Docs Local Kubernetes Blog Enterprise Community Get Started GitHub

Policies

Policies Policy A configuration that manipulates, secures, or observes traffic as it flows through agentgateway. Policies can be attached at the listener, route, or backend level. are a powerful feature of agentgateway that allow you to manipulate traffic as it flows through your gateway. Policies can be used to manipulate traffic, configurable observability, enforce rich security rules, and more.

Attachment points

You can attach policies at the listener Listener An entry point for incoming traffic into agentgateway. Listeners are configured on ports and support HTTP, HTTPS, TCP, and TLS protocols. , route Route A rule that matches incoming requests and forwards them to backends. Routes can match on path, hostname, headers, query parameters, and HTTP methods. , or backend Backend A destination service that receives traffic from agentgateway. Backends can be static hosts, MCP servers, LLM providers, or other services. level to provide fine-grained control over traffic.

Policies that are attached at multiple levels are applied at all levels.

Section Available Policies Phase
Listener JWT JWT (JSON Web Token) A compact, URL-safe token format used for securely transmitting information between parties. JWTs are commonly used for authentication and authorization in agentgateway. , External Authorization, External Processing ExtProc (External Processing) An advanced filter that allows arbitrary modifications to HTTP requests and responses using an external gRPC processing server. ExtProc is API-compatible with Envoy's External Processing service. , Transformation Transformation The process of modifying HTTP requests or responses as they pass through agentgateway. Transformations can change headers, body content, and other request/response attributes. , Basic Authentication Authentication (AuthN) The process of verifying the identity of a user or service. Agentgateway supports various authentication methods including JWT, API keys, and basic authentication. , API Key API Key A secret token used to authenticate API requests. Agentgateway can validate API keys and attach metadata to authenticated requests. authentication Runs before route selection
Route All Policies Runs after route selection, before backend selection
Backend Backend TLS, Backend Authentication, Backend HTTP, Backend TCP, AI/LLM, MCP Authorization, MCP Authentication, Header modification Runs after backend selection

Example policy configuration

Review the following example configuration that uses one of each policy type.

binds:
- port: 3000
  listeners:
  # Listener level policy
  # Enforces that incoming requests have a valid 




  API key
  
    API Key
    A secret token used to authenticate API requests. Agentgateway can validate API keys and attach metadata to authenticated requests.
    
  




  - policies:
      apiKey:
        mode: strict
        keys:
        - key: sk-testkey-1
          metadata:
            user: test
            role: admin
    routes:
    # Route level policy
    # Adds a header (based on a 




  CEL
  
    CEL (Common Expression Language)
    A simple expression language used throughout agentgateway to enable flexible configuration. CEL expressions can access request context, JWT claims, and other variables to make dynamic decisions.
    
  



 expression) with the authenticated user (based on the API key)
    - policies:
        transformations:
          request:
            set:
              x-authenticated-user: apiKey.user
      backends:
      - host: localhost:8080
        # Backend level policy
        # Adds an Authorization header to outgoing requests
        policies:
          backendAuth:
            key: my-authorization-header

More policy configuration guides

For more information about available policies, review the following guides:

Traffic management Resiliency Security
Static configurationListeners