Schema Reference

Anthropic Messages Decoder Configuration

Configuration for the Anthropic Messages Decoder extension. Decodes Anthropic Messages API requests and responses, exposing structured metadata for downstream filters.

metadata_namespace

Filter metadata namespace for decoded fields. Defaults to “io.builtonenvoy.anthropic” if not set.

Type: string
Required: No

Azure Content Safety Configuration

Configuration for the Azure AI Content Safety extension. Integrates with Azure Content Safety to analyze LLM prompts and responses for harmful content.

api_key

API subscription key for the Azure Content Safety resource.

Type: DataSource
Required: Yes

api_version

Azure API version string. Defaults to “2024-09-01”.

Type: string
Required: No

categories

Content categories to analyze. Defaults to [“Hate”, “SelfHarm”, “Sexual”, “Violence”].

Type: []string
Required: No

enable_protected_material

Enable protected material detection on responses. Defaults to false.

Type: boolean
Required: No

enable_task_adherence

Enable task adherence detection on requests. Defaults to false.

Type: boolean
Required: No

endpoint

Azure Content Safety resource endpoint URL (e.g. “https://my-resource.cognitiveservices.azure.com”).

Type: string
Required: Yes

fail_open

If true, allow traffic when the Azure API returns an error. Defaults to false.

Type: boolean
Required: No

hate_threshold

Severity threshold for hate content (0-6). Content at or above this level is flagged. Defaults to 2.

Type: integer
Required: No

mode

Operating mode. “block” rejects harmful content, “monitor” logs but allows it. Defaults to “block”.

Type: string
Required: No
Allowed values: block, monitor

self_harm_threshold

Severity threshold for self-harm content (0-6). Content at or above this level is flagged. Defaults to 2.

Type: integer
Required: No

sexual_threshold

Severity threshold for sexual content (0-6). Content at or above this level is flagged. Defaults to 2.

Type: integer
Required: No

task_adherence_api_version

Azure API version for the task adherence endpoint. Defaults to “2025-09-15-preview”.

Type: string
Required: No

violence_threshold

Severity threshold for violence content (0-6). Content at or above this level is flagged. Defaults to 2.

Type: integer
Required: No

Custom type: DataSource

A data source provided either inline or as a file path. Exactly one must be set. Requires one of: inline, file

file

Path to a file containing the data.

Type: string
Required: No

inline

Data provided directly as a string.

Type: string
Required: No

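The way the per-category thresholds, mode and fail_open combine is easiest to see as one decision function. The Go program below is an added example written for this page, not code from the extension. The reply shape it parses (a categoriesAnalysis array of category/severity pairs) is my assumption about the Azure text:analyze response and should be checked against the api_version you configure; the sample reply and the error are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

type Mode string

const (
	ModeBlock   Mode = "block"
	ModeMonitor Mode = "monitor"
)

// Config holds the subset of the extension's settings that drive the verdict.
type Config struct {
	Mode       Mode
	FailOpen   bool
	Thresholds map[string]int // category -> severity at or above which content is flagged
}

// DefaultConfig mirrors the page's defaults: block mode, fail closed, threshold 2 everywhere.
func DefaultConfig() Config {
	return Config{Mode: ModeBlock, Thresholds: map[string]int{
		"Hate": 2, "SelfHarm": 2, "Sexual": 2, "Violence": 2,
	}}
}

// analyzeResponse is the reply shape assumed here for text:analyze; verify it
// against the Azure API reference for the api_version you run.
type analyzeResponse struct {
	CategoriesAnalysis []struct {
		Category string `json:"category"`
		Severity int    `json:"severity"`
	} `json:"categoriesAnalysis"`
}

type Decision struct {
	Allow   bool
	Flagged []string // "Category=severity" for each category at or above its threshold
	Reason  string
}

// Decide maps an Azure reply (or a failed call) to allow/deny. Note that a
// threshold of 0 flags every reply, because severity 0 is "at or above" 0.
func (c Config) Decide(body []byte, callErr error) Decision {
	if callErr != nil {
		if c.FailOpen {
			return Decision{Allow: true, Reason: "azure call failed; fail_open=true"}
		}
		return Decision{Allow: false, Reason: "azure call failed; fail_open=false"}
	}
	var resp analyzeResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		// An unparseable reply is not a clean verdict: treat it like a failed call.
		return c.Decide(nil, fmt.Errorf("malformed azure reply: %w", err))
	}
	var flagged []string
	for _, ca := range resp.CategoriesAnalysis {
		if th, ok := c.Thresholds[ca.Category]; ok && ca.Severity >= th {
			flagged = append(flagged, fmt.Sprintf("%s=%d", ca.Category, ca.Severity))
		}
	}
	switch {
	case len(flagged) == 0:
		return Decision{Allow: true, Reason: "no category reached its threshold"}
	case c.Mode == ModeMonitor:
		return Decision{Allow: true, Flagged: flagged, Reason: "flagged but mode=monitor"}
	default:
		return Decision{Allow: false, Flagged: flagged, Reason: "flagged and mode=block"}
	}
}

func main() {
	// Constructed sample reply, not captured from Azure.
	body := []byte(`{"categoriesAnalysis":[{"category":"Hate","severity":0},{"category":"Violence","severity":4}]}`)
	fmt.Printf("%+v\n", DefaultConfig().Decide(body, nil))
	fmt.Printf("%+v\n", DefaultConfig().Decide(nil, errors.New("HTTP 503 from Azure")))
}
```

The two paths worth keeping in mind operationally are the last two: monitor mode never blocks, even at severity 6, and fail_open turns an Azure outage (or a malformed reply) into an allow.
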
Bedrock Guardrails Configuration

Configuration for the AWS Bedrock Guardrails extension. Applies Bedrock Guardrails to evaluate LLM prompts for content moderation.

bedrock_api_key

API key for AWS Bedrock authentication.

Type: string
Required: Yes

bedrock_cluster

Envoy cluster name configured to reach the Bedrock endpoint.

Type: string
Required: Yes

bedrock_endpoint

AWS Bedrock API endpoint URL (e.g. “https://bedrock-runtime.us-east-1.amazonaws.com”).

Type: string
Required: Yes

bedrock_guardrails

List of Bedrock guardrails to apply. Duplicate identifiers are removed automatically.

Type: []object
Required: Yes
Min items: 1

bedrock_guardrails.identifier

Unique guardrail identifier.

Type: string
Required: Yes

bedrock_guardrails.version

Guardrail version to apply.

Type: string
Required: Yes

bedrock_timeoutms

API request timeout in milliseconds. Defaults to 20000 (20 seconds).

Type: integer
Required: No

Cedar Authorization Configuration

Configuration for the Cedar authorization extension. Evaluates Cedar policies inline to authorize HTTP requests.

action_type

Cedar entity type for actions. Defaults to “Action”.

Type: string
Required: No

deny_body

Response body returned when a request is denied. Defaults to “Forbidden”.

Type: string
Required: No

deny_headers

Additional headers to include in deny responses.

Type: object
Required: No

deny_status

HTTP status code returned when a request is denied. Defaults to 403.

Type: integer
Required: No

dry_run

If true, log authorization decisions without enforcing them. Defaults to false.

Type: boolean
Required: No

entities_file

Path to a JSON file containing Cedar entities for hierarchy support.

Type: string
Required: No

fail_open

If true, allow requests when policy evaluation fails. Defaults to false.

Type: boolean
Required: No

metadata_namespaces

List of dynamic metadata namespaces to include in the Cedar context record under the “dynamic_metadata” key.

Type: []string
Required: No

policy

Cedar policy set to evaluate.

Type: DataSource
Required: Yes

principal_id_header

Request header from which to extract the principal ID.

Type: string
Required: Yes

principal_type

Cedar entity type for the principal (e.g. “User”).

Type: string
Required: Yes

resource_type

Cedar entity type for resources. Defaults to “Resource”.

Type: string
Required: No

Custom type: DataSource

A data source provided either inline or as a file path. Exactly one must be set. Requires one of: inline, file

file

Path to a file containing the data.

Type: string
Required: No

inline

Data provided directly as a string.

Type: string
Required: No

Chat Completions Decoder Configuration

Configuration for the Chat Completions Decoder extension. Decodes OpenAI Chat Completion requests and responses, exposing structured metadata for downstream filters.

metadata_namespace

Filter metadata namespace for decoded fields. Defaults to “io.builtonenvoy.openai” if not set.

Type: string
Required: No

Coraza WAF Configuration

Configuration for the Coraza WAF extension. Provides Web Application Firewall protection using SecLang directives.

directives

List of Coraza SecLang directives. Each entry is a single directive string. Special includes are supported: “Include @recommended.conf”, “Include @crs-setup.conf”, “Include @owasp_crs/*.conf”.

Type: []string
Required: Yes
Min items: 1
Item min length: 1

mode

WAF inspection mode. Defaults to “REQUEST_ONLY” if not set.

Type: string
Required: No
Allowed values: REQUEST_ONLY, RESPONSE_ONLY, FULL

File Server Configuration

Configuration for the File Server extension. Serves static files from the local filesystem through Envoy.

content_types

Custom file extension to content-type mappings. Keys are file suffixes without dots (e.g. “html”, “css”).

Type: object
Required: No

default_content_type

Default content-type when the file extension is not found in content_types.

Type: string
Required: No

directory_index_files

Files to serve for directory requests (e.g. [“index.html”]). File names must not contain slashes.

Type: []string
Required: No
Item pattern: ^[^/]*$

path_mappings

Mappings from URL path prefixes to filesystem path prefixes. At least one mapping is required. Duplicate request path prefixes are not allowed.

Type: []object
Required: Yes
Min items: 1

path_mappings.file_path_prefix

Filesystem path prefix to map to (e.g. “/var/www/”).

Type: string
Required: Yes
Min length: 1

path_mappings.request_path_prefix

URL path prefix to match (e.g. “/static/”).

Type: string
Required: Yes
Min length: 1

IP Restriction Configuration

Configuration for the IP Restriction extension. Controls access based on IP allowlists or denylists. Exactly one of allow_addresses or deny_addresses must be provided. Requires one of: allow_addresses, deny_addresses

allow_addresses

IP addresses or CIDR ranges to allow. When set, only requests from these addresses are permitted.

Type: []string
Required: No
Unique items: Yes

deny_addresses

IP addresses or CIDR ranges to deny. When set, requests from these addresses are blocked with 403 Forbidden.

Type: []string
Required: No
Unique items: Yes

JWE Decrypt Configuration

Configuration for the JWE Decrypt extension. Decrypts JWE tokens and recovers the inner JWT for Envoy to process.

algorithm

JWE key management algorithm (e.g. “RSA-OAEP”, “A256KW”, “dir”).

Type: string
Required: Yes

input_header

Request header containing the JWE token. Defaults to “Authorization”.

Type: string
Required: No

output_header

Request header where the decrypted JWT payload is placed.

Type: string
Required: No

output_metadata

Envoy dynamic metadata location for the decrypted JWT payload. Namespace defaults to “jwe-decrypt”.

Type: MetadataKey
Required: No

prefix

Prefix to strip from the header value before decryption (e.g. “Bearer ”).

Type: string
Required: No

private_key

PKCS#8 private key used for JWE decryption.

Type: DataSource
Required: Yes

Custom type: DataSource

A data source provided either inline or as a file path. Exactly one must be set. Requires one of: inline, file

file

Path to a file containing the data.

Type: string
Required: No

inline

Data provided directly as a string.

Type: string
Required: No

Custom type: MetadataKey

Identifies a location in Envoy dynamic metadata.

key

Key within the namespace.

Type: string
Required: Yes

namespace

Dynamic metadata namespace for the entry.

Type: string
Required: No

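To make the decrypt-and-recover flow concrete, here is an added Go example (written for this page, not the extension's code) covering only the “dir” key-management algorithm with A256GCM content encryption: it strips the configured prefix, checks that the token's own alg header equals the configured algorithm before touching the ciphertext, authenticates the protected header as AAD, and returns the inner JWT for output_header. The encrypt function exists only to construct a sample token; the key and inner JWT are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // compact JWE segments are unpadded base64url (RFC 7516)

type jweHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("A256GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDirA256GCM exists only so the example can construct a sample token;
// the filter itself only decrypts.
func EncryptDirA256GCM(plaintext, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	protected := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// The encoded protected header is the AAD, so alg and enc are authenticated too.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	split := len(sealed) - gcm.Overhead()
	// "dir" uses the shared key directly, so the encrypted-key segment is empty.
	return strings.Join([]string{protected, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:split]), b64.EncodeToString(sealed[split:])}, "."), nil
}

// DecryptJWE verifies and decrypts a compact JWE. expectedAlg plays the role of the
// filter's "algorithm" setting: the token's own alg header must equal it, so a token
// cannot select a key-management algorithm the operator never configured.
func DecryptJWE(token string, key []byte, expectedAlg string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, errors.New("jwe: compact serialization needs 5 segments")
	}
	var hdr jweHeader
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, errors.New("jwe: malformed protected header")
	}
	if hdr.Alg != expectedAlg {
		return nil, fmt.Errorf("jwe: alg %q does not match configured %q", hdr.Alg, expectedAlg)
	}
	if hdr.Alg != "dir" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("jwe: %s/%s is not supported by this example", hdr.Alg, hdr.Enc)
	}
	if parts[1] != "" {
		return nil, errors.New("jwe: dir requires an empty encrypted-key segment")
	}
	segs := make([][]byte, 3) // iv, ciphertext, tag
	for i, p := range parts[2:] {
		if segs[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("jwe: segment %d: %w", i+2, err)
		}
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(segs[0]) != gcm.NonceSize() {
		return nil, errors.New("jwe: bad IV length") // Open would panic on a wrong nonce size
	}
	// Go's GCM wants ciphertext||tag; the AAD is the header segment exactly as received.
	return gcm.Open(nil, segs[0], append(segs[1], segs[2]...), []byte(parts[0]))
}

// RecoverInnerJWT mirrors the filter's header handling: strip the configured prefix,
// decrypt, and return the inner JWT that would be written to output_header.
func RecoverInnerJWT(headerValue, prefix string, key []byte, alg string) (string, error) {
	if !strings.HasPrefix(headerValue, prefix) {
		return "", errors.New("jwe: header value lacks the configured prefix")
	}
	inner, err := DecryptJWE(strings.TrimPrefix(headerValue, prefix), key, alg)
	if err != nil {
		return "", err
	}
	return string(inner), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef")               // constructed demo key
	inner := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl" // constructed inner JWT
	tok, _ := EncryptDirA256GCM([]byte(inner), key)
	fmt.Println(RecoverInnerJWT("Bearer "+tok, "Bearer ", key, "dir"))
}
```

The alg check is the part to carry over to any real deployment: a decrypter that honours whatever alg the token names, rather than the one in its configuration, lets the sender choose the unwrapping path. The recovered JWT is still only decrypted here; its signature must be verified by whatever consumes output_header.
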
LLM Proxy Configuration

Configuration for the LLM Proxy extension. Routes LLM API requests by model name and monitors token usage via Envoy metadata.

clear_route_cache

Clear Envoy route cache after setting metadata, enabling route re-selection. Defaults to false.

Type: boolean
Required: No

llm_configs

Path-matcher rules mapping request paths to LLM API kinds. If empty, default rules for OpenAI and Anthropic are auto-configured.

Type: []object
Required: No

llm_configs.kind

LLM API kind for matched requests.

Type: string
Required: Yes

llm_configs.matcher

Path matcher for this rule.

Type: StringMatcher
Required: Yes

llm_model_header

Request header to set with the extracted model name.

Type: string
Required: No

metadata_namespace

Filter metadata namespace for LLM proxy data. Defaults to “io.builtonenvoy.llm-proxy”.

Type: string
Required: No

Custom type: StringMatcher

Matches a string by prefix, suffix, or regex. Exactly one must be set. Requires one of: prefix, suffix, regex

prefix

Match strings starting with this value.

Type: string
Required: No

regex

Match strings satisfying this regular expression.

Type: string
Required: No

suffix

Match strings ending with this value.

Type: string
Required: No

OPA Authorization Configuration

Configuration for the OPA authorization extension. Evaluates Open Policy Agent policies inline to authorize HTTP requests.

decision_path

OPA rule path to query for the authorization decision. Defaults to “envoy.authz.allow”.

Type: string
Required: No

dry_run

If true, log authorization decisions without enforcing them. Defaults to false.

Type: boolean
Required: No

fail_open

If true, allow requests when policy evaluation fails. Defaults to false.

Type: boolean
Required: No

metadata_namespaces

List of dynamic metadata namespaces to include in the OPA input document under the “dynamic_metadata” key.

Type: []string
Required: No

policies

OPA policies to load and evaluate. At least one policy is required.

Type: []DataSource
Required: Yes
Min items: 1

with_body

If true, buffer the request body and include it as parsed JSON in the OPA input. Defaults to false.

Type: boolean
Required: No

Custom type: DataSource

A data source provided either inline or as a file path. Exactly one must be set. Requires one of: inline, file

file

Path to a file containing the data.

Type: string
Required: No

inline

Data provided directly as a string.

Type: string
Required: No

OpenAPI Validator Configuration

Configuration for the OpenAPI Validator extension. Validates HTTP requests against an OpenAPI specification.

allow_unmatched_paths

If true, allow requests to paths not defined in the spec. Defaults to false.

Type: boolean
Required: No

deny_response

Custom response returned when validation fails.

Type: LocalResponse
Required: No

dry_run

If true, log validation failures without rejecting requests. Defaults to false.

Type: boolean
Required: No

max_body_bytes

Maximum request body size in bytes for validation. 0 means no limit. Defaults to 0.

Type: integer
Required: No

spec

OpenAPI specification in YAML or JSON format.

Type: DataSource
Required: Yes

Custom type: DataSource

A data source provided either inline or as a file path. Exactly one must be set. Requires one of: inline, file

file

Path to a file containing the data.

Type: string
Required: No

inline

Data provided directly as a string.

Type: string
Required: No

Custom type: LocalResponse

Custom local HTTP response to send to the client.

body

Response body.

Type: string
Required: No

headers

Additional response headers.

Type: object
Required: No

status

HTTP status code.

Type: integer
Required: No

OpenFGA Authorization Configuration

Configuration for the OpenFGA authorization extension. Checks authorization via the OpenFGA Check API through Envoy’s async HTTP callout mechanism.

authorization_model_id

OpenFGA authorization model ID. Uses the store’s latest model if omitted.

Type: string
Required: No

callout_headers

Additional headers to include in callouts to OpenFGA (e.g. Authorization).

Type: object
Required: No

cluster

Envoy cluster name routing to the OpenFGA server.

Type: string
Required: Yes

consistency

OpenFGA Check consistency preference.

Type: string
Required: No
Allowed values: UNSPECIFIED, MINIMIZE_LATENCY, HIGHER_CONSISTENCY

context

ABAC condition context values. Maps field names to ValueSource objects. Fields that resolve to an empty value are omitted.

Type: object
Required: No

contextual_tuples

Contextual tuples included in the Check request for request-scoped relationships. Tuples with unresolvable fields are silently skipped.

Type: []ContextualTuple
Required: No

deny_body

Response body for denied requests. Defaults to “Forbidden”.

Type: string
Required: No

deny_status

HTTP status code for denied requests. Defaults to 403.

Type: integer
Required: No

dry_run

Log authorization decisions without enforcing them. Defaults to false.

Type: boolean
Required: No

fail_open

Allow requests when the filter cannot enforce a decision. Defaults to false.

Type: boolean
Required: No

metadata

When set, writes the authorization decision to dynamic metadata for downstream filters.

Type: MetadataKey
Required: No

object

How to extract the object for the Check call. Required when not using rules.

Type: ValueSource
Required: No

openfga_host

Hostname for the Host header in callouts to OpenFGA.

Type: string
Required: Yes

relation

How to extract the relation for the Check call. Required when not using rules.

Type: ValueSource
Required: No

rules

Multi-rule config evaluated in order; first match wins. A rule with no match is a catch-all and must be last.

Type: []CheckRule
Required: No

store_id

OpenFGA store ID.

Type: string
Required: Yes

timeout_ms

HTTP callout timeout in milliseconds. Defaults to 5000.

Type: integer
Required: No

user

How to extract the user for the Check call. Required when using rules.

Type: ValueSource
Required: No

Custom type: CheckRule

A rule defining how to build the Check tuple for a matched request.

match

Conditions for this rule to match. Omit for a catch-all rule.

Type: RuleMatch
Required: No

object

How to extract the object for this rule.

Type: ValueSource
Required: Yes

relation

How to extract the relation for this rule.

Type: ValueSource
Required: Yes

user

Per-rule user override. Falls back to top-level user if omitted.

Type: ValueSource
Required: No

Custom type: ContextualTuple

A contextual tuple with user, relation, and object value sources.

object

Type: ValueSource
Required: Yes

relation

Type: ValueSource
Required: Yes

user

Type: ValueSource
Required: Yes

Custom type: MetadataKey

Dynamic metadata configuration for writing authorization decisions.

key

Key under which the decision is stored within the namespace.

Type: string
Required: Yes

namespace

Dynamic metadata namespace for the entry.

Type: string
Required: Yes

Custom type: RuleMatch

Conditions for a rule to match. All specified headers must match.

headers

Header name to match value. Use “*” to require the header to be present with any non-empty value.

Type: object
Required: No

Custom type: ValueSource

Extracts a value from the request. Exactly one of value, header, path_segment, or query_param must be set.

header

Read value from this request header.

Type: string
Required: No

path_segment

Extract the URL path segment at this 0-based index. Negative values count from the end.

Type: integer
Required: No

prefix

Prepend this string to the extracted value.

Type: string
Required: No

query_param

Extract the first value of this named query parameter.

Type: string
Required: No

value

Static value used as-is.

Type: string
Required: No

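The ValueSource, RuleMatch and CheckRule types above describe how the Check tuple is assembled from a request. The Go code below is an added example written for this page, not the extension's code; it implements those semantics as I read them: exactly one source plus an optional prefix, negative path-segment indices counting from the end, first-value-only query parameters, “*” header matches, first-match-wins with the catch-all required last, and contextual tuples dropped silently when a field does not resolve. Request, TupleKey and Seg are helper names of my own, and the sample request in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValueSource mirrors the schema: exactly one of Value, Header, PathSegment or
// QueryParam supplies the value; Prefix is prepended to whatever was extracted.
type ValueSource struct {
	Value, Header, QueryParam, Prefix string
	PathSegment                       *int
}

// RuleMatch: every listed header must match; "*" means present and non-empty.
type RuleMatch struct{ Headers map[string]string }

type CheckRule struct {
	Match            *RuleMatch   // nil = catch-all
	User             *ValueSource // per-rule override of the top-level user
	Relation, Object ValueSource
}

type ContextualTuple struct{ User, Relation, Object ValueSource }

// Request is the slice of an HTTP request the extraction needs (header names lowercased).
type Request struct {
	Headers map[string]string
	Path    string
	Query   url.Values
}

type TupleKey struct{ User, Relation, Object string }

func Seg(i int) *int { return &i }

// Resolve returns the extracted value; ok is false when it is empty.
func (vs ValueSource) Resolve(r Request) (value string, ok bool) {
	switch {
	case vs.Value != "":
		value = vs.Value
	case vs.Header != "":
		value = r.Headers[strings.ToLower(vs.Header)]
	case vs.PathSegment != nil:
		segs := strings.Split(strings.Trim(r.Path, "/"), "/")
		i := *vs.PathSegment
		if i < 0 {
			i += len(segs) // negative index counts from the end
		}
		if i >= 0 && i < len(segs) {
			value = segs[i]
		}
	case vs.QueryParam != "":
		value = r.Query.Get(vs.QueryParam) // first value only
	}
	if value == "" {
		return "", false
	}
	return vs.Prefix + value, true
}

func (m *RuleMatch) Matches(r Request) bool {
	if m == nil {
		return true
	}
	for name, want := range m.Headers {
		got := r.Headers[strings.ToLower(name)]
		if got == "" || (want != "*" && got != want) {
			return false
		}
	}
	return true
}

// ValidateRules enforces "a rule with no match is a catch-all and must be last".
func ValidateRules(rules []CheckRule) error {
	for i, rule := range rules {
		if rule.Match == nil && i != len(rules)-1 {
			return fmt.Errorf("rule %d is a catch-all but is not last", i)
		}
	}
	return nil
}

func resolveTuple(u, rel, obj ValueSource, r Request) (TupleKey, bool) {
	uv, okU := u.Resolve(r)
	rv, okR := rel.Resolve(r)
	ov, okO := obj.Resolve(r)
	return TupleKey{User: uv, Relation: rv, Object: ov}, okU && okR && okO
}

// BuildTuple applies first-match-wins and resolves the Check tuple. An unresolvable
// field is an error here: only contextual tuples are skipped silently.
func BuildTuple(rules []CheckRule, topUser ValueSource, r Request) (TupleKey, error) {
	for _, rule := range rules {
		if !rule.Match.Matches(r) {
			continue
		}
		userSrc := topUser
		if rule.User != nil {
			userSrc = *rule.User
		}
		if tk, ok := resolveTuple(userSrc, rule.Relation, rule.Object, r); ok {
			return tk, nil
		}
		return TupleKey{}, errors.New("check tuple has an unresolvable field")
	}
	return TupleKey{}, errors.New("no rule matched the request")
}

// ResolveContextualTuples drops any tuple with an unresolvable field, as the schema states.
func ResolveContextualTuples(defs []ContextualTuple, r Request) []TupleKey {
	var out []TupleKey
	for _, d := range defs {
		if tk, ok := resolveTuple(d.User, d.Relation, d.Object, r); ok {
			out = append(out, tk)
		}
	}
	return out
}

func main() {
	rules := []CheckRule{{Relation: ValueSource{Value: "viewer"}, Object: ValueSource{PathSegment: Seg(-1), Prefix: "doc:"}}}
	req := Request{Headers: map[string]string{"x-user": "alice"}, Path: "/orgs/acme/docs/readme"} // constructed
	fmt.Println(BuildTuple(rules, ValueSource{Header: "x-user", Prefix: "user:"}, req))
}
```

Two behaviours are worth checking against your own expectations before relying on them: a user taken from a request header is only as trustworthy as whatever sets that header upstream of this filter, and a contextual tuple that fails to resolve disappears from the Check rather than failing it, so a typo in a header name silently weakens the relationship set the server sees.
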
SAML Configuration

Configuration for the SAML 2.0 Service Provider authentication extension. Requires one of: idp_metadata_xml, idp_metadata_url

acs_path

Assertion Consumer Service endpoint path (e.g. “/saml/acs”).

Type: string
Required: Yes

allowed_clock_skew

Allowed clock skew for time validation as a Go duration string. Defaults to “5s”.

Type: string
Required: No

attribute_headers

Map of SAML attribute names to request header names for forwarding assertions.

Type: object
Required: No

bypass_paths

URL paths that bypass SAML authentication.

Type: []string
Required: No

default_redirect_path

Post-login redirect path when RelayState is empty. Defaults to “/”.

Type: string
Required: No

entity_id

Service Provider entity ID (audience URI).

Type: string
Required: Yes

idp_metadata_cluster

Envoy cluster used to reach idp_metadata_url. Required when idp_metadata_url is set.

Type: string
Required: No

idp_metadata_fetch_delay

Delay before the IdP metadata HttpCallout is issued, as a Go duration string (e.g. “1s”, “30s”). Defaults to “1s”. Gives Envoy time to start the cluster referenced by idp_metadata_cluster before the callout fires. Only valid in URL mode.

Type: string
Required: No

idp_metadata_fetch_max_attempts

Total number of IdP metadata fetch attempts (initial + retries) before giving up. Retries are separated by idp_metadata_fetch_delay. Defaults to 3. Only valid in URL mode.

Type: integer
Required: No

idp_metadata_url

URL to fetch the Identity Provider SAML metadata XML at config-load time. Requires idp_metadata_cluster. Mutually exclusive with idp_metadata_xml.

Type: string
Required: No

idp_metadata_xml

Identity Provider SAML metadata XML, supplied inline or read from a file at config-load time. Mutually exclusive with idp_metadata_url.

Type: DataSource
Required: No

metadata_path

SP metadata endpoint path. Defaults to “/saml/metadata”.

Type: string
Required: No

name_id_format

NameID format to request from the IdP. Defaults to “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.

Type: string
Required: No

session

Session and cookie configuration.

Type: object
Required: No

session.cookie_domain

Cookie domain attribute. If empty, the cookie is scoped to the request host.

Type: string
Required: No

session.cookie_name

Session cookie name. Defaults to “_saml_session”.

Type: string
Required: No

session.cookie_secure

Set the Secure flag on the session cookie. Defaults to true.

Type: boolean
Required: No

session.cookie_signing_key

64 hex characters (32 bytes) used as HMAC key for cookie signing. Auto-generated if not set.

Type: string
Required: No
Pattern: ^[0-9a-fA-F]{64}$

session.duration

Session duration as a Go duration string (e.g. “8h”, “30m”). Defaults to “8h”.

Type: string
Required: No

sign_authn_requests

Sign AuthnRequests sent to the IdP. Defaults to true.

Type: boolean
Required: No

slo_path

Single Logout endpoint path. Defaults to “/saml/slo”.

Type: string
Required: No

sp_cert_pem

SP certificate in PEM format. If omitted, a self-signed certificate is auto-generated. Must be provided together with sp_key_pem.

Type: DataSource
Required: No

sp_key_pem

SP private key in PEM format. Must be provided together with sp_cert_pem.

Type: DataSource
Required: No

subject_header

Request header for the authenticated user’s NameID. Defaults to “x-saml-subject”.

Type: string
Required: No

Custom type: DataSource

A data source provided either inline or as a file path. Exactly one must be set. Requires one of: inline, file

file

Path to a file containing the data.

Type: string
Required: No

inline

Data provided directly as a string.

Type: string
Required: No

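session.cookie_signing_key is an HMAC key, and the added Go example below (mine, not the extension's code) shows what that implies in practice: the key is validated against the schema's 64-hex-character pattern and decoded to 32 bytes, the cookie carries the NameID plus an expiry derived from session.duration, and verification compares the MAC in constant time before anything in the payload is trusted. The payload.signature cookie layout and the claim names are assumptions made for illustration; the key value in main is constructed. The example also shows why the key should be set explicitly rather than auto-generated: a cookie signed under one key does not verify under another, so instances that each generated their own key would reject one another's sessions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// keyPattern is the schema's constraint on session.cookie_signing_key.
var keyPattern = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)

// ParseSigningKey validates the hex form and returns the 32-byte HMAC key.
func ParseSigningKey(hexKey string) ([]byte, error) {
	if !keyPattern.MatchString(hexKey) {
		return nil, errors.New("cookie_signing_key must be exactly 64 hex characters")
	}
	return hex.DecodeString(hexKey)
}

// sessionClaims is the assumed cookie payload: the NameID and an absolute expiry.
type sessionClaims struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

func mac(key, payload []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(payload)
	return h.Sum(nil)
}

// IssueSession builds "payload.signature", with the expiry taken from session.duration.
func IssueSession(key []byte, subject string, now time.Time, duration time.Duration) (string, error) {
	raw, err := json.Marshal(sessionClaims{Subject: subject, Expires: now.Add(duration).Unix()})
	if err != nil {
		return "", err
	}
	payload := enc.EncodeToString(raw)
	return payload + "." + enc.EncodeToString(mac(key, []byte(payload))), nil
}

// VerifySession returns the subject only after the MAC is checked in constant time
// and the expiry has not passed; nothing in the payload is trusted before that.
func VerifySession(key []byte, cookie string, now time.Time) (string, error) {
	payload, sig, found := strings.Cut(cookie, ".")
	if !found {
		return "", errors.New("malformed session cookie")
	}
	got, err := enc.DecodeString(sig)
	if err != nil || !hmac.Equal(got, mac(key, []byte(payload))) {
		return "", errors.New("session cookie signature mismatch")
	}
	raw, err := enc.DecodeString(payload)
	if err != nil {
		return "", err
	}
	var c sessionClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return "", errors.New("session expired")
	}
	return c.Subject, nil
}

func main() {
	key, _ := ParseSigningKey(strings.Repeat("ab", 32)) // constructed; use 32 random bytes in practice
	cookie, _ := IssueSession(key, "alice@example.com", time.Now(), 8*time.Hour)
	fmt.Println(VerifySession(key, cookie, time.Now()))
}
```

Generate a real key with 32 bytes from a CSPRNG and hex-encode them; the pattern check only catches malformed values, not weak ones.
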
Token Exchange Configuration

Configuration for the OAuth2 Token Exchange (RFC 8693) extension.

actor_token

Actor token for delegation scenarios. Requires actor_token_type.

Type: string
Required: No

actor_token_type

Token type URI for the actor token. Required when actor_token is set.

Type: string
Required: No

audience

Logical name of the target service.

Type: string
Required: No

client_id

Client ID for HTTP Basic authentication with the STS endpoint.

Type: string
Required: Yes

client_secret

Client secret for HTTP Basic authentication with the STS endpoint.

Type: string
Required: Yes

cluster

Envoy cluster name configured to reach the token exchange (STS) endpoint.

Type: string
Required: Yes

requested_token_type

Desired output token type URI.

Type: string
Required: No

resource

Target resource URI. Must be an absolute URI without a fragment component.

Type: string
Required: No

scope

Space-delimited list of requested scopes.

Type: string
Required: No

subject_token_type

Token type URI for the input subject token. Defaults to “urn:ietf:params:oauth:token-type:access_token”.

Type: string
Required: No

timeout_ms

HTTP callout timeout in milliseconds. Defaults to 5000.

Type: integer
Required: No

token_exchange_url

Token exchange endpoint URL. Must contain a host and path (e.g. “https://idp.example.com/token”).

Type: string
Required: Yes
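
The fields above map one-to-one onto the parameters of an RFC 8693 token-exchange request. The Go example below is added for this page and is not the extension's code: it validates the constraints the schema states (host and path in token_exchange_url, absolute resource URI without a fragment, actor_token_type required with actor_token), builds the form-encoded POST with HTTP Basic client authentication, and refuses a 200 reply that lacks the fields RFC 8693 §2.2.1 requires. Config, Response and the endpoint and token values are mine.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const (
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
)

// Config mirrors the Token Exchange fields on this page (cluster and timeout_ms
// are Envoy transport concerns and are left out of the wire format).
type Config struct {
	TokenExchangeURL, ClientID, ClientSecret string
	Audience, Resource, Scope                string
	SubjectTokenType, RequestedTokenType     string
	ActorToken, ActorTokenType               string
}

// Validate applies the schema's constraints before any callout is made.
func (c Config) Validate() error {
	u, err := url.Parse(c.TokenExchangeURL)
	if err != nil || u.Host == "" || u.Path == "" {
		return errors.New("token_exchange_url must contain a host and a path")
	}
	if c.ClientID == "" || c.ClientSecret == "" {
		return errors.New("client_id and client_secret are required")
	}
	if c.Resource != "" {
		r, err := url.Parse(c.Resource)
		if err != nil || !r.IsAbs() || r.Fragment != "" {
			return errors.New("resource must be an absolute URI without a fragment")
		}
	}
	if c.ActorToken != "" && c.ActorTokenType == "" {
		return errors.New("actor_token_type is required when actor_token is set")
	}
	return nil
}

// BuildRequest assembles the RFC 8693 POST for the given subject token.
func (c Config) BuildRequest(subjectToken string) (*http.Request, error) {
	if err := c.Validate(); err != nil {
		return nil, err
	}
	form := url.Values{}
	form.Set("grant_type", GrantTypeTokenExchange)
	form.Set("subject_token", subjectToken)
	stt := c.SubjectTokenType
	if stt == "" {
		stt = TokenTypeAccessToken // the page's default
	}
	form.Set("subject_token_type", stt)
	for k, v := range map[string]string{
		"audience": c.Audience, "resource": c.Resource, "scope": c.Scope,
		"requested_token_type": c.RequestedTokenType,
		"actor_token": c.ActorToken, "actor_token_type": c.ActorTokenType,
	} {
		if v != "" {
			form.Set(k, v)
		}
	}
	req, err := http.NewRequest(http.MethodPost, c.TokenExchangeURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret) // client authentication at the STS
	return req, nil
}

// Response holds the fields RFC 8693 §2.2.1 marks as required in a success reply.
type Response struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

// ParseResponse treats a non-200 status or a 200 missing the required fields as
// a failure, so a malformed STS reply is never forwarded as an empty token.
func ParseResponse(status int, body []byte) (Response, error) {
	if status != http.StatusOK {
		return Response{}, fmt.Errorf("token exchange failed with HTTP %d", status)
	}
	var r Response
	if err := json.Unmarshal(body, &r); err != nil {
		return Response{}, err
	}
	if r.AccessToken == "" || r.IssuedTokenType == "" || r.TokenType == "" {
		return Response{}, errors.New("token exchange response is missing required fields")
	}
	return r, nil
}

func main() {
	cfg := Config{TokenExchangeURL: "https://idp.example.com/token", ClientID: "gateway",
		ClientSecret: "s3cret", Audience: "orders-api"} // constructed values
	req, err := cfg.BuildRequest("subject.jwt")
	fmt.Println(req.Method, req.URL, err)
}
```

client_secret travels in the Authorization header of every exchange, so the configured secret has the same sensitivity as the issued tokens; keep it out of logs and access-log headers.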