kongctl Declarative Resource Reference
July 16, 2026 ยท View on GitHub
This document is a reference for kongctl declarative
configuration. It lists supported resource types and common field-level values.
Resource configurations are provided as YAML files and can be expressed as one
or more files passed to kongctl declarative commands.
The definitive schema for the version of kongctl you are using is generated
by the CLI itself:
kongctl explain api
kongctl explain portal.identity_providers --output yaml
kongctl scaffold api
Use kongctl explain to confirm accepted field names, required fields,
preferred YAML tags, root keys, and nested or root declaration support. Use
kongctl scaffold to generate starter YAML for a resource path. If this page
differs from the installed CLI, follow the CLI output.
See the declarative configuration guide for information on the feature, commands, and options.
File-level defaults (_defaults)
Use _defaults.kongctl to apply default namespace and protected metadata
to parent resources in this file. Resource-level kongctl values override
these defaults.
_defaults:
kongctl:
namespace: platform-team
protected: false
YAML Tags
Use YAML tags in field values to load files or reference other resources.
!file: Load content from a file. Supportspath#extract.pathandpath/extractmap form.!env: Load string content from an environment variable. SupportsVAR#extract.pathandvar/extractmap form.!ref: Reference another declarative resource byref.resource-ref#fieldis supported; the default field isid.!refis intended for string fields.string (uuid)andarray[string(uuid)]annotations in this document describe API value types. In declarative config, prefer!refand avoid literal UUID values.- For unmanaged/external resources, prefer
_external.selectorand then reference that resource by!reffrom other fields. - Large text/spec fields are commonly loaded with
!file. !filepaths are resolved relative to the config file and must remain within the configured base directory boundary.
portals:
- ref: docs-portal
_external:
selector:
matchFields:
name: "Docs Portal"
apis:
- ref: billing-api
publications:
- ref: billing-publication
portal_id: !ref docs-portal
Audit Logs
Audit-log webhook destinations are organization-scoped Konnect resources. Declarative config supports them as external references so managed portal audit-log webhooks can point at destinations created elsewhere.
audit-logs:
destinations:
- ref: string
_external:
id: string # destination UUID, or use selector
selector:
matchFields:
name: string
Only _external.id and _external.selector.matchFields.name are supported.
Audit-log webhook destinations cannot declare kongctl metadata and are not
created, updated, or deleted by declarative apply.
APIs
apis:
- ref: string
name: string required (1-255 chars)
description: string (nullable)
version: string (1-255 chars, nullable)
slug: string (pattern: ^[\w-]+$, nullable)
labels: object [string]string
key: value
attributes: object [string]array[string]
key:
- value
versions: # https://developer.konghq.com/api/konnect/api-builder/v3/#/operations/create-api-version
- ref: string
version: string
spec: !file ./specs/api.yaml # required (OpenAPI or AsyncAPI content; json or yaml)
publications: # https://developer.konghq.com/api/konnect/api-builder/v3/#/operations/publish-api-to-portal
- ref: string
portal_id: string required (uuid) # prefer: !ref <portal-ref>
auto_approve_registrations: boolean
auth_strategy_ids: array[string(uuid)] (nullable, max 1 item) # prefer: !ref values
visibility: One of (public | private)
implementations: # https://developer.konghq.com/api/konnect/api-builder/v3/#/operations/create-api-implementation
- ref: string
type: service
service:
id: string required (uuid) # prefer: !ref <gateway-service-ref>
control_plane_id: string required (uuid) # prefer: !ref <control-plane-ref>
documents: # https://developer.konghq.com/api/konnect/api-builder/v3/#/operations/create-api-document
- ref: string
content: string required (markdown) # prefer: !file ./docs/page.md
title: string
slug: string (pattern: ^[\w-]+$)
status: One of (published | unpublished)
parent_document_id: string (uuid, nullable) # prefer: !ref <document-ref>
children:
- ref: string
content: string required (markdown) # prefer: !file ./docs/page.md
title: string
slug: string (pattern: ^[\w-]+$)
status: One of (published | unpublished)
API specifications must be declared on API versions with versions[].spec or
root-level api_versions[].spec; apis[].spec_content is not supported in
declarative configuration.
