For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
Attachment points
Learn how to attach policies to different resources in agentgateway.
You can attach policies at the listenerListenerAn entry point for incoming traffic into agentgateway. Listeners are configured on ports and support HTTP, HTTPS, TCP, and TLS protocols., routeRouteA rule that matches incoming requests and forwards them to backends. Routes can match on path, hostname, headers, query parameters, and HTTP methods., or backendBackendA destination service that receives traffic from agentgateway. Backends can be static hosts, MCP servers, LLM providers, or other services. level to provide fine-grained control over traffic.
Phases
Policies that are attached at multiple levels are applied at all levels.
| Section | Available Policies | Phase |
|---|---|---|
| Listener | JWTJWT (JSON Web Token)A compact, URL-safe token format used for securely transmitting information between parties. JWTs are commonly used for authentication and authorization in agentgateway., External Authorization, External ProcessingExtProc (External Processing)An advanced filter that allows arbitrary modifications to HTTP requests and responses using an external gRPC processing server. ExtProc is API-compatible with Envoy's External Processing service., TransformationTransformationThe process of modifying HTTP requests or responses as they pass through agentgateway. Transformations can change headers, body content, and other request/response attributes., Basic AuthenticationAuthentication (AuthN)The process of verifying the identity of a user or service. Agentgateway supports various authentication methods including JWT, API keys, and basic authentication., API KeyAPI KeyA secret token used to authenticate API requests. Agentgateway can validate API keys and attach metadata to authenticated requests. authentication | Runs before route selection |
| Route | All Policies | Runs after route selection, before backend selection |
| Backend | Backend TLS, Backend Authentication, Backend HTTP, Backend TCP, AI/LLM, MCP Authorization, MCP Authentication, Header modification | Runs after backend selection |
Example policy configuration
Review the following example configuration that uses one of each policy type.
# yaml-language-server: $schema=https://agentgateway.dev/schema/config
binds:
- port: 3000
listeners:
# Listener level policy
# Enforces that incoming requests have a valid API keyAPI KeyA secret token used to authenticate API requests. Agentgateway can validate API keys and attach metadata to authenticated requests.
- policies:
apiKey:
mode: strict
keys:
- key: sk-testkey-1
metadata:
user: test
role: admin
routes:
# Route level policy
# Adds a header (based on a CELCEL (Common Expression Language)A simple expression language used throughout agentgateway to enable flexible configuration. CEL expressions can access request context, JWT claims, and other variables to make dynamic decisions. expression) with the authenticated user (based on the API key)
- policies:
transformations:
request:
set:
x-authenticated-user: apiKey.user
backends:
- host: localhost:8080
# Backend level policy
# Adds an Authorization header to outgoing requests
policies:
backendAuth:
key: my-authorization-headerMore policy configuration guides
For more information about available policies, review the following guides:
