Plug-ins are only available for API operations on shared and dedicated instances in virtual private clouds (VPCs). You cannot use plug-ins for API operations on shared instances on the classic network.
Note The latest version of API Gateway that was released in 2019 provides plug-ins to support
existing features such as throttling, IP address-based access control, backend signature,
and JSON Web Token (JWT) authorization. Plug-ins of the JWT Authorization type function
the same as the OpenId Connect feature. In addition, plug-ins also support the following
new features: cross-origin resource sharing (CORS), caching, routing, parametric access
control, error mapping, and circuit breakers. API Gateway will provide more plug-ins
in the future.
1. Usage notes
- Only one plug-in of each type can be bound to an API operation.
- You can bind a plug-in only to an API operation that is in the same region as the plug-in. Each user can create a maximum of 1,000 plug-ins in each region.
- Plug-in configurations and configurations of API operations are managed separately. Configurations of a plug-in take effect only after you bind the plug-in to a published API operation.
- Before you bind a plug-in to an API operation, you must publish the API operation.
- A plug-in can be bound, unbound, and updated with immediate effect. You do not need to re-publish the relevant API operation. For an API operation that requires high security, we recommend that you publish the API operation to the test environment and test plug-ins on the API operation first.
- After an API operation is unpublished, the plug-in that is bound to the API operation is still bound. When the API operation is re-published, the plug-in still takes effect.
- If a plug-in is bound to a published API operation or an API operation that is unpublished but not deleted, you cannot delete the plug-in.
2. Plug-ins supported by API Gateway
API Gateway supports the following types of plug-ins. You can click each plug-in type to view information about the plug-in type.
- Throttling
- IP address-based access control
- Plug-ins of the Parametric Access Control type
- Backend signature
- JWT authentication
- CORS
- API Gateway Caches
- routing plug-in
- Plug-ins of the Error Mapping type
- Plug-ins of the Circuit Breaker type (only available for API operations on dedicated instances)
3. Quick start
- Log on to the API Gateway console. In the left-side navigation pane, choose Publish APIs > Plugin.

- On the Plugin list page, click Create Plugin. On the Create Plugin page, set the parameters as required and click Create.

- After you create the plug-in, the plug-in appears on the Plugin list page. Find the plug-in and click Bind API in the Operation column.

- The plug-in takes effect immediately after you bind it to an API operation.
4. API reference
You can use the following API operations to manage plug-ins in API Gateway:
- Create a plug-in: Create an Plugin
- Modify a plug-in: Modify an Plugin
- Delete a plug-in: Delete the Plugin
- Query plug-ins: Describe an Plugin
- Bind a plug-in to an API operation: Attach Plugin
- Unbind a plug-in from an API operation: Detach Plugin
- Query the API operations that are bound to a plug-in: API for binding under query Plug-ins
- Query the plug-ins that are bound to an API operation: Describe Plugins by API
5. Limits
- For each plug-in, you can configure a maximum of 16,380 bytes of metadata.
- Each user can create a maximum of 1,000 plug-ins in each region.