Application Auth Strategies
application_auth_strategies:
- ref: string
name: string required
display_name: string required
strategy_type: One of (key_auth | openid_connect) required
configs: object required
key-auth: # if strategy_type: key_auth
key_names: array[string] required (1-10 items)
ttl: object
value: integer required (minimum: 1)
unit: One of (days | weeks | years) required
openid-connect: # if strategy_type: openid_connect
issuer: string (url, max 256 chars) required
credential_claim: array[string] required (max 10 items)
scopes: array[string] required (max 50 items)
auth_methods: array[string] required (max 10 items)
dcr_provider_id: string (uuid, nullable; openid_connect only) # prefer: !ref <dcr-provider-ref>
labels: object [string]string
key: value
DCR Providers
dcr_providers:
- ref: string
name: string required
display_name: string
provider_type: One of (auth0 | azureAd | curity | okta | http) required
issuer: string (url, max 256 chars) required
dcr_config: object required
labels: object [string]string
key: value
Catalog Services
catalog_services:
- ref: string
name: string required (1-120 chars, pattern: ^[0-9a-z.-]+$)
display_name: string required (1-120 chars)
description: string (max 2048 chars)
labels: object [string]string
key: value
custom_fields: object
key: value
Dashboards
Dashboard names do not need to be unique in Konnect, but kongctl follows the
same resource matching pattern used elsewhere in declarative configuration.
When planning against live state, it considers dashboards with the matching
KONGCTL-namespace label and matches the desired dashboard by name. Avoid
duplicate dashboard names within a kongctl namespace.
Dashboard resources are declared under the analytics grouping key.
For dashboards created in the Konnect UI, first run
kongctl adopt analytics dashboard with the dashboard ID to apply the
namespace label, then run kongctl dump declarative with
--resources=analytics.dashboards and --default-namespace <name> to generate
declarative configuration. Name-based adoption fails if the name matches
multiple dashboards.
Use the dashboard definition JSON exported from Konnect as the definition
value. The field accepts that API-shaped object either inline or loaded from a
JSON/YAML file with !file; kongctl sends the parsed object as the dashboard
definition without translating it to another schema. !file is preferred for
larger dashboard definitions.
analytics:
dashboards:
- ref: string
name: string required
definition: object required # prefer: !file ./definitions/dashboard.json
tiles: array[object] required
preset_filters: array[object]
labels: object [string]string
key: value
When the exported JSON includes the full API response, use #definition to
extract the payload expected by the dashboard API:
analytics:
dashboards:
- ref: traffic-summary
name: Traffic Summary
definition: !file ./exports/traffic-summary.json#definition
Control Planes
control_planes:
- ref: string
name: string required
description: string
cluster_type: >-
One of (CLUSTER_TYPE_CONTROL_PLANE |
CLUSTER_TYPE_K8S_INGRESS_CONTROLLER |
CLUSTER_TYPE_CONTROL_PLANE_GROUP |
CLUSTER_TYPE_SERVERLESS |
CLUSTER_TYPE_SERVERLESS_V1)
auth_type: One of (pinned_client_certs | pki_client_certs)
cloud_gateway: boolean
proxy_urls: array[object]
- host: string required
port: integer required
protocol: string required
labels: object [string]string
key: value
_deck:
files: array[string]
flags: array[string]
_external:
selector:
matchFields:
name: string
requires:
deck: boolean
gateway_services:
- ref: string
# _external only, Kong Gateway resources are managed by deck
_external:
selector:
matchFields:
name: string
# API: create-dataplane-certificate
data_plane_certificates:
- ref: string
cert: string required # prefer: !file ./certs/data-plane.pem
Control plane data plane certificates can also be declared as root resources.
