A policy attaches behavior to a gateway’s traffic. Each policy is a single built-in capability — identified by its slug (e.g. ratelimit, semanticcache, cors) — configured with settings and run at one or more lifecycle stages, with a mode, priority, and a scope (global or per consumer).

Built-in policies

| Policy (slug) | Purpose |
| --- | --- |
| ratelimit | Per-consumer / per-gateway request rate limiting. |
| tokenratelimit | Token-based limiting for LLM cost control. |
| requestsize | Reject requests above a size / character budget. |
| semanticcache | Embedding-based response caching for repeated prompts. |
| cors | Cross-origin resource sharing for browser clients. |

Security policies. Jailbreak, PII, toxicity, and tool-abuse detection are not built into the gateway — they’re provided by TrustGuard, attached as a gateway policy. See the TrustGate integration.

Stages

A policy fires in one or more lifecycle stages:

| Stage | When |
| --- | --- |
| pre_request | Before the request is forwarded upstream. |
| post_request | After the request is built, before sending. |
| pre_response | After the upstream responds, before returning. |
| post_response | After the response is returned (e.g. cache populate). |

Some policies run across two stages — the semantic cache looks up at pre_request and populates at post_response.

Mode

A policy’s mode sets its enforcement intent:

| Mode | Behavior |
| --- | --- |
| enforce | Reject the request on violation (default). |
| throttle | Slow down but pass. |
| observe | Log only — no enforcement. |

Ordering and scope

| Field | Meaning |
| --- | --- |
| slug | The built-in capability this policy configures. |
| settings | The policy’s configuration (limits, thresholds, origins…). |
| priority | Lower runs earlier. |
| parallel | Run alongside other policies at the same stage concurrently. |
| global | Apply to all consumers in the gateway. |
| enabled | Toggle without deleting. |

Global policies are the gateway-wide baseline (e.g. a default request-size guard); consumer-scoped policies tune behavior per tenant. The proxy resolves both sets and runs them in priority order. Policies that partition by a key (the rate limiters) also accept a group_by_header to sub-partition within scope.
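
The resolution described above, modelled as an added example (not the gateway's own code or API schema): it computes the chain a consumer gets at a stage, applies each mode, and lists slugs that only ever log. The `Policy` class, the three functions and the sample data are hypothetical; `parallel` and `group_by_header` are not modelled.

```python
from dataclasses import dataclass

STAGES = ("pre_request", "post_request", "pre_response", "post_response")

@dataclass(frozen=True)
class Policy:
    id: str
    slug: str
    stages: tuple
    priority: int = 0
    mode: str = "enforce"            # enforce | throttle | observe
    is_global: bool = False          # the page's "global" field (reserved word in Python)
    enabled: bool = True
    consumers: frozenset = frozenset()  # consumer ids this policy is attached to

def effective_chain(policies, consumer_id, stage):
    """Enabled policies that apply to this consumer at this stage, lower priority first."""
    active = [p for p in policies
              if p.enabled and stage in p.stages
              and (p.is_global or consumer_id in p.consumers)]
    return sorted(active, key=lambda p: (p.priority, p.id))  # id tie-break: assumption

def decide(chain, violated_slugs):
    """Apply the mode of each violated policy; return (action, log)."""
    action, log = "pass", []
    for p in chain:
        if p.slug not in violated_slugs:
            continue
        log.append((p.slug, p.mode))
        if p.mode == "enforce":
            return "reject", log     # assumption: a reject ends the chain
        if p.mode == "throttle":
            action = "throttle"      # slowed down, but still passes
    return action, log               # observe only adds a log entry

def observe_only(policies, consumer_id):
    """Slugs that apply to this consumer only in observe mode (logged, never acted on)."""
    modes = {}
    for stage in STAGES:
        for p in effective_chain(policies, consumer_id, stage):
            modes.setdefault(p.slug, set()).add(p.mode)
    return sorted(s for s, m in modes.items() if m == {"observe"})

# Constructed sample set; ids, priorities and stage assignments are made up.
POLICIES = [
    Policy("p1", "requestsize", ("pre_request",), 1, is_global=True),
    Policy("p2", "ratelimit", ("pre_request",), 5, "throttle", consumers=frozenset({"tenant-a"})),
    Policy("p3", "tokenratelimit", ("pre_request",), 3, "observe", is_global=True),
    Policy("p4", "semanticcache", ("pre_request", "post_response"), 10, is_global=True),
    Policy("p5", "cors", ("pre_request",), 0, is_global=True, enabled=False),
]
```

Running `observe_only` per consumer is a quick way to spot limits that were left in log-only mode after a rollout.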

Managing policies

CRUD lives under /v1/gateways/{gateway_id}/policies, plus:
  • …/{id}/global (POST/DELETE) — promote/demote to global.
  • …/{id}/duplicate (POST) — clone a policy.
  • Attach to a consumer via …/consumers/{id}/policies/{policy_id}.
See the Policies API.