tls_client_auth_key..."),
				TlsClientAuthSslVerify: pulumi.Bool(true),
				TokenExchange: &konnect.GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs{
					Cache: &konnect.GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs{
						Enabled: pulumi.Bool(true),
						Ttl:     pulumi.Float64(3600),
					},
					ClientAuth:   pulumi.String("client_secret_basic"),
					ClientId:     pulumi.String("...my_client_id..."),
					ClientSecret: pulumi.String("...my_client_secret..."),
					Enabled:      pulumi.Bool(false),
					Request: &konnect.GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs{
						ActorToken:       pulumi.String("...my_actor_token..."),
						ActorTokenHeader: pulumi.String("...my_actor_token_header..."),
						ActorTokenSource: pulumi.String("none"),
						ActorTokenType:   pulumi.String("urn:ietf:params:oauth:token-type:access_token"),
						Audiences: pulumi.StringArray{
							pulumi.String("..."),
						},
						RequestedTokenType: pulumi.String("urn:ietf:params:oauth:token-type:access_token"),
						Resource:           pulumi.String("...my_resource..."),
						Scopes: pulumi.StringArray{
							pulumi.String("..."),
						},
						SubjectTokenType: pulumi.String("urn:ietf:params:oauth:token-type:access_token"),
					},
					TokenEndpoint: pulumi.String("...my_token_endpoint..."),
				},
				UpstreamHeaders: konnect.GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArray{
					&konnect.GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArgs{
						Header: pulumi.String("...my_header..."),
						Paths: pulumi.StringArray{
							pulumi.String("..."),
						},
					},
				},
			},
			ControlPlaneId:             pulumi.String("9524ec7d-36d9-465d-a8c5-83a3c9390458"),
			CreatedAt:                  pulumi.Float64(6),
			Enabled:                    pulumi.Bool(true),
			GatewayPluginAiMcpOauth2Id: pulumi.String("...my_id..."),
			InstanceName:               pulumi.String("...my_instance_name..."),
			Ordering: &konnect.GatewayPluginAiMcpOauth2OrderingArgs{
				After: &konnect.GatewayPluginAiMcpOauth2OrderingAfterArgs{
					Accesses: pulumi.StringArray{
						pulumi.String("..."),
					},
				},
				Before: &konnect.GatewayPluginAiMcpOauth2OrderingBeforeArgs{
					Accesses: pulumi.StringArray{
						pulumi.String("..."),
					},
				},
			},
			Partials: konnect.GatewayPluginAiMcpOauth2PartialArray{
				&konnect.GatewayPluginAiMcpOauth2PartialArgs{
					Id:   pulumi.String("...my_id..."),
					Name: pulumi.String("...my_name..."),
					Path: pulumi.String("...my_path..."),
				},
			},
			Protocols: pulumi.StringArray{
				pulumi.String("grpc"),
			},
			Route: &konnect.GatewayPluginAiMcpOauth2RouteArgs{
				Id: pulumi.String("...my_id..."),
			},
			Service: &konnect.GatewayPluginAiMcpOauth2ServiceArgs{
				Id: pulumi.String("...my_id..."),
			},
			Tags: pulumi.StringArray{
				pulumi.String("..."),
			},
			UpdatedAt: pulumi.Float64(4),
		}

		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := konnect.NewGatewayPluginAiMcpOauth2(ctx, "my_gatewaypluginaimcpoauth2", pluginArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Konnect = Pulumi.Konnect;
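return await Deployment.RunAsync(() =>
{
    // Secret-bearing inputs are read from encrypted stack configuration instead of
    // being written as string literals, so they never land in source control.
    // Provide each one with `pulumi config set --secret <key> <value>` before deploying.
    var stackConfig = new Pulumi.Config();

    var myGatewaypluginaimcpoauth2 = new Konnect.GatewayPluginAiMcpOauth2("my_gatewaypluginaimcpoauth2", new()
    {
        Condition = "...my_condition...",
        Config = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigArgs
        {
            Args =
            {
                { "key", "value" },
            },
            AuthorizationServers = new[]
            {
                "...",
            },
            CacheIntrospection = true,
            ClaimToHeaders = new[]
            {
                new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigClaimToHeaderArgs
                {
                    Claim = "...my_claim...",
                    Header = "...my_header...",
                },
            },
            ClientAlg = "HS384",
            ClientAuth = "none",
            ClientId = "...my_client_id...",
            // NOTE(review): a client JWK may carry private key material — confirm, and
            // if so read it with RequireSecret like the values below.
            ClientJwk = "...my_client_jwk...",
            ClientSecret = stackConfig.RequireSecret("clientSecret"),
            ConsumerBies = new[]
            {
                "custom_id",
            },
            ConsumerClaims = new[]
            {
                "...",
            },
            ConsumerGroupsClaims = new[]
            {
                "...",
            },
            ConsumerGroupsOptional = false,
            ConsumerOptional = false,
            CredentialClaims = new[]
            {
                "...",
            },
            Headers =
            {
                { "key", "value" },
            },
            HttpProxy = "...my_http_proxy...",
            // Proxy authorization values are credentials; keep them out of the program text.
            HttpProxyAuthorization = stackConfig.RequireSecret("httpProxyAuthorization"),
            HttpVersion = 9.95,
            HttpsProxy = "...my_https_proxy...",
            HttpsProxyAuthorization = stackConfig.RequireSecret("httpsProxyAuthorization"),
            // NOTE(review): the name marks this as a relaxation of audience checks;
            // leave it false unless the property reference says otherwise.
            InsecureRelaxedAudienceValidation = false,
            IntrospectionEndpoint = "...my_introspection_endpoint...",
            IntrospectionFormat = "base64",
            JwksCacheTtl = 3600,
            JwksEndpoint = "...my_jwks_endpoint...",
            JwtClaimsLeeway = 0,
            Keepalive = true,
            MaxRequestBodySize = 1048576,
            MetadataCacheTtl = 3600,
            MetadataDiscoveryEndpoint = "...my_metadata_discovery_endpoint...",
            MetadataDiscoveryRetry = 3,
            MetadataEndpoint = "...my_metadata_endpoint...",
            MtlsIntrospectionEndpoint = "...my_mtls_introspection_endpoint...",
            NoProxy = "...my_no_proxy...",
            PassthroughCredentials = false,
            Resource = "...my_resource...",
            ScopesSupporteds = new[]
            {
                "...",
            },
            // NOTE(review): presumably TLS certificate verification for the plugin's
            // outbound requests — keep it true; the constructor reference example on
            // this page shows false only as a type placeholder.
            SslVerify = true,
            Timeout = 10000,
            TlsClientAuthCert = "...my_tls_client_auth_cert...",
            // Private key for TLS client authentication: always a secret.
            TlsClientAuthKey = stackConfig.RequireSecret("tlsClientAuthKey"),
            TlsClientAuthSslVerify = true,
            TokenExchange = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs
            {
                Cache = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs
                {
                    Enabled = true,
                    Ttl = 3600,
                },
                ClientAuth = "client_secret_basic",
                ClientId = "...my_client_id...",
                ClientSecret = stackConfig.RequireSecret("tokenExchangeClientSecret"),
                Enabled = false,
                Request = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs
                {
                    // NOTE(review): a static actor token is a bearer credential — if it
                    // is ever set, source it from secret config as well.
                    ActorToken = "...my_actor_token...",
                    ActorTokenHeader = "...my_actor_token_header...",
                    ActorTokenSource = "none",
                    ActorTokenType = "urn:ietf:params:oauth:token-type:access_token",
                    Audiences = new[]
                    {
                        "...",
                    },
                    RequestedTokenType = "urn:ietf:params:oauth:token-type:access_token",
                    Resource = "...my_resource...",
                    Scopes = new[]
                    {
                        "...",
                    },
                    SubjectTokenType = "urn:ietf:params:oauth:token-type:access_token",
                },
                TokenEndpoint = "...my_token_endpoint...",
            },
            UpstreamHeaders = new[]
            {
                new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArgs
                {
                    Header = "...my_header...",
                    Paths = new[]
                    {
                        "...",
                    },
                },
            },
        },
        ControlPlaneId = "9524ec7d-36d9-465d-a8c5-83a3c9390458",
        CreatedAt = 6,
        Enabled = true,
        GatewayPluginAiMcpOauth2Id = "...my_id...",
        InstanceName = "...my_instance_name...",
        Ordering = new Konnect.Inputs.GatewayPluginAiMcpOauth2OrderingArgs
        {
            After = new Konnect.Inputs.GatewayPluginAiMcpOauth2OrderingAfterArgs
            {
                Accesses = new[]
                {
                    "...",
                },
            },
            Before = new Konnect.Inputs.GatewayPluginAiMcpOauth2OrderingBeforeArgs
            {
                Accesses = new[]
                {
                    "...",
                },
            },
        },
        Partials = new[]
        {
            new Konnect.Inputs.GatewayPluginAiMcpOauth2PartialArgs
            {
                Id = "...my_id...",
                Name = "...my_name...",
                Path = "...my_path...",
            },
        },
        Protocols = new[]
        {
            "grpc",
        },
        Route = new Konnect.Inputs.GatewayPluginAiMcpOauth2RouteArgs
        {
            Id = "...my_id...",
        },
        Service = new Konnect.Inputs.GatewayPluginAiMcpOauth2ServiceArgs
        {
            Id = "...my_id...",
        },
        Tags = new[]
        {
            "...",
        },
        UpdatedAt = 4,
    });
});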
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.konnect.GatewayPluginAiMcpOauth2;
import com.pulumi.konnect.GatewayPluginAiMcpOauth2Args;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2ConfigArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2OrderingArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2OrderingAfterArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2OrderingBeforeArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2PartialArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2RouteArgs;
import com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2ServiceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
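/**
 * Example Pulumi program that declares one GatewayPluginAiMcpOauth2 resource
 * with every input property populated.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the plugin resource.
     *
     * Secret-bearing inputs are read from encrypted stack configuration instead of
     * being written as string literals, so they never land in source control.
     * Provide each one with {@code pulumi config set --secret <key> <value>}
     * before deploying.
     *
     * @param ctx the Pulumi deployment context, also used to reach stack configuration
     */
    public static void stack(Context ctx) {
        final var stackConfig = ctx.config();

        var myGatewaypluginaimcpoauth2 = new GatewayPluginAiMcpOauth2("myGatewaypluginaimcpoauth2", GatewayPluginAiMcpOauth2Args.builder()
            .condition("...my_condition...")
            .config(GatewayPluginAiMcpOauth2ConfigArgs.builder()
                .args(Map.of("key", "value"))
                .authorizationServers("...")
                .cacheIntrospection(true)
                // This Args class is not among the file's imports, so it is referenced
                // by its fully-qualified name (presumably the same package as the
                // other input types) to keep the example compiling.
                .claimToHeaders(com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2ConfigClaimToHeaderArgs.builder()
                    .claim("...my_claim...")
                    .header("...my_header...")
                    .build())
                .clientAlg("HS384")
                .clientAuth("none")
                .clientId("...my_client_id...")
                // NOTE(review): a client JWK may carry private key material — confirm,
                // and if so read it with requireSecret like the values below.
                .clientJwk("...my_client_jwk...")
                .clientSecret(stackConfig.requireSecret("clientSecret"))
                .consumerBies("custom_id")
                .consumerClaims("...")
                .consumerGroupsClaims("...")
                .consumerGroupsOptional(false)
                .consumerOptional(false)
                .credentialClaims("...")
                .headers(Map.of("key", "value"))
                .httpProxy("...my_http_proxy...")
                // Proxy authorization values are credentials; keep them out of the program text.
                .httpProxyAuthorization(stackConfig.requireSecret("httpProxyAuthorization"))
                .httpVersion(9.95)
                .httpsProxy("...my_https_proxy...")
                .httpsProxyAuthorization(stackConfig.requireSecret("httpsProxyAuthorization"))
                // NOTE(review): the name marks this as a relaxation of audience checks;
                // leave it false unless the property reference says otherwise.
                .insecureRelaxedAudienceValidation(false)
                .introspectionEndpoint("...my_introspection_endpoint...")
                .introspectionFormat("base64")
                .jwksCacheTtl(3600.0)
                .jwksEndpoint("...my_jwks_endpoint...")
                .jwtClaimsLeeway(0.0)
                .keepalive(true)
                .maxRequestBodySize(1048576.0)
                .metadataCacheTtl(3600.0)
                .metadataDiscoveryEndpoint("...my_metadata_discovery_endpoint...")
                .metadataDiscoveryRetry(3.0)
                .metadataEndpoint("...my_metadata_endpoint...")
                .mtlsIntrospectionEndpoint("...my_mtls_introspection_endpoint...")
                .noProxy("...my_no_proxy...")
                .passthroughCredentials(false)
                .resource("...my_resource...")
                .scopesSupporteds("...")
                // NOTE(review): presumably TLS certificate verification for the plugin's
                // outbound requests — keep it true; the constructor reference example
                // on this page shows false only as a type placeholder.
                .sslVerify(true)
                .timeout(10000.0)
                .tlsClientAuthCert("...my_tls_client_auth_cert...")
                // Private key for TLS client authentication: always a secret.
                .tlsClientAuthKey(stackConfig.requireSecret("tlsClientAuthKey"))
                .tlsClientAuthSslVerify(true)
                .tokenExchange(GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs.builder()
                    .cache(GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs.builder()
                        .enabled(true)
                        .ttl(3600.0)
                        .build())
                    .clientAuth("client_secret_basic")
                    .clientId("...my_client_id...")
                    .clientSecret(stackConfig.requireSecret("tokenExchangeClientSecret"))
                    .enabled(false)
                    .request(GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs.builder()
                        // NOTE(review): a static actor token is a bearer credential — if
                        // it is ever set, source it from secret config as well.
                        .actorToken("...my_actor_token...")
                        .actorTokenHeader("...my_actor_token_header...")
                        .actorTokenSource("none")
                        .actorTokenType("urn:ietf:params:oauth:token-type:access_token")
                        .audiences("...")
                        .requestedTokenType("urn:ietf:params:oauth:token-type:access_token")
                        .resource("...my_resource...")
                        .scopes("...")
                        .subjectTokenType("urn:ietf:params:oauth:token-type:access_token")
                        .build())
                    .tokenEndpoint("...my_token_endpoint...")
                    .build())
                // Also missing from the imports; fully-qualified for the same reason.
                .upstreamHeaders(com.pulumi.konnect.inputs.GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArgs.builder()
                    .header("...my_header...")
                    .paths("...")
                    .build())
                .build())
            .controlPlaneId("9524ec7d-36d9-465d-a8c5-83a3c9390458")
            .createdAt(6.0)
            .enabled(true)
            .gatewayPluginAiMcpOauth2Id("...my_id...")
            .instanceName("...my_instance_name...")
            .ordering(GatewayPluginAiMcpOauth2OrderingArgs.builder()
                .after(GatewayPluginAiMcpOauth2OrderingAfterArgs.builder()
                    .accesses("...")
                    .build())
                .before(GatewayPluginAiMcpOauth2OrderingBeforeArgs.builder()
                    .accesses("...")
                    .build())
                .build())
            .partials(GatewayPluginAiMcpOauth2PartialArgs.builder()
                .id("...my_id...")
                .name("...my_name...")
                .path("...my_path...")
                .build())
            .protocols("grpc")
            .route(GatewayPluginAiMcpOauth2RouteArgs.builder()
                .id("...my_id...")
                .build())
            .service(GatewayPluginAiMcpOauth2ServiceArgs.builder()
                .id("...my_id...")
                .build())
            .tags("...")
            .updatedAt(4.0)
            .build());
    }
}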
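# Secret-bearing inputs are declared as secret stack configuration and
# interpolated below, so they never appear as literals in this file.
# Provide each one with `pulumi config set --secret <key> <value>`.
config:
  clientSecret:
    type: string
    secret: true
  httpProxyAuthorization:
    type: string
    secret: true
  httpsProxyAuthorization:
    type: string
    secret: true
  tlsClientAuthKey:
    type: string
    secret: true
  tokenExchangeClientSecret:
    type: string
    secret: true
resources:
  myGatewaypluginaimcpoauth2:
    type: konnect:GatewayPluginAiMcpOauth2
    name: my_gatewaypluginaimcpoauth2
    properties:
      condition: '...my_condition...'
      config:
        args:
          key: value
        authorizationServers:
          - '...'
        cacheIntrospection: true
        claimToHeaders:
          - claim: '...my_claim...'
            header: '...my_header...'
        clientAlg: HS384
        clientAuth: none
        clientId: '...my_client_id...'
        # NOTE(review): a client JWK may carry private key material - confirm, and
        # if so declare it as secret config like the values above.
        clientJwk: '...my_client_jwk...'
        clientSecret: ${clientSecret}
        consumerBies:
          - custom_id
        consumerClaims:
          - '...'
        consumerGroupsClaims:
          - '...'
        consumerGroupsOptional: false
        consumerOptional: false
        credentialClaims:
          - '...'
        headers:
          key: value
        httpProxy: '...my_http_proxy...'
        # Proxy authorization values are credentials; keep them out of the program text.
        httpProxyAuthorization: ${httpProxyAuthorization}
        httpVersion: 9.95
        httpsProxy: '...my_https_proxy...'
        httpsProxyAuthorization: ${httpsProxyAuthorization}
        # NOTE(review): the name marks this as a relaxation of audience checks;
        # leave it false unless the property reference says otherwise.
        insecureRelaxedAudienceValidation: false
        introspectionEndpoint: '...my_introspection_endpoint...'
        introspectionFormat: base64
        jwksCacheTtl: 3600
        jwksEndpoint: '...my_jwks_endpoint...'
        jwtClaimsLeeway: 0
        keepalive: true
        maxRequestBodySize: 1.048576e+06
        metadataCacheTtl: 3600
        metadataDiscoveryEndpoint: '...my_metadata_discovery_endpoint...'
        metadataDiscoveryRetry: 3
        metadataEndpoint: '...my_metadata_endpoint...'
        mtlsIntrospectionEndpoint: '...my_mtls_introspection_endpoint...'
        noProxy: '...my_no_proxy...'
        passthroughCredentials: false
        resource: '...my_resource...'
        scopesSupporteds:
          - '...'
        # NOTE(review): presumably TLS certificate verification for the plugin's
        # outbound requests - keep it true.
        sslVerify: true
        timeout: 10000
        tlsClientAuthCert: '...my_tls_client_auth_cert...'
        # Private key for TLS client authentication: always a secret.
        tlsClientAuthKey: ${tlsClientAuthKey}
        tlsClientAuthSslVerify: true
        tokenExchange:
          cache:
            enabled: true
            ttl: 3600
          clientAuth: client_secret_basic
          clientId: '...my_client_id...'
          clientSecret: ${tokenExchangeClientSecret}
          enabled: false
          request:
            # NOTE(review): a static actor token is a bearer credential - if it is
            # ever set, declare it as secret config as well.
            actorToken: '...my_actor_token...'
            actorTokenHeader: '...my_actor_token_header...'
            actorTokenSource: none
            actorTokenType: urn:ietf:params:oauth:token-type:access_token
            audiences:
              - '...'
            requestedTokenType: urn:ietf:params:oauth:token-type:access_token
            resource: '...my_resource...'
            scopes:
              - '...'
            subjectTokenType: urn:ietf:params:oauth:token-type:access_token
          tokenEndpoint: '...my_token_endpoint...'
        upstreamHeaders:
          - header: '...my_header...'
            paths:
              - '...'
      controlPlaneId: 9524ec7d-36d9-465d-a8c5-83a3c9390458
      createdAt: 6
      enabled: true
      gatewayPluginAiMcpOauth2Id: '...my_id...'
      instanceName: '...my_instance_name...'
      ordering:
        after:
          accesses:
            - '...'
        before:
          accesses:
            - '...'
      partials:
        - id: '...my_id...'
          name: '...my_name...'
          path: '...my_path...'
      protocols:
        - grpc
      route:
        id: '...my_id...'
      service:
        id: '...my_id...'
      tags:
        - '...'
      updatedAt: 4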
Create GatewayPluginAiMcpOauth2 Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new GatewayPluginAiMcpOauth2(name: string, args: GatewayPluginAiMcpOauth2Args, opts?: CustomResourceOptions);
@overload
def GatewayPluginAiMcpOauth2(resource_name: str,
args: GatewayPluginAiMcpOauth2Args,
opts: Optional[ResourceOptions] = None)
@overload
def GatewayPluginAiMcpOauth2(resource_name: str,
opts: Optional[ResourceOptions] = None,
control_plane_id: Optional[str] = None,
config: Optional[GatewayPluginAiMcpOauth2ConfigArgs] = None,
instance_name: Optional[str] = None,
created_at: Optional[float] = None,
enabled: Optional[bool] = None,
gateway_plugin_ai_mcp_oauth2_id: Optional[str] = None,
condition: Optional[str] = None,
ordering: Optional[GatewayPluginAiMcpOauth2OrderingArgs] = None,
partials: Optional[Sequence[GatewayPluginAiMcpOauth2PartialArgs]] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginAiMcpOauth2RouteArgs] = None,
service: Optional[GatewayPluginAiMcpOauth2ServiceArgs] = None,
tags: Optional[Sequence[str]] = None,
updated_at: Optional[float] = None)
func NewGatewayPluginAiMcpOauth2(ctx *Context, name string, args GatewayPluginAiMcpOauth2Args, opts ...ResourceOption) (*GatewayPluginAiMcpOauth2, error)
public GatewayPluginAiMcpOauth2(string name, GatewayPluginAiMcpOauth2Args args, CustomResourceOptions? opts = null)
public GatewayPluginAiMcpOauth2(String name, GatewayPluginAiMcpOauth2Args args)
public GatewayPluginAiMcpOauth2(String name, GatewayPluginAiMcpOauth2Args args, CustomResourceOptions options)
type: konnect:GatewayPluginAiMcpOauth2
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GatewayPluginAiMcpOauth2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GatewayPluginAiMcpOauth2Args
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GatewayPluginAiMcpOauth2Args
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GatewayPluginAiMcpOauth2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GatewayPluginAiMcpOauth2Args
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
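The following reference example uses placeholder values for all input properties. The placeholders ("string", 0, false) only indicate each property's type and are not recommended settings: for instance, the usage examples above set sslVerify and tlsClientAuthSslVerify to true, and secret inputs such as clientSecret and tlsClientAuthKey should come from encrypted stack configuration rather than literals.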
// Type skeleton for the constructor: every value below is a placeholder
// ("string", 0, false) that shows the property's type, not a recommended setting.
var gatewayPluginAiMcpOauth2Resource = new Konnect.GatewayPluginAiMcpOauth2("gatewayPluginAiMcpOauth2Resource", new()
{
ControlPlaneId = "string",
Config = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigArgs
{
Resource = "string",
AuthorizationServers = new[]
{
"string",
},
IntrospectionEndpoint = "string",
JwksCacheTtl = 0,
ClientAlg = "string",
ClientAuth = "string",
ClientId = "string",
ClientJwk = "string",
// Credential: supply it from encrypted stack configuration, not a literal.
ClientSecret = "string",
ConsumerBies = new[]
{
"string",
},
ConsumerClaims = new[]
{
"string",
},
ConsumerGroupsClaims = new[]
{
"string",
},
ConsumerGroupsOptional = false,
ConsumerOptional = false,
CredentialClaims = new[]
{
"string",
},
Headers =
{
{ "string", "string" },
},
HttpProxy = "string",
// Credential: same handling as ClientSecret.
HttpProxyAuthorization = "string",
HttpVersion = 0,
IntrospectionFormat = "string",
// Credential: same handling as ClientSecret.
HttpsProxyAuthorization = "string",
InsecureRelaxedAudienceValidation = false,
ClaimToHeaders = new[]
{
new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigClaimToHeaderArgs
{
Claim = "string",
Header = "string",
},
},
Args =
{
{ "string", "string" },
},
HttpsProxy = "string",
JwksEndpoint = "string",
JwtClaimsLeeway = 0,
Keepalive = false,
MaxRequestBodySize = 0,
MetadataCacheTtl = 0,
MetadataDiscoveryEndpoint = "string",
MetadataDiscoveryRetry = 0,
MetadataEndpoint = "string",
MtlsIntrospectionEndpoint = "string",
NoProxy = "string",
PassthroughCredentials = false,
CacheIntrospection = false,
ScopesSupporteds = new[]
{
"string",
},
// NOTE(review): false is only the bool placeholder; the usage example on this
// page sets SslVerify = true. Presumably this governs TLS certificate
// verification — confirm in the property reference before copying false.
SslVerify = false,
Timeout = 0,
TlsClientAuthCert = "string",
// Private key for TLS client authentication: treat as a secret.
TlsClientAuthKey = "string",
// NOTE(review): placeholder again; the usage example sets this to true.
TlsClientAuthSslVerify = false,
TokenExchange = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs
{
TokenEndpoint = "string",
Cache = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs
{
Enabled = false,
Ttl = 0,
},
ClientAuth = "string",
ClientId = "string",
// Credential: supply it from encrypted stack configuration, not a literal.
ClientSecret = "string",
Enabled = false,
Request = new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs
{
ActorToken = "string",
ActorTokenHeader = "string",
ActorTokenSource = "string",
ActorTokenType = "string",
Audiences = new[]
{
"string",
},
RequestedTokenType = "string",
Resource = "string",
Scopes = new[]
{
"string",
},
SubjectTokenType = "string",
},
},
UpstreamHeaders = new[]
{
new Konnect.Inputs.GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArgs
{
Header = "string",
Paths = new[]
{
"string",
},
},
},
},
InstanceName = "string",
CreatedAt = 0,
Enabled = false,
GatewayPluginAiMcpOauth2Id = "string",
Condition = "string",
Ordering = new Konnect.Inputs.GatewayPluginAiMcpOauth2OrderingArgs
{
After = new Konnect.Inputs.GatewayPluginAiMcpOauth2OrderingAfterArgs
{
Accesses = new[]
{
"string",
},
},
Before = new Konnect.Inputs.GatewayPluginAiMcpOauth2OrderingBeforeArgs
{
Accesses = new[]
{
"string",
},
},
},
Partials = new[]
{
new Konnect.Inputs.GatewayPluginAiMcpOauth2PartialArgs
{
Id = "string",
Name = "string",
Path = "string",
},
},
Protocols = new[]
{
"string",
},
Route = new Konnect.Inputs.GatewayPluginAiMcpOauth2RouteArgs
{
Id = "string",
},
Service = new Konnect.Inputs.GatewayPluginAiMcpOauth2ServiceArgs
{
Id = "string",
},
Tags = new[]
{
"string",
},
UpdatedAt = 0,
});
// Type skeleton for the constructor: every value below is a placeholder
// ("string", 0, false) that shows the property's type, not a recommended setting.
example, err := konnect.NewGatewayPluginAiMcpOauth2(ctx, "gatewayPluginAiMcpOauth2Resource", &konnect.GatewayPluginAiMcpOauth2Args{
ControlPlaneId: pulumi.String("string"),
Config: &konnect.GatewayPluginAiMcpOauth2ConfigArgs{
Resource: pulumi.String("string"),
AuthorizationServers: pulumi.StringArray{
pulumi.String("string"),
},
IntrospectionEndpoint: pulumi.String("string"),
JwksCacheTtl: pulumi.Float64(0),
ClientAlg: pulumi.String("string"),
ClientAuth: pulumi.String("string"),
ClientId: pulumi.String("string"),
ClientJwk: pulumi.String("string"),
// Credential: supply it from encrypted stack configuration, not a literal.
ClientSecret: pulumi.String("string"),
ConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
ConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
ConsumerGroupsClaims: pulumi.StringArray{
pulumi.String("string"),
},
ConsumerGroupsOptional: pulumi.Bool(false),
ConsumerOptional: pulumi.Bool(false),
CredentialClaims: pulumi.StringArray{
pulumi.String("string"),
},
Headers: pulumi.StringMap{
"string": pulumi.String("string"),
},
HttpProxy: pulumi.String("string"),
// Credential: same handling as ClientSecret.
HttpProxyAuthorization: pulumi.String("string"),
HttpVersion: pulumi.Float64(0),
IntrospectionFormat: pulumi.String("string"),
// Credential: same handling as ClientSecret.
HttpsProxyAuthorization: pulumi.String("string"),
InsecureRelaxedAudienceValidation: pulumi.Bool(false),
ClaimToHeaders: konnect.GatewayPluginAiMcpOauth2ConfigClaimToHeaderArray{
&konnect.GatewayPluginAiMcpOauth2ConfigClaimToHeaderArgs{
Claim: pulumi.String("string"),
Header: pulumi.String("string"),
},
},
Args: pulumi.StringMap{
"string": pulumi.String("string"),
},
HttpsProxy: pulumi.String("string"),
JwksEndpoint: pulumi.String("string"),
JwtClaimsLeeway: pulumi.Float64(0),
Keepalive: pulumi.Bool(false),
MaxRequestBodySize: pulumi.Float64(0),
MetadataCacheTtl: pulumi.Float64(0),
MetadataDiscoveryEndpoint: pulumi.String("string"),
MetadataDiscoveryRetry: pulumi.Float64(0),
MetadataEndpoint: pulumi.String("string"),
MtlsIntrospectionEndpoint: pulumi.String("string"),
NoProxy: pulumi.String("string"),
PassthroughCredentials: pulumi.Bool(false),
CacheIntrospection: pulumi.Bool(false),
ScopesSupporteds: pulumi.StringArray{
pulumi.String("string"),
},
// NOTE(review): false is only the bool placeholder; the usage example on this
// page sets SslVerify to true. Presumably this governs TLS certificate
// verification — confirm in the property reference before copying false.
SslVerify: pulumi.Bool(false),
Timeout: pulumi.Float64(0),
TlsClientAuthCert: pulumi.String("string"),
// Private key for TLS client authentication: treat as a secret.
TlsClientAuthKey: pulumi.String("string"),
// NOTE(review): placeholder again; the usage example sets this to true.
TlsClientAuthSslVerify: pulumi.Bool(false),
TokenExchange: &konnect.GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs{
TokenEndpoint: pulumi.String("string"),
Cache: &konnect.GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs{
Enabled: pulumi.Bool(false),
Ttl: pulumi.Float64(0),
},
ClientAuth: pulumi.String("string"),
ClientId: pulumi.String("string"),
// Credential: supply it from encrypted stack configuration, not a literal.
ClientSecret: pulumi.String("string"),
Enabled: pulumi.Bool(false),
Request: &konnect.GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs{
ActorToken: pulumi.String("string"),
ActorTokenHeader: pulumi.String("string"),
ActorTokenSource: pulumi.String("string"),
ActorTokenType: pulumi.String("string"),
Audiences: pulumi.StringArray{
pulumi.String("string"),
},
RequestedTokenType: pulumi.String("string"),
Resource: pulumi.String("string"),
Scopes: pulumi.StringArray{
pulumi.String("string"),
},
SubjectTokenType: pulumi.String("string"),
},
},
UpstreamHeaders: konnect.GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArray{
&konnect.GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArgs{
Header: pulumi.String("string"),
Paths: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
InstanceName: pulumi.String("string"),
CreatedAt: pulumi.Float64(0),
Enabled: pulumi.Bool(false),
GatewayPluginAiMcpOauth2Id: pulumi.String("string"),
Condition: pulumi.String("string"),
Ordering: &konnect.GatewayPluginAiMcpOauth2OrderingArgs{
After: &konnect.GatewayPluginAiMcpOauth2OrderingAfterArgs{
Accesses: pulumi.StringArray{
pulumi.String("string"),
},
},
Before: &konnect.GatewayPluginAiMcpOauth2OrderingBeforeArgs{
Accesses: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Partials: konnect.GatewayPluginAiMcpOauth2PartialArray{
&konnect.GatewayPluginAiMcpOauth2PartialArgs{
Id: pulumi.String("string"),
Name: pulumi.String("string"),
Path: pulumi.String("string"),
},
},
Protocols: pulumi.StringArray{
pulumi.String("string"),
},
Route: &konnect.GatewayPluginAiMcpOauth2RouteArgs{
Id: pulumi.String("string"),
},
Service: &konnect.GatewayPluginAiMcpOauth2ServiceArgs{
Id: pulumi.String("string"),
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
UpdatedAt: pulumi.Float64(0),
})
// Reference template: every argument is a type placeholder ("string", 0.0, false),
// not a recommended value.

// Parameters of the token-exchange request.
// NOTE(review): actorToken looks like token material; if so, pass it as a Pulumi
// secret rather than a literal. Confirm against the property description.
var tokenExchangeRequest = GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs.builder()
    .actorToken("string")
    .actorTokenHeader("string")
    .actorTokenSource("string")
    .actorTokenType("string")
    .audiences("string")
    .requestedTokenType("string")
    .resource("string")
    .scopes("string")
    .subjectTokenType("string")
    .build();

// Token-exchange settings; clientSecret here is a credential (see the note on pluginConfig).
var tokenExchange = GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs.builder()
    .tokenEndpoint("string")
    .cache(GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs.builder()
        .enabled(false)
        .ttl(0.0)
        .build())
    .clientAuth("string")
    .clientId("string")
    .clientSecret("string")
    .enabled(false)
    .request(tokenExchangeRequest)
    .build();

// Plugin configuration.
// NOTE(review): clientSecret, clientJwk, tlsClientAuthKey and the two
// *ProxyAuthorization values are credential material; supply them from Pulumi
// secret configuration instead of string literals so they are not stored in
// plain text in source or state. Confirm whether the provider already marks
// them as secret.
// NOTE(review): sslVerify(false) and tlsClientAuthSslVerify(false) are only the
// boolean placeholders; the usage example at the top of this page sets both to
// true. They presumably control TLS certificate verification, so check the
// property descriptions before turning either off.
// NOTE(review): insecureRelaxedAudienceValidation and passthroughCredentials are
// both false in the usage example as well; by their names they loosen audience
// checking and forward caller credentials, so enable them only deliberately.
var pluginConfig = GatewayPluginAiMcpOauth2ConfigArgs.builder()
    .resource("string")
    .authorizationServers("string")
    .introspectionEndpoint("string")
    .jwksCacheTtl(0.0)
    .clientAlg("string")
    .clientAuth("string")
    .clientId("string")
    .clientJwk("string")
    .clientSecret("string")
    .consumerBies("string")
    .consumerClaims("string")
    .consumerGroupsClaims("string")
    .consumerGroupsOptional(false)
    .consumerOptional(false)
    .credentialClaims("string")
    .headers(Map.of("string", "string"))
    .httpProxy("string")
    .httpProxyAuthorization("string")
    .httpVersion(0.0)
    .introspectionFormat("string")
    .httpsProxyAuthorization("string")
    .insecureRelaxedAudienceValidation(false)
    .claimToHeaders(GatewayPluginAiMcpOauth2ConfigClaimToHeaderArgs.builder()
        .claim("string")
        .header("string")
        .build())
    .args(Map.of("string", "string"))
    .httpsProxy("string")
    .jwksEndpoint("string")
    .jwtClaimsLeeway(0.0)
    .keepalive(false)
    .maxRequestBodySize(0.0)
    .metadataCacheTtl(0.0)
    .metadataDiscoveryEndpoint("string")
    .metadataDiscoveryRetry(0.0)
    .metadataEndpoint("string")
    .mtlsIntrospectionEndpoint("string")
    .noProxy("string")
    .passthroughCredentials(false)
    .cacheIntrospection(false)
    .scopesSupporteds("string")
    .sslVerify(false)
    .timeout(0.0)
    .tlsClientAuthCert("string")
    .tlsClientAuthKey("string")
    .tlsClientAuthSslVerify(false)
    .tokenExchange(tokenExchange)
    .upstreamHeaders(GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArgs.builder()
        .header("string")
        .paths("string")
        .build())
    .build();

// Ordering of this plugin relative to others, in the access phase.
var pluginOrdering = GatewayPluginAiMcpOauth2OrderingArgs.builder()
    .after(GatewayPluginAiMcpOauth2OrderingAfterArgs.builder()
        .accesses("string")
        .build())
    .before(GatewayPluginAiMcpOauth2OrderingBeforeArgs.builder()
        .accesses("string")
        .build())
    .build();

// The resource itself. Leaving route and service unset applies the plugin
// regardless of the route or Service matched (see the input property list).
var gatewayPluginAiMcpOauth2Resource = new GatewayPluginAiMcpOauth2("gatewayPluginAiMcpOauth2Resource", GatewayPluginAiMcpOauth2Args.builder()
    .controlPlaneId("string")
    .config(pluginConfig)
    .instanceName("string")
    .createdAt(0.0)
    .enabled(false)
    .gatewayPluginAiMcpOauth2Id("string")
    .condition("string")
    .ordering(pluginOrdering)
    .partials(GatewayPluginAiMcpOauth2PartialArgs.builder()
        .id("string")
        .name("string")
        .path("string")
        .build())
    .protocols("string")
    .route(GatewayPluginAiMcpOauth2RouteArgs.builder()
        .id("string")
        .build())
    .service(GatewayPluginAiMcpOauth2ServiceArgs.builder()
        .id("string")
        .build())
    .tags("string")
    .updatedAt(0.0)
    .build());
# Reference template: every value is a type placeholder ("string", 0.0, False),
# not a recommended setting.

# Token-exchange settings.
# NOTE(review): client_secret and (by its name) actor_token are credential
# material; pass them as Pulumi secrets, e.g. from
# pulumi.Config().require_secret("<config-key>"), rather than as literals.
token_exchange_settings = {
    "token_endpoint": "string",
    "cache": {
        "enabled": False,
        "ttl": 0.0,
    },
    "client_auth": "string",
    "client_id": "string",
    "client_secret": "string",
    "enabled": False,
    "request": {
        "actor_token": "string",
        "actor_token_header": "string",
        "actor_token_source": "string",
        "actor_token_type": "string",
        "audiences": ["string"],
        "requested_token_type": "string",
        "resource": "string",
        "scopes": ["string"],
        "subject_token_type": "string",
    },
}

# Plugin configuration.
# NOTE(review): client_secret, client_jwk, tls_client_auth_key and the two
# *_proxy_authorization values are credential material; keep them out of source
# and plain-text state by supplying Pulumi secrets. Confirm whether the provider
# already marks them as secret.
# NOTE(review): ssl_verify=False and tls_client_auth_ssl_verify=False are only
# the boolean placeholders; the usage example at the top of this page sets both
# to true. They presumably control TLS certificate verification, so check the
# property descriptions before turning either off.
# NOTE(review): insecure_relaxed_audience_validation and passthrough_credentials
# are false in the usage example as well; by their names they loosen audience
# checking and forward caller credentials, so enable them only deliberately.
plugin_config = {
    "resource": "string",
    "authorization_servers": ["string"],
    "introspection_endpoint": "string",
    "jwks_cache_ttl": 0.0,
    "client_alg": "string",
    "client_auth": "string",
    "client_id": "string",
    "client_jwk": "string",
    "client_secret": "string",
    "consumer_bies": ["string"],
    "consumer_claims": ["string"],
    "consumer_groups_claims": ["string"],
    "consumer_groups_optional": False,
    "consumer_optional": False,
    "credential_claims": ["string"],
    "headers": {"string": "string"},
    "http_proxy": "string",
    "http_proxy_authorization": "string",
    "http_version": 0.0,
    "introspection_format": "string",
    "https_proxy_authorization": "string",
    "insecure_relaxed_audience_validation": False,
    "claim_to_headers": [
        {
            "claim": "string",
            "header": "string",
        },
    ],
    "args": {"string": "string"},
    "https_proxy": "string",
    "jwks_endpoint": "string",
    "jwt_claims_leeway": 0.0,
    "keepalive": False,
    "max_request_body_size": 0.0,
    "metadata_cache_ttl": 0.0,
    "metadata_discovery_endpoint": "string",
    "metadata_discovery_retry": 0.0,
    "metadata_endpoint": "string",
    "mtls_introspection_endpoint": "string",
    "no_proxy": "string",
    "passthrough_credentials": False,
    "cache_introspection": False,
    "scopes_supporteds": ["string"],
    "ssl_verify": False,
    "timeout": 0.0,
    "tls_client_auth_cert": "string",
    "tls_client_auth_key": "string",
    "tls_client_auth_ssl_verify": False,
    "token_exchange": token_exchange_settings,
    "upstream_headers": [
        {
            "header": "string",
            "paths": ["string"],
        },
    ],
}

# The resource itself. Leaving route and service unset applies the plugin
# regardless of the route or Service matched (see the input property list).
gateway_plugin_ai_mcp_oauth2_resource = konnect.GatewayPluginAiMcpOauth2(
    "gatewayPluginAiMcpOauth2Resource",
    control_plane_id="string",
    config=plugin_config,
    instance_name="string",
    created_at=0.0,
    enabled=False,
    gateway_plugin_ai_mcp_oauth2_id="string",
    condition="string",
    ordering={
        "after": {"accesses": ["string"]},
        "before": {"accesses": ["string"]},
    },
    partials=[
        {
            "id": "string",
            "name": "string",
            "path": "string",
        },
    ],
    protocols=["string"],
    route={"id": "string"},
    service={"id": "string"},
    tags=["string"],
    updated_at=0.0,
)
// Reference template: every value is a type placeholder ("string", 0, false),
// not a recommended setting.

// Token-exchange settings.
// NOTE(review): clientSecret and (by its name) actorToken are credential
// material; pass them as Pulumi secrets, e.g. from
// new pulumi.Config().requireSecret("<config-key>"), rather than as literals.
const tokenExchangeSettings = {
  tokenEndpoint: "string",
  cache: {
    enabled: false,
    ttl: 0,
  },
  clientAuth: "string",
  clientId: "string",
  clientSecret: "string",
  enabled: false,
  request: {
    actorToken: "string",
    actorTokenHeader: "string",
    actorTokenSource: "string",
    actorTokenType: "string",
    audiences: ["string"],
    requestedTokenType: "string",
    resource: "string",
    scopes: ["string"],
    subjectTokenType: "string",
  },
};

// Plugin configuration.
// NOTE(review): clientSecret, clientJwk, tlsClientAuthKey and the two
// *ProxyAuthorization values are credential material; keep them out of source
// and plain-text state by supplying Pulumi secrets. Confirm whether the
// provider already marks them as secret.
// NOTE(review): sslVerify: false and tlsClientAuthSslVerify: false are only the
// boolean placeholders; the usage example at the top of this page sets both to
// true. They presumably control TLS certificate verification, so check the
// property descriptions before turning either off.
// NOTE(review): insecureRelaxedAudienceValidation and passthroughCredentials are
// false in the usage example as well; by their names they loosen audience
// checking and forward caller credentials, so enable them only deliberately.
const pluginConfig = {
  resource: "string",
  authorizationServers: ["string"],
  introspectionEndpoint: "string",
  jwksCacheTtl: 0,
  clientAlg: "string",
  clientAuth: "string",
  clientId: "string",
  clientJwk: "string",
  clientSecret: "string",
  consumerBies: ["string"],
  consumerClaims: ["string"],
  consumerGroupsClaims: ["string"],
  consumerGroupsOptional: false,
  consumerOptional: false,
  credentialClaims: ["string"],
  headers: { "string": "string" },
  httpProxy: "string",
  httpProxyAuthorization: "string",
  httpVersion: 0,
  introspectionFormat: "string",
  httpsProxyAuthorization: "string",
  insecureRelaxedAudienceValidation: false,
  claimToHeaders: [
    {
      claim: "string",
      header: "string",
    },
  ],
  args: { "string": "string" },
  httpsProxy: "string",
  jwksEndpoint: "string",
  jwtClaimsLeeway: 0,
  keepalive: false,
  maxRequestBodySize: 0,
  metadataCacheTtl: 0,
  metadataDiscoveryEndpoint: "string",
  metadataDiscoveryRetry: 0,
  metadataEndpoint: "string",
  mtlsIntrospectionEndpoint: "string",
  noProxy: "string",
  passthroughCredentials: false,
  cacheIntrospection: false,
  scopesSupporteds: ["string"],
  sslVerify: false,
  timeout: 0,
  tlsClientAuthCert: "string",
  tlsClientAuthKey: "string",
  tlsClientAuthSslVerify: false,
  tokenExchange: tokenExchangeSettings,
  upstreamHeaders: [
    {
      header: "string",
      paths: ["string"],
    },
  ],
};

// The resource itself. Leaving route and service unset applies the plugin
// regardless of the route or Service matched (see the input property list).
const gatewayPluginAiMcpOauth2Resource = new konnect.GatewayPluginAiMcpOauth2(
  "gatewayPluginAiMcpOauth2Resource",
  {
    controlPlaneId: "string",
    config: pluginConfig,
    instanceName: "string",
    createdAt: 0,
    enabled: false,
    gatewayPluginAiMcpOauth2Id: "string",
    condition: "string",
    ordering: {
      after: { accesses: ["string"] },
      before: { accesses: ["string"] },
    },
    partials: [
      {
        id: "string",
        name: "string",
        path: "string",
      },
    ],
    protocols: ["string"],
    route: { id: "string" },
    service: { id: "string" },
    tags: ["string"],
    updatedAt: 0,
  },
);
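type: konnect:GatewayPluginAiMcpOauth2
# Reference template: every value is a type placeholder (string, 0, false),
# not a recommended setting.
properties:
  condition: string
  config:
    args:
      string: string
    authorizationServers:
      - string
    cacheIntrospection: false
    claimToHeaders:
      - claim: string
        header: string
    clientAlg: string
    clientAuth: string
    clientId: string
    # NOTE(review): clientJwk, clientSecret, tlsClientAuthKey and the two
    # *ProxyAuthorization values are credential material; reference secret
    # config values instead of writing them inline. Confirm whether the
    # provider already marks them as secret.
    clientJwk: string
    clientSecret: string
    consumerBies:
      - string
    consumerClaims:
      - string
    consumerGroupsClaims:
      - string
    consumerGroupsOptional: false
    consumerOptional: false
    credentialClaims:
      - string
    headers:
      string: string
    httpProxy: string
    httpProxyAuthorization: string
    httpVersion: 0
    httpsProxy: string
    httpsProxyAuthorization: string
    # NOTE(review): named insecure by the provider; the usage example at the
    # top of this page keeps it false.
    insecureRelaxedAudienceValidation: false
    introspectionEndpoint: string
    introspectionFormat: string
    jwksCacheTtl: 0
    jwksEndpoint: string
    jwtClaimsLeeway: 0
    keepalive: false
    maxRequestBodySize: 0
    metadataCacheTtl: 0
    metadataDiscoveryEndpoint: string
    metadataDiscoveryRetry: 0
    metadataEndpoint: string
    mtlsIntrospectionEndpoint: string
    noProxy: string
    # NOTE(review): by its name this forwards the caller's credentials; the
    # usage example keeps it false. Confirm before enabling.
    passthroughCredentials: false
    resource: string
    scopesSupporteds:
      - string
    # NOTE(review): false is only the boolean placeholder; the usage example
    # sets sslVerify and tlsClientAuthSslVerify to true. They presumably
    # control TLS certificate verification, so check the property
    # descriptions before turning either off.
    sslVerify: false
    timeout: 0
    tlsClientAuthCert: string
    tlsClientAuthKey: string
    tlsClientAuthSslVerify: false
    tokenExchange:
      cache:
        enabled: false
        ttl: 0
      clientAuth: string
      clientId: string
      # Credential: same handling as config.clientSecret above.
      clientSecret: string
      enabled: false
      request:
        # NOTE(review): looks like token material; if so, treat as a secret.
        actorToken: string
        actorTokenHeader: string
        actorTokenSource: string
        actorTokenType: string
        audiences:
          - string
        requestedTokenType: string
        resource: string
        scopes:
          - string
        subjectTokenType: string
      tokenEndpoint: string
    upstreamHeaders:
      - header: string
        paths:
          - string
  controlPlaneId: string
  createdAt: 0
  enabled: false
  gatewayPluginAiMcpOauth2Id: string
  instanceName: string
  ordering:
    after:
      accesses:
        - string
    before:
      accesses:
        - string
  partials:
    - id: string
      name: string
      path: string
  protocols:
    - string
  # Leaving route and service unset applies the plugin regardless of the
  # route or Service matched (see the input property list).
  route:
    id: string
  service:
    id: string
  tags:
    - string
  updatedAt: 0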
GatewayPluginAiMcpOauth2 Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The GatewayPluginAiMcpOauth2 resource accepts the following input properties:
- Config GatewayPluginAiMcpOauth2Config
- The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- ControlPlaneId string
- The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Condition string
- An expression used for conditional control over plugin execution. If the expression evaluates to true during the request flow, the plugin is executed; otherwise, it is skipped.
- CreatedAt double
- Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- GatewayPluginAiMcpOauth2Id string
- A string representing a UUID (universally unique identifier).
- InstanceName string
- A unique string representing a UTF-8 encoded name.
- Ordering GatewayPluginAiMcpOauth2Ordering
- Partials List<GatewayPluginAiMcpOauth2Partial>
- A list of partials to be used by the plugin.
- Protocols List<string>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route GatewayPluginAiMcpOauth2Route
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service GatewayPluginAiMcpOauth2Service
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- UpdatedAt double
- Unix epoch when the resource was last updated.
- Config
Gateway
Plugin Ai Mcp Oauth2Config Args - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Condition string
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - Created
At float64 - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- Gateway
Plugin stringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- Instance
Name string - A unique string representing a UTF-8 encoded name.
- Ordering
Gateway
Plugin Ai Mcp Oauth2Ordering Args - Partials
[]Gateway
Plugin Ai Mcp Oauth2Partial Args - A list of partials to be used by the plugin.
- Protocols []string
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route
Gateway
Plugin Ai Mcp Oauth2Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Ai Mcp Oauth2Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At float64 - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Ai Mcp Oauth2Config - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- condition String
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - created
At Double - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Ai Mcp Oauth2Ordering - partials
List<Gateway
Plugin Ai Mcp Oauth2Partial> - A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Ai Mcp Oauth2Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Ai Mcp Oauth2Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Double - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Ai Mcp Oauth2Config - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- condition string
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - created
At number - Unix epoch when the resource was created.
- enabled boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin stringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- instance
Name string - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Ai Mcp Oauth2Ordering - partials
Gateway
Plugin Ai Mcp Oauth2Partial[] - A list of partials to be used by the plugin.
- protocols string[]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Ai Mcp Oauth2Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Ai Mcp Oauth2Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At number - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Ai Mcp Oauth2Config Args - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control_
plane_ strid - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- condition str
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - created_
at float - Unix epoch when the resource was created.
- enabled bool
- Whether the plugin is applied. Default: true
- gateway_
plugin_ strai_ mcp_ oauth2_ id - A string representing a UUID (universally unique identifier).
- instance_
name str - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Ai Mcp Oauth2Ordering Args - partials
Sequence[Gateway
Plugin Ai Mcp Oauth2Partial Args] - A list of partials to be used by the plugin.
- protocols Sequence[str]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Ai Mcp Oauth2Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Ai Mcp Oauth2Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated_
at float - Unix epoch when the resource was last updated.
- config Property Map
- The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- condition String
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - created
At Number - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering Property Map
- partials List<Property Map>
- A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Number - Unix epoch when the resource was last updated.
Outputs
All input properties are implicitly available as output properties. Additionally, the GatewayPluginAiMcpOauth2 resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing GatewayPluginAiMcpOauth2 Resource
Get an existing GatewayPluginAiMcpOauth2 resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GatewayPluginAiMcpOauth2State, opts?: CustomResourceOptions): GatewayPluginAiMcpOauth2
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        condition: Optional[str] = None,
        config: Optional[GatewayPluginAiMcpOauth2ConfigArgs] = None,
        control_plane_id: Optional[str] = None,
        created_at: Optional[float] = None,
        enabled: Optional[bool] = None,
        gateway_plugin_ai_mcp_oauth2_id: Optional[str] = None,
        instance_name: Optional[str] = None,
        ordering: Optional[GatewayPluginAiMcpOauth2OrderingArgs] = None,
        partials: Optional[Sequence[GatewayPluginAiMcpOauth2PartialArgs]] = None,
        protocols: Optional[Sequence[str]] = None,
        route: Optional[GatewayPluginAiMcpOauth2RouteArgs] = None,
        service: Optional[GatewayPluginAiMcpOauth2ServiceArgs] = None,
        tags: Optional[Sequence[str]] = None,
        updated_at: Optional[float] = None) -> GatewayPluginAiMcpOauth2
func GetGatewayPluginAiMcpOauth2(ctx *Context, name string, id IDInput, state *GatewayPluginAiMcpOauth2State, opts ...ResourceOption) (*GatewayPluginAiMcpOauth2, error)
public static GatewayPluginAiMcpOauth2 Get(string name, Input<string> id, GatewayPluginAiMcpOauth2State? state, CustomResourceOptions? opts = null)
public static GatewayPluginAiMcpOauth2 get(String name, Output<String> id, GatewayPluginAiMcpOauth2State state, CustomResourceOptions options)
resources:
  _:
    type: konnect:GatewayPluginAiMcpOauth2
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Condition string
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - Config
Gateway
Plugin Ai Mcp Oauth2Config - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At double - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- Gateway
Plugin stringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- Instance
Name string - A unique string representing a UTF-8 encoded name.
- Ordering
Gateway
Plugin Ai Mcp Oauth2Ordering - Partials
List<Gateway
Plugin Ai Mcp Oauth2Partial> - A list of partials to be used by the plugin.
- Protocols List<string>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route
Gateway
Plugin Ai Mcp Oauth2Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Ai Mcp Oauth2Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At double - Unix epoch when the resource was last updated.
- Condition string
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - Config
Gateway
Plugin Ai Mcp Oauth2Config Args - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At float64 - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- Gateway
Plugin stringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- Instance
Name string - A unique string representing a UTF-8 encoded name.
- Ordering
Gateway
Plugin Ai Mcp Oauth2Ordering Args - Partials
[]Gateway
Plugin Ai Mcp Oauth2Partial Args - A list of partials to be used by the plugin.
- Protocols []string
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route
Gateway
Plugin Ai Mcp Oauth2Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Ai Mcp Oauth2Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At float64 - Unix epoch when the resource was last updated.
- condition String
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - config
Gateway
Plugin Ai Mcp Oauth2Config - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Double - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Ai Mcp Oauth2Ordering - partials
List<Gateway
Plugin Ai Mcp Oauth2Partial> - A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Ai Mcp Oauth2Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Ai Mcp Oauth2Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Double - Unix epoch when the resource was last updated.
- condition string
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - config
Gateway
Plugin Ai Mcp Oauth2Config - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At number - Unix epoch when the resource was created.
- enabled boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin stringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- instance
Name string - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Ai Mcp Oauth2Ordering - partials
Gateway
Plugin Ai Mcp Oauth2Partial[] - A list of partials to be used by the plugin.
- protocols string[]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Ai Mcp Oauth2Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Ai Mcp Oauth2Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At number - Unix epoch when the resource was last updated.
- condition str
- An expression used for conditional control over plugin execution. If the expression evaluates to
true during the request flow, the plugin is executed; otherwise, it is skipped. - config
Gateway
Plugin Ai Mcp Oauth2Config Args - The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control_
plane_ strid - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created_
at float - Unix epoch when the resource was created.
- enabled bool
- Whether the plugin is applied. Default: true
- gateway_
plugin_ strai_ mcp_ oauth2_ id - A string representing a UUID (universally unique identifier).
- instance_
name str - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Ai Mcp Oauth2Ordering Args - partials
Sequence[Gateway
Plugin Ai Mcp Oauth2Partial Args] - A list of partials to be used by the plugin.
- protocols Sequence[str]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Ai Mcp Oauth2Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Ai Mcp Oauth2Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated_
at float - Unix epoch when the resource was last updated.
- condition String
- An expression used for conditional control over plugin execution. If the expression evaluates to true during the request flow, the plugin is executed; otherwise, it is skipped.
- config Property Map
- The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Number - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringAi Mcp Oauth2Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering Property Map
- partials List<Property Map>
- A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Number - Unix epoch when the resource was last updated.
Supporting Types
GatewayPluginAiMcpOauth2Config, GatewayPluginAiMcpOauth2ConfigArgs
- List<string>
- Resource string
- The resource identifier.
- Args Dictionary<string, string>
- Additional arguments to send in the POST body.
- Cache
Introspection bool - If enabled, the plugin will cache the introspection response for the access token. This can improve performance by reducing the number of introspection requests to the authorization server. Default: true
- ClaimToHeaders List<GatewayPluginAiMcpOauth2ConfigClaimToHeader> - Map top-level token claims to upstream headers. Mutually exclusive with upstream_headers.
- Client
Alg string - The client JWT signing algorithm. possible known values include one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"]
- ClientAuth string - The client authentication method. Possible known values include one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]
- ClientId string - The client ID for authentication.
- ClientJwk string - The client JWK for private_key_jwt authentication.
- Client
Secret string - The client secret for authentication.
- ConsumerBies List<string> - Consumer fields used for mapping: id: try to find the matching Consumer by id; username: try to find the matching Consumer by username; custom_id: try to find the matching Consumer by custom_id. Default: ["custom_id","username"]
- ConsumerClaims List<string> - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Consumer
Groups List<string>Claims - The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Consumer
Groups boolOptional - Do not terminate the request if consumer groups mapping fails. Default: false
- Consumer
Optional bool - Do not terminate the request if consumer mapping fails. Default: false
- Credential
Claims List<string> - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload. Default: ["sub"]
- Headers Dictionary<string, string>
- Additional headers for the introspection request.
- Http
Proxy string - HTTP proxy to use.
- string
- HTTP proxy authorization header.
- Http
Version double - The HTTP version used for requests.
- Https
Proxy string - HTTPS proxy to use.
- string
- HTTPS proxy authorization header.
- InsecureRelaxedAudienceValidation bool - If enabled, the plugin will not validate the audience of the access token. Enable it only if the authorization server does not correctly set the audience claim according to RFC 8707 and the MCP specification; while it is enabled, a token issued for a different resource is not rejected for its audience. Default: false
- Introspection
Endpoint string - The Token Introspection Endpoint. If not provided, the plugin will attempt to use JWKS to verify the token. If the token is opaque, this field must be provided.
- Introspection
Format string - Controls introspection response format. possible known values include one of ["base64", "base64url", "string"]
- Jwks
Cache doubleTtl - The cache TTL in seconds for JWKS. Default: 3600
- Jwks
Endpoint string - The JWKS endpoint URL for fetching the authorization server's public keys. If not provided, the plugin will attempt to discover it from the authorization server metadata.
- Jwt
Claims doubleLeeway - The leeway in seconds for JWT claims validation (exp, nbf). This allows tokens that are slightly expired or not yet valid due to clock skew. Default: 0
- Keepalive bool
- Enable HTTP keepalive for requests. Default: true
- MaxRequestBodySize double - Maximum body size allowed to be handled as an MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size. Default: 1048576
- Metadata
Cache doubleTtl - The cache TTL in seconds for discovered authorization server metadata. Default: 3600
- Metadata
Discovery stringEndpoint - Custom OAuth 2.0 authorization server metadata discovery URL. If provided, the plugin will use this URL directly instead of trying standard well-known discovery paths. The custom endpoint URL should end with either '/.well-known/openid-configuration' or '/.well-known/oauth-authorization-server'.
- Metadata
Discovery doubleRetry - The number of retry attempts for metadata discovery requests per URL. Default: 3
- Metadata
Endpoint string - The path for OAuth 2.0 Protected Resource Metadata. Default to $resource/.well-known/oauth-protected-resource. For example, if the configured resource is https://api.example.com/mcp, the metadata endpoint is /mcp/.well-known/oauth-protected-resource.
- Mtls
Introspection stringEndpoint - The mTLS alias for the introspection endpoint.
- No
Proxy string - Comma-separated list of hosts to exclude from proxy.
- Passthrough
Credentials bool - Keep the credentials used for authentication in the request. If multiple credentials are sent with the same request, the plugin will keep those that were used for successful authentication. Default: false
- Scopes
Supporteds List<string> - Ssl
Verify bool - Verify the SSL certificate. Default: true
- Timeout double
- Network I/O timeout in milliseconds. Default: 10000
- Tls
Client stringAuth Cert - PEM-encoded client certificate for mTLS.
- Tls
Client stringAuth Key - PEM-encoded private key for mTLS.
- Tls
Client boolAuth Ssl Verify - Verify server certificate in mTLS. Default: true
- Token
Exchange GatewayPlugin Ai Mcp Oauth2Config Token Exchange - Configuration details about token exchange that should happen before reaching upstream MCP server
- UpstreamHeaders List<GatewayPluginAiMcpOauth2ConfigUpstreamHeader> - Map token claims to upstream headers using path-based access. Each entry specifies a header name and a path (array of strings) to traverse the token claims. Mutually exclusive with claim_to_header.
- []string
- Resource string
- The resource identifier.
- Args map[string]string
- Additional arguments to send in the POST body.
- Cache
Introspection bool - If enabled, the plugin will cache the introspection response for the access token. This can improve performance by reducing the number of introspection requests to the authorization server. Default: true
- ClaimToHeaders []GatewayPluginAiMcpOauth2ConfigClaimToHeader - Map top-level token claims to upstream headers. Mutually exclusive with upstream_headers.
- Client
Alg string - The client JWT signing algorithm. possible known values include one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"]
- ClientAuth string - The client authentication method. Possible known values include one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]
- ClientId string - The client ID for authentication.
- ClientJwk string - The client JWK for private_key_jwt authentication.
- Client
Secret string - The client secret for authentication.
- ConsumerBies []string - Consumer fields used for mapping: id: try to find the matching Consumer by id; username: try to find the matching Consumer by username; custom_id: try to find the matching Consumer by custom_id. Default: ["custom_id","username"]
- ConsumerClaims []string - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Consumer
Groups []stringClaims - The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Consumer
Groups boolOptional - Do not terminate the request if consumer groups mapping fails. Default: false
- Consumer
Optional bool - Do not terminate the request if consumer mapping fails. Default: false
- Credential
Claims []string - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload. Default: ["sub"]
- Headers map[string]string
- Additional headers for the introspection request.
- Http
Proxy string - HTTP proxy to use.
- string
- HTTP proxy authorization header.
- Http
Version float64 - The HTTP version used for requests.
- Https
Proxy string - HTTPS proxy to use.
- string
- HTTPS proxy authorization header.
- InsecureRelaxedAudienceValidation bool - If enabled, the plugin will not validate the audience of the access token. Enable it only if the authorization server does not correctly set the audience claim according to RFC 8707 and the MCP specification; while it is enabled, a token issued for a different resource is not rejected for its audience. Default: false
- Introspection
Endpoint string - The Token Introspection Endpoint. If not provided, the plugin will attempt to use JWKS to verify the token. If the token is opaque, this field must be provided.
- Introspection
Format string - Controls introspection response format. possible known values include one of ["base64", "base64url", "string"]
- Jwks
Cache float64Ttl - The cache TTL in seconds for JWKS. Default: 3600
- Jwks
Endpoint string - The JWKS endpoint URL for fetching the authorization server's public keys. If not provided, the plugin will attempt to discover it from the authorization server metadata.
- Jwt
Claims float64Leeway - The leeway in seconds for JWT claims validation (exp, nbf). This allows tokens that are slightly expired or not yet valid due to clock skew. Default: 0
- Keepalive bool
- Enable HTTP keepalive for requests. Default: true
- MaxRequestBodySize float64 - Maximum body size allowed to be handled as an MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size. Default: 1048576
- Metadata
Cache float64Ttl - The cache TTL in seconds for discovered authorization server metadata. Default: 3600
- Metadata
Discovery stringEndpoint - Custom OAuth 2.0 authorization server metadata discovery URL. If provided, the plugin will use this URL directly instead of trying standard well-known discovery paths. The custom endpoint URL should end with either '/.well-known/openid-configuration' or '/.well-known/oauth-authorization-server'.
- Metadata
Discovery float64Retry - The number of retry attempts for metadata discovery requests per URL. Default: 3
- Metadata
Endpoint string - The path for OAuth 2.0 Protected Resource Metadata. Default to $resource/.well-known/oauth-protected-resource. For example, if the configured resource is https://api.example.com/mcp, the metadata endpoint is /mcp/.well-known/oauth-protected-resource.
- Mtls
Introspection stringEndpoint - The mTLS alias for the introspection endpoint.
- No
Proxy string - Comma-separated list of hosts to exclude from proxy.
- Passthrough
Credentials bool - Keep the credentials used for authentication in the request. If multiple credentials are sent with the same request, the plugin will keep those that were used for successful authentication. Default: false
- Scopes
Supporteds []string - Ssl
Verify bool - Verify the SSL certificate. Default: true
- Timeout float64
- Network I/O timeout in milliseconds. Default: 10000
- Tls
Client stringAuth Cert - PEM-encoded client certificate for mTLS.
- Tls
Client stringAuth Key - PEM-encoded private key for mTLS.
- Tls
Client boolAuth Ssl Verify - Verify server certificate in mTLS. Default: true
- Token
Exchange GatewayPlugin Ai Mcp Oauth2Config Token Exchange - Configuration details about token exchange that should happen before reaching upstream MCP server
- UpstreamHeaders []GatewayPluginAiMcpOauth2ConfigUpstreamHeader - Map token claims to upstream headers using path-based access. Each entry specifies a header name and a path (array of strings) to traverse the token claims. Mutually exclusive with claim_to_header.
- List<String>
- resource String
- The resource identifier.
- args Map<String,String>
- Additional arguments to send in the POST body.
- cache
Introspection Boolean - If enabled, the plugin will cache the introspection response for the access token. This can improve performance by reducing the number of introspection requests to the authorization server. Default: true
- claimToHeaders List<GatewayPluginAiMcpOauth2ConfigClaimToHeader> - Map top-level token claims to upstream headers. Mutually exclusive with upstream_headers.
- client
Alg String - The client JWT signing algorithm. possible known values include one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"]
- clientAuth String - The client authentication method. Possible known values include one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]
- clientId String - The client ID for authentication.
- clientJwk String - The client JWK for private_key_jwt authentication.
- client
Secret String - The client secret for authentication.
- consumerBies List<String> - Consumer fields used for mapping: id: try to find the matching Consumer by id; username: try to find the matching Consumer by username; custom_id: try to find the matching Consumer by custom_id. Default: ["custom_id","username"]
- consumerClaims List<String> - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Groups List<String>Claims - The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Groups BooleanOptional - Do not terminate the request if consumer groups mapping fails. Default: false
- consumer
Optional Boolean - Do not terminate the request if consumer mapping fails. Default: false
- credential
Claims List<String> - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload. Default: ["sub"]
- headers Map<String,String>
- Additional headers for the introspection request.
- http
Proxy String - HTTP proxy to use.
- String
- HTTP proxy authorization header.
- http
Version Double - The HTTP version used for requests.
- https
Proxy String - HTTPS proxy to use.
- String
- HTTPS proxy authorization header.
- insecureRelaxedAudienceValidation Boolean - If enabled, the plugin will not validate the audience of the access token. Enable it only if the authorization server does not correctly set the audience claim according to RFC 8707 and the MCP specification; while it is enabled, a token issued for a different resource is not rejected for its audience. Default: false
- introspection
Endpoint String - The Token Introspection Endpoint. If not provided, the plugin will attempt to use JWKS to verify the token. If the token is opaque, this field must be provided.
- introspection
Format String - Controls introspection response format. possible known values include one of ["base64", "base64url", "string"]
- jwks
Cache DoubleTtl - The cache TTL in seconds for JWKS. Default: 3600
- jwks
Endpoint String - The JWKS endpoint URL for fetching the authorization server's public keys. If not provided, the plugin will attempt to discover it from the authorization server metadata.
- jwt
Claims DoubleLeeway - The leeway in seconds for JWT claims validation (exp, nbf). This allows tokens that are slightly expired or not yet valid due to clock skew. Default: 0
- keepalive Boolean
- Enable HTTP keepalive for requests. Default: true
- maxRequestBodySize Double - Maximum body size allowed to be handled as an MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size. Default: 1048576
- metadata
Cache DoubleTtl - The cache TTL in seconds for discovered authorization server metadata. Default: 3600
- metadata
Discovery StringEndpoint - Custom OAuth 2.0 authorization server metadata discovery URL. If provided, the plugin will use this URL directly instead of trying standard well-known discovery paths. The custom endpoint URL should end with either '/.well-known/openid-configuration' or '/.well-known/oauth-authorization-server'.
- metadata
Discovery DoubleRetry - The number of retry attempts for metadata discovery requests per URL. Default: 3
- metadata
Endpoint String - The path for OAuth 2.0 Protected Resource Metadata. Default to $resource/.well-known/oauth-protected-resource. For example, if the configured resource is https://api.example.com/mcp, the metadata endpoint is /mcp/.well-known/oauth-protected-resource.
- mtls
Introspection StringEndpoint - The mTLS alias for the introspection endpoint.
- no
Proxy String - Comma-separated list of hosts to exclude from proxy.
- passthrough
Credentials Boolean - Keep the credentials used for authentication in the request. If multiple credentials are sent with the same request, the plugin will keep those that were used for successful authentication. Default: false
- scopes
Supporteds List<String> - ssl
Verify Boolean - Verify the SSL certificate. Default: true
- timeout Double
- Network I/O timeout in milliseconds. Default: 10000
- tls
Client StringAuth Cert - PEM-encoded client certificate for mTLS.
- tls
Client StringAuth Key - PEM-encoded private key for mTLS.
- tls
Client BooleanAuth Ssl Verify - Verify server certificate in mTLS. Default: true
- token
Exchange GatewayPlugin Ai Mcp Oauth2Config Token Exchange - Configuration details about token exchange that should happen before reaching upstream MCP server
- upstreamHeaders List<GatewayPluginAiMcpOauth2ConfigUpstreamHeader> - Map token claims to upstream headers using path-based access. Each entry specifies a header name and a path (array of strings) to traverse the token claims. Mutually exclusive with claim_to_header.
- string[]
- resource string
- The resource identifier.
- args {[key: string]: string}
- Additional arguments to send in the POST body.
- cache
Introspection boolean - If enabled, the plugin will cache the introspection response for the access token. This can improve performance by reducing the number of introspection requests to the authorization server. Default: true
- claimToHeaders GatewayPluginAiMcpOauth2ConfigClaimToHeader[] - Map top-level token claims to upstream headers. Mutually exclusive with upstream_headers.
- client
Alg string - The client JWT signing algorithm. possible known values include one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"]
- clientAuth string - The client authentication method. Possible known values include one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]
- clientId string - The client ID for authentication.
- clientJwk string - The client JWK for private_key_jwt authentication.
- client
Secret string - The client secret for authentication.
- consumerBies string[] - Consumer fields used for mapping: id: try to find the matching Consumer by id; username: try to find the matching Consumer by username; custom_id: try to find the matching Consumer by custom_id. Default: ["custom_id","username"]
- consumerClaims string[] - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Groups string[]Claims - The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Groups booleanOptional - Do not terminate the request if consumer groups mapping fails. Default: false
- consumer
Optional boolean - Do not terminate the request if consumer mapping fails. Default: false
- credential
Claims string[] - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload. Default: ["sub"]
- headers {[key: string]: string}
- Additional headers for the introspection request.
- http
Proxy string - HTTP proxy to use.
- string
- HTTP proxy authorization header.
- http
Version number - The HTTP version used for requests.
- https
Proxy string - HTTPS proxy to use.
- string
- HTTPS proxy authorization header.
- insecureRelaxedAudienceValidation boolean - If enabled, the plugin will not validate the audience of the access token. Enable it only if the authorization server does not correctly set the audience claim according to RFC 8707 and the MCP specification; while it is enabled, a token issued for a different resource is not rejected for its audience. Default: false
- introspection
Endpoint string - The Token Introspection Endpoint. If not provided, the plugin will attempt to use JWKS to verify the token. If the token is opaque, this field must be provided.
- introspection
Format string - Controls introspection response format. possible known values include one of ["base64", "base64url", "string"]
- jwks
Cache numberTtl - The cache TTL in seconds for JWKS. Default: 3600
- jwks
Endpoint string - The JWKS endpoint URL for fetching the authorization server's public keys. If not provided, the plugin will attempt to discover it from the authorization server metadata.
- jwt
Claims numberLeeway - The leeway in seconds for JWT claims validation (exp, nbf). This allows tokens that are slightly expired or not yet valid due to clock skew. Default: 0
- keepalive boolean
- Enable HTTP keepalive for requests. Default: true
- maxRequestBodySize number - Maximum body size allowed to be handled as an MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size. Default: 1048576
- metadata
Cache numberTtl - The cache TTL in seconds for discovered authorization server metadata. Default: 3600
- metadata
Discovery stringEndpoint - Custom OAuth 2.0 authorization server metadata discovery URL. If provided, the plugin will use this URL directly instead of trying standard well-known discovery paths. The custom endpoint URL should end with either '/.well-known/openid-configuration' or '/.well-known/oauth-authorization-server'.
- metadata
Discovery numberRetry - The number of retry attempts for metadata discovery requests per URL. Default: 3
- metadata
Endpoint string - The path for OAuth 2.0 Protected Resource Metadata. Default to $resource/.well-known/oauth-protected-resource. For example, if the configured resource is https://api.example.com/mcp, the metadata endpoint is /mcp/.well-known/oauth-protected-resource.
- mtls
Introspection stringEndpoint - The mTLS alias for the introspection endpoint.
- no
Proxy string - Comma-separated list of hosts to exclude from proxy.
- passthrough
Credentials boolean - Keep the credentials used for authentication in the request. If multiple credentials are sent with the same request, the plugin will keep those that were used for successful authentication. Default: false
- scopes
Supporteds string[] - ssl
Verify boolean - Verify the SSL certificate. Default: true
- timeout number
- Network I/O timeout in milliseconds. Default: 10000
- tls
Client stringAuth Cert - PEM-encoded client certificate for mTLS.
- tls
Client stringAuth Key - PEM-encoded private key for mTLS.
- tls
Client booleanAuth Ssl Verify - Verify server certificate in mTLS. Default: true
- token
Exchange GatewayPlugin Ai Mcp Oauth2Config Token Exchange - Configuration details about token exchange that should happen before reaching upstream MCP server
- upstreamHeaders GatewayPluginAiMcpOauth2ConfigUpstreamHeader[] - Map token claims to upstream headers using path-based access. Each entry specifies a header name and a path (array of strings) to traverse the token claims. Mutually exclusive with claim_to_header.
- Sequence[str]
- resource str
- The resource identifier.
- args Mapping[str, str]
- Additional arguments to send in the POST body.
- cache_
introspection bool - If enabled, the plugin will cache the introspection response for the access token. This can improve performance by reducing the number of introspection requests to the authorization server. Default: true
- claim_to_headers Sequence[GatewayPluginAiMcpOauth2ConfigClaimToHeader] - Map top-level token claims to upstream headers. Mutually exclusive with upstream_headers.
- client_
alg str - The client JWT signing algorithm. possible known values include one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"]
- client_auth str - The client authentication method. Possible known values include one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]
- client_id str - The client ID for authentication.
- client_jwk str - The client JWK for private_key_jwt authentication.
- client_
secret str - The client secret for authentication.
- consumer_bies Sequence[str] - Consumer fields used for mapping: id: try to find the matching Consumer by id; username: try to find the matching Consumer by username; custom_id: try to find the matching Consumer by custom_id. Default: ["custom_id","username"]
- consumer_claims Sequence[str] - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer_
groups_ Sequence[str]claims - The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer_
groups_ booloptional - Do not terminate the request if consumer groups mapping fails. Default: false
- consumer_
optional bool - Do not terminate the request if consumer mapping fails. Default: false
- credential_
claims Sequence[str] - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload. Default: ["sub"]
- headers Mapping[str, str]
- Additional headers for the introspection request.
- http_
proxy str - HTTP proxy to use.
- str
- HTTP proxy authorization header.
- http_
version float - The HTTP version used for requests.
- https_
proxy str - HTTPS proxy to use.
- str
- HTTPS proxy authorization header.
- insecure_relaxed_audience_validation bool - If enabled, the plugin will not validate the audience of the access token. Enable it only if the authorization server does not correctly set the audience claim according to RFC 8707 and the MCP specification; while it is enabled, a token issued for a different resource is not rejected for its audience. Default: false
- introspection_
endpoint str - The Token Introspection Endpoint. If not provided, the plugin will attempt to use JWKS to verify the token. If the token is opaque, this field must be provided.
- introspection_
format str - Controls introspection response format. possible known values include one of ["base64", "base64url", "string"]
- jwks_
cache_ floatttl - The cache TTL in seconds for JWKS. Default: 3600
- jwks_
endpoint str - The JWKS endpoint URL for fetching the authorization server's public keys. If not provided, the plugin will attempt to discover it from the authorization server metadata.
- jwt_
claims_ floatleeway - The leeway in seconds for JWT claims validation (exp, nbf). This allows tokens that are slightly expired or not yet valid due to clock skew. Default: 0
- keepalive bool
- Enable HTTP keepalive for requests. Default: true
- max_request_body_size float - Maximum body size allowed to be handled as an MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size. Default: 1048576
- metadata_
cache_ floatttl - The cache TTL in seconds for discovered authorization server metadata. Default: 3600
- metadata_
discovery_ strendpoint - Custom OAuth 2.0 authorization server metadata discovery URL. If provided, the plugin will use this URL directly instead of trying standard well-known discovery paths. The custom endpoint URL should end with either '/.well-known/openid-configuration' or '/.well-known/oauth-authorization-server'.
- metadata_
discovery_ floatretry - The number of retry attempts for metadata discovery requests per URL. Default: 3
- metadata_
endpoint str - The path for OAuth 2.0 Protected Resource Metadata. Default to $resource/.well-known/oauth-protected-resource. For example, if the configured resource is https://api.example.com/mcp, the metadata endpoint is /mcp/.well-known/oauth-protected-resource.
- mtls_
introspection_ strendpoint - The mTLS alias for the introspection endpoint.
- no_
proxy str - Comma-separated list of hosts to exclude from proxy.
- passthrough_
credentials bool - Keep the credentials used for authentication in the request. If multiple credentials are sent with the same request, the plugin will keep those that were used for successful authentication. Default: false
- scopes_
supporteds Sequence[str] - ssl_
verify bool - Verify the SSL certificate. Default: true
- timeout float
- Network I/O timeout in milliseconds. Default: 10000
- tls_
client_ strauth_ cert - PEM-encoded client certificate for mTLS.
- tls_
client_ strauth_ key - PEM-encoded private key for mTLS.
- tls_
client_ boolauth_ ssl_ verify - Verify server certificate in mTLS. Default: true
- token_
exchange GatewayPlugin Ai Mcp Oauth2Config Token Exchange - Configuration details about token exchange that should happen before reaching upstream MCP server
- upstream_headers Sequence[GatewayPluginAiMcpOauth2ConfigUpstreamHeader] - Map token claims to upstream headers using path-based access. Each entry specifies a header name and a path (array of strings) to traverse the token claims. Mutually exclusive with claim_to_header.
- List<String>
- resource String
- The resource identifier.
- args Map<String>
- Additional arguments to send in the POST body.
- cache
Introspection Boolean - If enabled, the plugin will cache the introspection response for the access token. This can improve performance by reducing the number of introspection requests to the authorization server. Default: true
- claim
To List<Property Map>Headers - Map top-level token claims to upstream headers. Mutually exclusive with upstream_headers.
- client
Alg String - The client JWT signing algorithm. possible known values include one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"]
- client
Auth String - The client authentication method. Possible known values include one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]
- client
Id String - The client ID for authentication.
- client
Jwk String - The client JWK for private_key_jwt authentication.
- client
Secret String - The client secret for authentication.
- consumer
Bies List<String> - Consumer fields used for mapping:
- id: try to find the matching Consumer by id
- username: try to find the matching Consumer by username
- custom_id: try to find the matching Consumer by custom_id
Default: ["custom_id","username"]
- consumer
Claims List<String> - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Groups List<String>Claims - The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Groups BooleanOptional - Do not terminate the request if consumer groups mapping fails. Default: false
- consumer
Optional Boolean - Do not terminate the request if consumer mapping fails. Default: false
- credential
Claims List<String> - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload. Default: ["sub"]
- headers Map<String>
- Additional headers for the introspection request.
- http
Proxy String - HTTP proxy to use.
- String
- HTTP proxy authorization header.
- http
Version Number - The HTTP version used for requests.
- https
Proxy String - HTTPS proxy to use.
- String
- HTTPS proxy authorization header.
- insecure
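Relaxed BooleanAudience Validation - If enabled, the plugin will not validate the audience of the access token. Enable this option (that is, turn audience validation off) only if the authorization server does not correctly set the audience claim according to RFC 8707 and the MCP specification; with validation off, a token issued for a different resource is no longer rejected on audience grounds. Default: false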
- introspection
Endpoint String - The Token Introspection Endpoint. If not provided, the plugin will attempt to use JWKS to verify the token. If the token is opaque, this field must be provided.
- introspection
Format String - Controls introspection response format. possible known values include one of ["base64", "base64url", "string"]
- jwks
Cache NumberTtl - The cache TTL in seconds for JWKS. Default: 3600
- jwks
Endpoint String - The JWKS endpoint URL for fetching the authorization server's public keys. If not provided, the plugin will attempt to discover it from the authorization server metadata.
- jwt
Claims NumberLeeway - The leeway in seconds for JWT claims validation (exp, nbf). This allows tokens that are slightly expired or not yet valid due to clock skew. Default: 0
- keepalive Boolean
- Enable HTTP keepalive for requests. Default: true
- max
Request NumberBody Size - Maximum body size allowed to be handled as an MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size. Default: 1048576
- metadata
Cache NumberTtl - The cache TTL in seconds for discovered authorization server metadata. Default: 3600
- metadata
Discovery StringEndpoint - Custom OAuth 2.0 authorization server metadata discovery URL. If provided, the plugin will use this URL directly instead of trying standard well-known discovery paths. The custom endpoint URL should end with either '/.well-known/openid-configuration' or '/.well-known/oauth-authorization-server'.
- metadata
Discovery NumberRetry - The number of retry attempts for metadata discovery requests per URL. Default: 3
- metadata
Endpoint String - The path for OAuth 2.0 Protected Resource Metadata. Default to $resource/.well-known/oauth-protected-resource. For example, if the configured resource is https://api.example.com/mcp, the metadata endpoint is /mcp/.well-known/oauth-protected-resource.
- mtls
Introspection StringEndpoint - The mTLS alias for the introspection endpoint.
- no
Proxy String - Comma-separated list of hosts to exclude from proxy.
- passthrough
Credentials Boolean - Keep the credentials used for authentication in the request. If multiple credentials are sent with the same request, the plugin will keep those that were used for successful authentication. Default: false
- scopes
Supporteds List<String> - ssl
Verify Boolean - Verify the SSL certificate. Default: true
- timeout Number
- Network I/O timeout in milliseconds. Default: 10000
- tls
Client StringAuth Cert - PEM-encoded client certificate for mTLS.
- tls
Client StringAuth Key - PEM-encoded private key for mTLS.
- tls
Client BooleanAuth Ssl Verify - Verify server certificate in mTLS. Default: true
- token
Exchange Property Map - Configuration details about token exchange that should happen before reaching upstream MCP server
- upstream
Headers List<Property Map> - Map token claims to upstream headers using path-based access. Each entry specifies a header name and a path (array of strings) to traverse the token claims. Mutually exclusive with claim_to_header.
GatewayPluginAiMcpOauth2ConfigClaimToHeader, GatewayPluginAiMcpOauth2ConfigClaimToHeaderArgs
GatewayPluginAiMcpOauth2ConfigTokenExchange, GatewayPluginAiMcpOauth2ConfigTokenExchangeArgs
- Token
Endpoint string - The token exchange endpoint.
- Cache
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Cache - Client
Auth string - The type of authentication method to use with the exchange endpoint. Use 'inherit' to use the same client_id and secret as in introspection_endpoint. Possible known values include one of ["client_secret_basic", "client_secret_post", "inherit", "none"]; Default: "client_secret_basic"
- Client
Id string - The client ID for authentication.
- Client
Secret string - The client secret for authentication.
- Enabled bool
- Whether Token Exchange should be enabled. Default: false
- Request
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Request
- Token
Endpoint string - The token exchange endpoint.
- Cache
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Cache - Client
Auth string - The type of authentication method to use with the exchange endpoint. Use 'inherit' to use the same client_id and secret as in introspection_endpoint. Possible known values include one of ["client_secret_basic", "client_secret_post", "inherit", "none"]; Default: "client_secret_basic"
- Client
Id string - The client ID for authentication.
- Client
Secret string - The client secret for authentication.
- Enabled bool
- Whether Token Exchange should be enabled. Default: false
- Request
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Request
- token
Endpoint String - The token exchange endpoint.
- cache
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Cache - client
Auth String - The type of authentication method to use with the exchange endpoint. Use 'inherit' to use the same client_id and secret as in introspection_endpoint. Possible known values include one of ["client_secret_basic", "client_secret_post", "inherit", "none"]; Default: "client_secret_basic"
- client
Id String - The client ID for authentication.
- client
Secret String - The client secret for authentication.
- enabled Boolean
- Whether Token Exchange should be enabled. Default: false
- request
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Request
- token
Endpoint string - The token exchange endpoint.
- cache
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Cache - client
Auth string - The type of authentication method to use with the exchange endpoint. Use 'inherit' to use the same client_id and secret as in introspection_endpoint. Possible known values include one of ["client_secret_basic", "client_secret_post", "inherit", "none"]; Default: "client_secret_basic"
- client
Id string - The client ID for authentication.
- client
Secret string - The client secret for authentication.
- enabled boolean
- Whether Token Exchange should be enabled. Default: false
- request
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Request
- token_
endpoint str - The token exchange endpoint.
- cache
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Cache - client_
auth str - The type of authentication method to use with the exchange endpoint. Use 'inherit' to use the same client_id and secret as in introspection_endpoint. Possible known values include one of ["client_secret_basic", "client_secret_post", "inherit", "none"]; Default: "client_secret_basic"
- client_
id str - The client ID for authentication.
- client_
secret str - The client secret for authentication.
- enabled bool
- Whether Token Exchange should be enabled. Default: false
- request
Gateway
Plugin Ai Mcp Oauth2Config Token Exchange Request
- token
Endpoint String - The token exchange endpoint.
- cache Property Map
- client
Auth String - The type of authentication method to use with the exchange endpoint. Use 'inherit' to use the same client_id and secret as in introspection_endpoint. Possible known values include one of ["client_secret_basic", "client_secret_post", "inherit", "none"]; Default: "client_secret_basic"
- client
Id String - The client ID for authentication.
- client
Secret String - The client secret for authentication.
- enabled Boolean
- Whether Token Exchange should be enabled. Default: false
- request Property Map
GatewayPluginAiMcpOauth2ConfigTokenExchangeCache, GatewayPluginAiMcpOauth2ConfigTokenExchangeCacheArgs
GatewayPluginAiMcpOauth2ConfigTokenExchangeRequest, GatewayPluginAiMcpOauth2ConfigTokenExchangeRequestArgs
- Actor
Token string - Static actor token value (when source is config).
- Actor
Token stringHeader - Header name containing actor token (when source is header).
- Actor
Token stringSource - Where to obtain actor token. possible known values include one of ["config", "header", "none"]; Default: "none"
- Actor
Token stringType - The token type identifier of actor token. Default: "urn:ietf:params:oauth:token-type:access_token"
- Audiences List<string>
- Audiences used in the token exchange request.
- Requested
Token stringType - The desired output token type. Default: "urn:ietf:params:oauth:token-type:access_token"
- Resource string
- The absolute URI of target MCP service where token will be used.
- Scopes List<string>
- Scopes used in the token exchange request.
- Subject
Token stringType - The type of token to be exchanged. Default: "urn:ietf:params:oauth:token-type:access_token"
- Actor
Token string - Static actor token value (when source is config).
- Actor
Token stringHeader - Header name containing actor token (when source is header).
- Actor
Token stringSource - Where to obtain actor token. possible known values include one of ["config", "header", "none"]; Default: "none"
- Actor
Token stringType - The token type identifier of actor token. Default: "urn:ietf:params:oauth:token-type:access_token"
- Audiences []string
- Audiences used in the token exchange request.
- Requested
Token stringType - The desired output token type. Default: "urn:ietf:params:oauth:token-type:access_token"
- Resource string
- The absolute URI of target MCP service where token will be used.
- Scopes []string
- Scopes used in the token exchange request.
- Subject
Token stringType - The type of token to be exchanged. Default: "urn:ietf:params:oauth:token-type:access_token"
- actor
Token String - Static actor token value (when source is config).
- actor
Token StringHeader - Header name containing actor token (when source is header).
- actor
Token StringSource - Where to obtain actor token. possible known values include one of ["config", "header", "none"]; Default: "none"
- actor
Token StringType - The token type identifier of actor token. Default: "urn:ietf:params:oauth:token-type:access_token"
- audiences List<String>
- Audiences used in the token exchange request.
- requested
Token StringType - The desired output token type. Default: "urn:ietf:params:oauth:token-type:access_token"
- resource String
- The absolute URI of target MCP service where token will be used.
- scopes List<String>
- Scopes used in the token exchange request.
- subject
Token StringType - The type of token to be exchanged. Default: "urn:ietf:params:oauth:token-type:access_token"
- actor
Token string - Static actor token value (when source is config).
- actor
Token stringHeader - Header name containing actor token (when source is header).
- actor
Token stringSource - Where to obtain actor token. possible known values include one of ["config", "header", "none"]; Default: "none"
- actor
Token stringType - The token type identifier of actor token. Default: "urn:ietf:params:oauth:token-type:access_token"
- audiences string[]
- Audiences used in the token exchange request.
- requested
Token stringType - The desired output token type. Default: "urn:ietf:params:oauth:token-type:access_token"
- resource string
- The absolute URI of target MCP service where token will be used.
- scopes string[]
- Scopes used in the token exchange request.
- subject
Token stringType - The type of token to be exchanged. Default: "urn:ietf:params:oauth:token-type:access_token"
- actor_
token str - Static actor token value (when source is config).
- actor_
token_ strheader - Header name containing actor token (when source is header).
- actor_
token_ strsource - Where to obtain actor token. possible known values include one of ["config", "header", "none"]; Default: "none"
- actor_
token_ strtype - The token type identifier of actor token. Default: "urn:ietf:params:oauth:token-type:access_token"
- audiences Sequence[str]
- Audiences used in the token exchange request.
- requested_
token_ strtype - The desired output token type. Default: "urn:ietf:params:oauth:token-type:access_token"
- resource str
- The absolute URI of target MCP service where token will be used.
- scopes Sequence[str]
- Scopes used in the token exchange request.
- subject_
token_ strtype - The type of token to be exchanged. Default: "urn:ietf:params:oauth:token-type:access_token"
- actor
Token String - Static actor token value (when source is config).
- actor
Token StringHeader - Header name containing actor token (when source is header).
- actor
Token StringSource - Where to obtain actor token. possible known values include one of ["config", "header", "none"]; Default: "none"
- actor
Token StringType - The token type identifier of actor token. Default: "urn:ietf:params:oauth:token-type:access_token"
- audiences List<String>
- Audiences used in the token exchange request.
- requested
Token StringType - The desired output token type. Default: "urn:ietf:params:oauth:token-type:access_token"
- resource String
- The absolute URI of target MCP service where token will be used.
- scopes List<String>
- Scopes used in the token exchange request.
- subject
Token StringType - The type of token to be exchanged. Default: "urn:ietf:params:oauth:token-type:access_token"
GatewayPluginAiMcpOauth2ConfigUpstreamHeader, GatewayPluginAiMcpOauth2ConfigUpstreamHeaderArgs
GatewayPluginAiMcpOauth2Ordering, GatewayPluginAiMcpOauth2OrderingArgs
GatewayPluginAiMcpOauth2OrderingAfter, GatewayPluginAiMcpOauth2OrderingAfterArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginAiMcpOauth2OrderingBefore, GatewayPluginAiMcpOauth2OrderingBeforeArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginAiMcpOauth2Partial, GatewayPluginAiMcpOauth2PartialArgs
GatewayPluginAiMcpOauth2Route, GatewayPluginAiMcpOauth2RouteArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginAiMcpOauth2Service, GatewayPluginAiMcpOauth2ServiceArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
Import
In Terraform v1.5.0 and later, the import block can be used with the id attribute, for example:
terraform
# Import block for bringing an existing plugin under management.
# Per the surrounding text, import blocks need Terraform v1.5.0 or later.
import {
# Resource address that the imported object is bound to.
to = konnect_gateway_plugin_ai_mcp_oauth2.my_konnect_gateway_plugin_ai_mcp_oauth2
# The import id is a JSON-encoded object with two keys: control_plane_id and id.
id = jsonencode({
# Example identifiers from the documentation; presumably to be replaced with
# the ids of your own control plane and plugin instance.
control_plane_id = "9524ec7d-36d9-465d-a8c5-83a3c9390458"
id = "3473c251-5b6c-4f45-b1ff-7ede735a366d"
})
}
The pulumi import command can be used, for example:
$ pulumi import konnect:index/gatewayPluginAiMcpOauth2:GatewayPluginAiMcpOauth2 my_konnect_gateway_plugin_ai_mcp_oauth2 '{"control_plane_id": "9524ec7d-36d9-465d-a8c5-83a3c9390458", "id": "3473c251-5b6c-4f45-b1ff-7ede735a366d"}'
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- konnect kong/terraform-provider-konnect
- License
- Notes
- This Pulumi package is based on the
konnect Terraform Provider.