The certificate contents identify a certificate within its control plane when
a certificate ID is not available. The cert field supports !file and
!env.
control_plane_data_plane_certificates:
- ref: string
control_plane: string required # control plane ref
cert: string required # prefer: !file ./certs/data-plane.pem
AI Gateways
This section covers the root AI Gateway resource backed by the Konnect
/v1/ai-gateways API, AI Gateway Model Providers, AI Gateway Models, AI
Gateway Identity Providers, AI Gateway MCP Servers, AI Gateway Agents, AI
Gateway Consumers, AI Gateway Consumer Credentials, AI Gateway Consumer Groups,
AI Gateway Vaults, and AI Gateway Data Plane Certificates. Use
kongctl explain ai_gateway --output yaml,
kongctl explain ai_gateway_model_provider --output yaml,
kongctl explain ai_gateway_identity_provider --output yaml,
kongctl explain ai_gateway.agents --output yaml,
kongctl explain ai_gateway.consumers --output yaml,
kongctl explain ai_gateway.consumers.credentials --output yaml,
kongctl explain ai_gateway.consumer_groups --output yaml,
kongctl explain ai_gateway.models --output yaml,
kongctl explain ai_gateway.mcp_servers --output yaml,
kongctl explain ai_gateway.vaults --output yaml, and
kongctl explain ai_gateway.data_plane_certificates --output yaml as the
authoritative schemas.
The ref value is a local declarative identifier used by kongctl for
references and planning. Use name as the stable Konnect API name for the AI
Gateway. If name is omitted, kongctl defaults it from ref. Use
display_name for the human-readable name shown in Konnect. AI Gateway Model
Providers, Identity Providers, Policies, Agents, Consumers, Consumer
Credentials, Consumer Groups, Models, MCP Servers, and Vaults use their own
required name field as the stable Konnect child name. AI Gateway Data Plane
Certificates use their
required title field as the stable Konnect child name. Child entries inherit
management scope from their parent resource and do not accept kongctl
metadata.
For AI Gateway Models, targets[].provider must match an AI Gateway
Model Provider name under the parent gateway. The model provider can already
exist or be declared in the same gateway configuration.
For AI Gateway Agents, Consumers, Consumer Groups, Models, and MCP Servers,
policies entries reference AI Gateway Policies under the same parent gateway.
Existing Konnect policy names or IDs can be supplied as strings. Declarative
references should use !ref <policy-ref> so the relationship is explicit and
same-plan policy creates are ordered and resolved.
For AI Gateway Identity Providers, Policies, Agents, Consumers, Consumer
Groups, MCP Servers, Vaults, and Data Plane Certificates, root-level
declarations must include ai_gateway, while nested declarations inherit the
parent gateway. AI Gateway
Consumer Credentials are children of AI Gateway Consumers; root-level
declarations must include ai_gateway_consumer, while nested declarations
inherit the parent consumer. Omit identity_providers, policies, agents,
consumers, credentials, consumer_groups, mcp_servers, vaults, or
data_plane_certificates to leave existing child resources unmanaged during
sync. Use identity_providers: [], policies: [], agents: [],
consumers: [], credentials: [], consumer_groups: [], mcp_servers: [],
vaults: [], or
data_plane_certificates: [] under a specific parent to sync-delete that child
type. Root-level ai_gateway_identity_providers: [],
ai_gateway_policies: [], ai_gateway_agents: [],
ai_gateway_consumers: [], ai_gateway_consumer_credentials: [],
ai_gateway_consumer_groups: [], ai_gateway_mcp_servers: [],
ai_gateway_vaults: [], and ai_gateway_data_plane_certificates: [] are
rejected because they do not identify a parent resource.
ai_gateways:
- ref: string
name: string
display_name: string required
description: string
proxy_urls: array[object]
- host: string required
port: integer required
protocol: string required
labels: object [string]string
key: value
kongctl:
namespace: string
protected: boolean
model_providers:
- ref: string
name: string required
type: string required
display_name: string required
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
identity_providers:
- ref: string
name: string required
type: key-auth # or openid-connect
display_name: string required
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
policies:
- ref: string
name: string required
type: string required
display_name: string required
enabled: boolean
global: boolean
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
agents:
- ref: string
name: string required
type: a2a # or http
display_name: string required
enabled: boolean
config:
url: string required
route: object
max_request_body_size: integer
logging: object
policies:
- !ref policy-ref
acls: object
labels: object [string]string
key: value
managed_by: object [string]string
key: value
consumers:
- ref: string
name: string required
type: api-key # or oauth
display_name: string required
custom_id: string
policies:
- !ref policy-ref
labels: object [string]string
key: value
managed_by: object [string]string
key: value
credentials:
- ref: string
name: string required
type: api-key
display_name: string required
ttl: integer
labels: object [string]string
key: value
managed_by: object [string]string
key: value
consumer_groups:
- ref: string
name: string required
display_name: string required
policies:
- !ref policy-ref
labels: object [string]string
key: value
managed_by: object [string]string
key: value
models:
- ref: string
type: model # or api
name: string required
display_name: string required
enabled: boolean
config:
route: object required
model: object required
formats:
- type: string required
targets:
- name: string required
provider: string required # provider name in parent AI Gateway
config:
type: string required
policies:
- !ref policy-ref
capabilities: array[string]
labels: object [string]string
key: value
acls: object
managed_by: object
mcp_servers:
- ref: string
type: conversion-only # or conversion-listener, listener,
# passthrough-listener, upstream-server
name: string required
display_name: string required
enabled: boolean
config:
url: string required
tools:
- name: string required
description: string required
method: string required
path: string
policies:
- !ref policy-ref
labels: object [string]string
key: value
acls: object
managed_by: object
vaults:
- ref: string
type: env # or konnect, aws, gcp, azure, conjur, hcv
name: string required
description: string
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
data_plane_certificates:
- ref: string
title: string required
description: string
cert: string required # prefer !file or !env for PEM data
AI Gateway Model Providers can also be declared as root resources. Root-level
model provider declarations must identify the parent AI Gateway with
ai_gateway. Basic authentication uses config.auth.headers, an array of
name and value objects. Header value fields and other provider credentials
are write-only in Konnect. They are sent during create or update but omitted
from read responses and skipped during diff calculation.
ai_gateway_model_providers:
- ref: string
ai_gateway: string required # AI Gateway ref
name: string required
type: string required
display_name: string required
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Identity Providers can also be declared as root resources.
Root-level identity provider declarations must identify the parent AI Gateway
with ai_gateway. OpenID Connect config.client_secret values are write-only
in Konnect and are skipped during diff calculation because the API does not
return the stored secret.
ai_gateway_identity_providers:
- ref: string
ai_gateway: string required # AI Gateway ref
name: string required
type: key-auth # or openid-connect
display_name: string required
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Policies can also be declared as root resources. Root-level policy
declarations must identify the parent AI Gateway with ai_gateway.
ai_gateway_policies:
- ref: string
ai_gateway: string required # AI Gateway ref
name: string required
type: string required
display_name: string required
enabled: boolean
global: boolean
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Agents can also be declared as root resources. Include ai_gateway
to point at the parent gateway ref.
ai_gateway_agents:
- ref: string
ai_gateway: string required # AI Gateway ref
name: string required
type: a2a # or http
display_name: string required
enabled: boolean
config:
url: string required
route: object
max_request_body_size: integer
logging: object
policies:
- !ref policy-ref
acls: object
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Consumers can also be declared as root resources. Include
ai_gateway to point at the parent gateway ref.
ai_gateway_consumers:
- ref: string
ai_gateway: string required # AI Gateway ref
name: string required
type: api-key # or oauth
display_name: string required
custom_id: string
policies:
- !ref policy-ref
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Consumer Credentials can also be declared as root resources. Include
ai_gateway_consumer to point at the parent consumer ref. Credential
api_key values are write-only in Konnect and are not part of declarative
diffs; omit api_key so Konnect generates the key value.
ai_gateway_consumer_credentials:
- ref: string
ai_gateway_consumer: string required # AI Gateway Consumer ref
name: string required
type: api-key
display_name: string required
ttl: integer
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Consumer Groups can also be declared as root resources. Include
ai_gateway to point at the parent gateway ref.
ai_gateway_consumer_groups:
- ref: string
ai_gateway: string required # AI Gateway ref
name: string required
display_name: string required
policies:
- !ref policy-ref
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Models can also be declared as root resources. Include
ai_gateway to point at the parent gateway ref.
ai_gateway_models:
- ref: string
ai_gateway: string required # AI Gateway ref
type: model # or api
name: string required
display_name: string required
enabled: boolean
config:
route: object required
model: object required
formats:
- type: string required
targets:
- name: string required
provider: string required # provider name in parent AI Gateway
config:
type: string required
policies:
- !ref policy-ref
capabilities: array[string]
labels: object [string]string
key: value
acls: object
managed_by: object
AI Gateway MCP Servers can also be declared as root resources. Include
ai_gateway to point at the parent gateway ref.
ai_gateway_mcp_servers:
- ref: string
ai_gateway: string required # AI Gateway ref
type: conversion-only # or conversion-listener, listener,
# passthrough-listener, upstream-server
name: string required
display_name: string required
enabled: boolean
config:
url: string required
tools:
- name: string required
description: string required
method: string required
path: string
policies:
- !ref policy-ref
labels: object [string]string
key: value
acls: object
managed_by: object
AI Gateway Vaults can also be declared as root resources. Include ai_gateway
to point at the parent gateway ref.
ai_gateway_vaults:
- ref: string
ai_gateway: string required # AI Gateway ref
type: env # or konnect, aws, gcp, azure, conjur, hcv
name: string required
description: string
config: object required
labels: object [string]string
key: value
managed_by: object [string]string
key: value
AI Gateway Data Plane Certificates can also be declared as root resources.
Include ai_gateway to point at the parent gateway ref. There is no update
endpoint for this resource; changing cert or description for the same
title replaces the certificate with a delete followed by a create.
ai_gateway_data_plane_certificates:
- ref: string
ai_gateway: string required # AI Gateway ref
title: string required
description: string
cert: string required # prefer !file or !env for PEM data
Event Gateways
This section is an overview of the Event Gateway resources supported by
kongctl. Use kongctl explain event_gateway --output yaml as the
authoritative schema for nested Event Gateway resources and fields, and use
kongctl scaffold event_gateway to generate starter YAML.
event_gateways:
- ref: string
name: string required (1-255 chars)
description: string (max 512 chars)
min_runtime_version: string (pattern: ^\d+\.\d+$)
labels: object [string]string
key: value
backend_clusters: # https://developer.konghq.com/api/konnect/event-gateway/v1/#/operations/create-event-gateway-backend-cluster
- ref: string
name: string required (1-255 chars)
description: string (max 512 chars)
authentication: object required
type: One of (anonymous | sasl_plain | sasl_scram) required
username: string # required for sasl_plain/sasl_scram
password: string # required for sasl_plain/sasl_scram
algorithm: One of (sha256 | sha512) # required for sasl_scram
insecure_allow_anonymous_virtual_cluster_auth: boolean
bootstrap_servers: array[string] required (address:port)
tls: object required
enabled: boolean required
insecure_skip_verify: boolean
ca_bundle: string
tls_versions: array[One of (tls12 | tls13)]
metadata_update_interval_seconds: integer (1-43200)
labels: object [string]string
key: value
virtual_clusters: # https://developer.konghq.com/api/konnect/event-gateway/v1/#/operations/create-event-gateway-virtual-cluster
- ref: string
name: string required (1-255 chars)
description: string (max 512 chars)
destination: object required
id: string (uuid) # oneOf; declarative: prefer !ref <backend-cluster-ref>
name: string # oneOf
authentication: array[object] required (min 1 item)
- type: One of (anonymous | sasl_plain | sasl_scram | oauth_bearer) required
mediation: string # required for sasl_plain/oauth_bearer
principals: array[object] # for sasl_plain terminate mode
algorithm: One of (sha256 | sha512) # for sasl_scram
claims_mapping: object # for oauth_bearer
jwks: object # for oauth_bearer
validate: object # for oauth_bearer
namespace:
mode: One of (hide_prefix | enforce_prefix) required
prefix: string required
additional:
topics: array[object]
consumer_groups: array[object]
acl_mode: One of (enforce_on_gateway | passthrough) required
dns_label: string required (1-63 chars, RFC1035 label)
labels: object [string]string
key: value
listeners: # https://developer.konghq.com/api/konnect/event-gateway/v1/#/operations/create-event-gateway-listener
- ref: string
name: string required (1-255 chars)
description: string (max 512 chars)
addresses: array[string] required (min 1 item)
ports: array[integer|string] required (min 1 item)
labels: object [string]string
key: value
policies: # https://developer.konghq.com/api/konnect/event-gateway/v1/#/operations/create-event-gateway-listener-policy
- ref: string
type: One of (tls_server | forward_to_virtual_cluster) required
name: string
description: string
enabled: boolean
labels: object [string]string
key: value
config: object required
certificates: # if type=tls_server
- certificate: string required
key: string required
versions: # if type=tls_server
min: One of (TLSv1.2 | TLSv1.3)
max: One of (TLSv1.2 | TLSv1.3)
allow_plaintext: boolean # if type=tls_server
type: One of (sni | port_mapping) # if type=forward_to_virtual_cluster
sni_suffix: string # if config.type=sni
advertised_port: integer # if config.type=sni
broker_host_format:
type: One of (per_cluster_suffix | shared_suffix) # if config.type=sni
destination:
id: string (uuid) # if config.type=port_mapping; oneOf; declarative: prefer !ref <virtual-cluster-ref>
name: string # if config.type=port_mapping; oneOf
advertised_host: string # if config.type=port_mapping
bootstrap_port: One of (none | at_start) # if config.type=port_mapping
min_broker_id: integer # if config.type=port_mapping
Additional nested Event Gateway resources include schema_registries,
static_keys, tls_trust_bundles, data_plane_certificates,
cluster_policies, produce_policies, and consume_policies.
Produce policies support modify_headers, schema_validation, encrypt, and
encrypt_fields. Consume policies support modify_headers,
schema_validation, decrypt, skip_record, and decrypt_fields.
Field-level encryption policy types require Event Gateway runtime 1.2 or
newer.
encrypt_fields policies must be children of a produce schema_validation
policy. decrypt_fields policies must be children of a consume
schema_validation policy. Use the API field name parent_policy_id with a
declarative !ref so the planner can order the schema validation parent before
the field-level policy and inject the resolved ID during apply.
produce_policies:
- ref: produce-schema-validation
name: produce-schema-validation
type: schema_validation
config:
type: json
- ref: produce-encrypt-fields
name: produce-encrypt-fields
type: encrypt_fields
parent_policy_id: !ref produce-schema-validation#id
config:
failure_mode: reject
encrypt_fields:
- paths: record.value.content.customer.ssn
encryption_key:
type: static
key:
id: !ref default-static-key#id
consume_policies:
- ref: consume-schema-validation
name: consume-schema-validation
type: schema_validation
config:
type: json
- ref: consume-decrypt-fields
name: consume-decrypt-fields
type: decrypt_fields
parent_policy_id: !ref consume-schema-validation#id
config:
failure_mode: error
key_sources:
- type: static
decrypt_fields:
paths: record.value.content.customer.ssn
Organization
organization:
teams:
# https://developer.konghq.com/api/konnect/identity/v3/#/operations/create-team
- ref: string
name: string required
description: string (max 250 chars)
labels: object [string]string
key: value
roles:
- ref: string
role_name: string
# Prefer: !ref <api-ref> when entity_type_name=APIs.
entity_id: string (uuid)
entity_type_name: string
entity_region: One of (us | eu | au | me | in | sg | *)
Organization team roles can also be declared as root resources.
organization_team_roles:
- ref: string
# Declarative organization team ref, not team name or UUID.
team: string required
role_name: string
# Prefer: !ref <api-ref> when entity_type_name=APIs.
entity_id: string (uuid)
entity_type_name: string
entity_region: One of (us | eu | au | me | in | sg | *)
Portals
portals:
- ref: string
name: string required (1-255 chars)
display_name: string (1-255 chars)
description: string (max 512 chars, nullable)
authentication_enabled: boolean (default: true)
rbac_enabled: boolean (default: false)
default_api_visibility: One of (public | private)
default_page_visibility: One of (public | private)
default_application_auth_strategy_id: string (uuid, nullable) # prefer: !ref <app-auth-strategy-ref>
auto_approve_developers: boolean (default: false)
auto_approve_applications: boolean (default: false)
labels: object [string]string
key: value
customization: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/replace-portal-customization
ref: string
theme:
name: string
mode: One of (light | dark | system)
colors:
primary: string (hex color, e.g. #0055A4)
layout: string
css: string (nullable)
menu:
main: array[PortalMenuItem]
footer_sections: array[PortalFooterMenuSection]
footer_bottom: array[PortalMenuItem]
spec_renderer:
try_it_ui: boolean
try_it_insomnia: boolean
infinite_scroll: boolean
show_schemas: boolean
hide_internal: boolean
hide_deprecated: boolean
allow_custom_server_urls: boolean
robots: string (nullable)
auth_settings: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/update-portal-authentication-settings
ref: string
# OIDC and SAML provider-specific fields are no longer supported here.
# Move provider config to identity_providers or portal_identity_providers.
basic_auth_enabled: boolean
konnect_mapping_enabled: boolean
idp_mapping_enabled: boolean
ip_allow_list: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/create-portal-ip-allow-list
ref: string
allowed_ips: array[string] required # IP addresses or CIDR blocks
integrations: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/upsert-portal-integrations
ref: string
google_tag_manager:
enabled: boolean required
type: tracking
config_data:
id: string required (pattern: ^GTM-[A-Za-z0-9]+$)
l: string (nullable)
preview: string (nullable)
cookies_win: boolean (nullable)
debug: boolean (nullable)
npa: boolean (nullable)
data_layer: string (nullable)
env_name: string (nullable)
auth_referrer_policy: string (nullable)
google_analytics_4:
enabled: boolean required
type: analytics
config_data:
id: string required (pattern: ^G-[A-Za-z0-9-]+$)
l: string (nullable)
identity_providers: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/create-portal-identity-provider
- ref: string
# Use this child for portal OIDC and SAML provider configuration.
# At the root of a config, use portal_identity_providers.
type: One of (oidc | saml) required
enabled: boolean
config: object required
issuer_url: string # OIDC
client_id: string # OIDC
client_secret: string # OIDC
scopes: array[string] # OIDC
claim_mappings: # OIDC
name: string
email: string
groups: string
idp_metadata_url: string # SAML
idp_metadata_xml: string # SAML
custom_domain: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/create-portal-custom-domain
ref: string
hostname: string required
enabled: boolean required
ssl: object required
domain_verification_method: One of (http | custom_certificate) required
custom_certificate: string # when domain_verification_method=custom_certificate
custom_private_key: string # when domain_verification_method=custom_certificate
skip_ca_check: boolean
pages: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/create-portal-page
- ref: string
slug: string required (max 512 chars)
content: string required (markdown) # prefer: !file ./docs/page.md
title: string (max 512 chars)
visibility: One of (public | private)
status: One of (published | unpublished)
description: string (max 160 chars)
parent_page_id: string (uuid, nullable) # prefer: !ref <page-ref>
children:
- ref: string
slug: string required (max 512 chars)
content: string required (markdown) # prefer: !file ./docs/page.md
title: string (max 512 chars)
visibility: One of (public | private)
status: One of (published | unpublished)
description: string (max 160 chars)
parent_page_id: string (uuid, nullable) # prefer: !ref <page-ref>
snippets: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/create-portal-snippet
- ref: string
name: string required (max 512 chars)
content: string required (markdown) # prefer: !file ./docs/snippet.md
title: string (max 512 chars)
visibility: One of (public | private)
status: One of (published | unpublished)
description: string (max 160 chars)
teams: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/create-portal-team
- ref: string
name: string required
description: string (max 250 chars)
roles: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/assign-role-to-portal-teams
- ref: string
role_name: string
entity_id: string (uuid)
entity_type_name: string
entity_region: One of (us | eu | au | me | in | sg | *)
email_config: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/create-portal-email-config
ref: string
domain_name: string (nullable)
from_name: string (nullable)
from_email: string (email, nullable)
reply_to_email: string (email, nullable)
audit_log_webhook: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/update-portal-audit-log-webhook
ref: string
enabled: boolean
audit_log_destination_id: string (uuid) # prefer: !ref
email_templates: # https://developer.konghq.com/api/konnect/portal-management/v3/#/operations/update-portal-custom-email-template
<template_name>:
ref: string
name: string
enabled: boolean
content:
subject: string (max 1024 chars, nullable)
title: string (max 1024 chars, nullable)
body: string (max 4096 chars, nullable)
button_label: string (max 128 chars, nullable)
assets:
logo: string # data URL image (png/jpeg/gif/ico/svg)
favicon: string # data URL image (png/jpeg/gif/ico/svg)
Portal identity providers and integrations can also be declared as root resources.
portal_identity_providers:
- ref: string
portal: string required # prefer: !ref <portal-ref>
type: One of (oidc | saml) required
enabled: boolean
config: object required
issuer_url: string # OIDC
client_id: string # OIDC
client_secret: string # OIDC
scopes: array[string] # OIDC
claim_mappings: # OIDC
name: string
email: string
groups: string
idp_metadata_url: string # SAML
idp_metadata_xml: string # SAML
portal_integrations:
- ref: string
portal: string required # prefer: !ref <portal-ref>
google_tag_manager:
enabled: boolean required
type: tracking
config_data:
id: string required (pattern: ^GTM-[A-Za-z0-9]+$)
l: string (nullable)
preview: string (nullable)
cookies_win: boolean (nullable)
debug: boolean (nullable)
npa: boolean (nullable)
data_layer: string (nullable)
env_name: string (nullable)
auth_referrer_policy: string (nullable)
google_analytics_4:
enabled: boolean required
type: analytics
config_data:
id: string required (pattern: ^G-[A-Za-z0-9-]+$)
l: string (nullable)
Portal IP allow lists can also be declared as root resources.
portal_ip_allow_lists:
- ref: string
portal: string required # prefer: !ref <portal-ref>
allowed_ips: array[string] required # IP addresses or CIDR blocks
In sync mode, omitted ip_allow_list configuration is ignored. Include the
ip_allow_list block when the portal IP allow list is owned by the config.
Portal audit-log webhooks can also be declared as root resources.
portal_audit_log_webhooks:
- ref: string
portal: string required # prefer: !ref <portal-ref>
enabled: boolean
audit_log_destination_id: string (uuid) # prefer: !ref
In sync mode, omitted audit_log_webhook configuration is ignored. Include the
audit_log_webhook block when the portal webhook is owned by the config.
portals:
- ref: docs-portal
name: Docs Portal
audit_log_webhook:
ref: docs-portal-audit-log-webhook
enabled: true
audit_log_destination_id: !ref foo
audit-logs:
destinations:
- ref: foo
_external:
selector:
matchFields:
name: foo