Modern API architectures are no longer linear. A single request can traverse multiple layers of authentication, transformation, enrichment, and observability. As these flows grow more dynamic, the need for fine-grained control over when plugins execute becomes critical.
For years, the standard approach to API Gateway configuration followed a strict hierarchical model: you applied a plugin to a Service, a Route, or a Consumer. If you needed a plugin to behave differently based on a specific header or a dynamic path segment, you often had to split your configuration into multiple routes or resort to custom Lua scripts.
The introduction of [conditional plugin execution](https://developer.konghq.com/gateway/plugins/expressions/)conditional plugin execution in [Kong Gateway 3.14](https://konghq.com/blog/product-releases/kong-gateway-3-14)Kong Gateway 3.14 marks a shift from static, entity-bound logic. This enhancement empowers platform engineers to define precise, fine-grained execution rules directly within the plugin configuration.
This is more than a convenience feature. It fundamentally changes how you design API traffic flows.
Imagine you have a single Service, *order-api*. You want to apply a strict rate limit to most traffic, but you want to bypass that limit—or apply a different one—if the request contains a specific *X-App-Priority: High* header.
Previously, you had two choices, neither of them ideal:
Kong Gateway 3.14 introduces a new condition field on plugins. This allows you to define when a plugin-based policy should execute, using Kong’s Advanced Traffic Control (ATC) expression language.
The logic is simple: If the condition evaluates to true, the plugin runs. If not, it is skipped.
You can now attach a plugin to a Service or Route but tell Kong: *"Only actually run this if these specific request criteria are met."*
This enables per-request decision-making without changing your routing topology.
Consider a common enterprise scenario:
Previously, this required multiple routes or complex routing logic.
With conditional plugin execution, this logic is now declarative:
_format_version: "3.0"
services:
- name: core
url: http://core-service:8080
routes:
- name: core_route
paths:
- /api
plugins:
- name: oidc
condition: "http.headers.ssl_client_cert == nil"
config:
# OIDC configuration details...**What’s happening here?**
`oidc` plugin is attached at the Service level, potentially covering dozens of routes.`condition` checks for the absence of the `ssl_client_cert` header.This creates a clean, declarative security policy without duplicating routes.
The `condition` field uses Kong’s Advanced Traffic Control (ATC) expression language.
For example:
http.headers.ssl_client_cert == nilThis gives you a powerful, composable way to define execution logic.
**Reduced configuration complexity — **By eliminating the need for "shadow routes" created solely for plugin variations, your kong.yaml or Admin API state remains clean and readable. This significantly reduces the cognitive load for DevOps teams auditing the system.
**Decoupling logic from infrastructure — **Conditional execution allows you to treat plugins as "policies" rather than "attachments." You can apply a global plugin to every route in your workspace but use conditions to ensure it only fires for specific protocols, methods, or query parameters.
**Better observability — **When using the *instance_name* field alongside conditions, your logs and metrics become much more descriptive. You can see exactly which conditional instance of a plugin was triggered, making debugging complex traffic patterns straightforward.
Conditional plugin execution shifts API infrastructure from rigid to dynamic and context-aware, supporting a modern, declarative control plane. It recognizes that in complex environments (like those with AI and event-driven architectures), request context is critical for unique processing.
This feature allows Kong Gateway real-time adaptability by evaluating request attributes to dynamically execute plugins. Instead of uniform application, security, traffic, or transformation logic is applied only when specific conditions are met (e.g., header presence, IP range, consumer group). This precision boosts efficiency, reduces latency, and offers granular API lifecycle control.
The introduction of conditional policy execution represents a shift toward a more "intent-based" networking model for API gateways. By using the power of ATC expressions, Kong Gateway allows engineers to build highly sophisticated, context-aware API policies without the baggage of configuration sprawl.
With conditional plugin execution in Kong Gateway 3.14, you can:
Most importantly, you gain precision control over your API flows without sacrificing simplicity.
This is a foundational capability for building AI-ready, policy-driven infrastructure, where decisions are made dynamically at the edge.
*To get started with conditional plugins, check out the *[*Kong Documentation*](https://developer.konghq.com/gateway/entities/plugin/#conditional-plugin-execution)*Kong Documentation** and the available *[*tutorial,*](https://developer.konghq.com/gateway/configure-conditional-plugin-execution/)*tutorial,** and explore the *[*conditional expressions for plugins*](https://developer.konghq.com/gateway/plugins/expressions/)*conditional expressions for plugins**.*
How OAuth 2.0 Token Exchange Reshapes Trust Between Services — and Why the API Gateway Is Exactly the Right Place to Enforce It Modern applications don’t run as a single monolithic. They are composed of services — frontend APIs, backend microservi
[](https://konghq.com/blog/engineering/token-exchange-at-the-gateway)
Having worked with many customers and prospects at Kong, one of the main requirements we often hear is how to handle dynamic routing based on the URL and headers. In this blog post, I will cover different use cases we come across for dynamic routing
[](https://konghq.com/blog/engineering/how-to-dynamically-route-requests-with-kong-enterprise)
How Kong Gateway 3.14 closes the consistency gap in IAM-based authentication across AWS, Azure and GCP — and what it means for your production deployments Starting with 3.13 (which addressed Redis support) and completed in 3.14, Kong now presents
[](https://konghq.com/blog/engineering/cloud-native-authentication)
Traditional APIs are, in a word, predictable. You know what you're getting: Compute costs that don't surprise you Traffic patterns that behave themselves Clean, well-defined request and response cycles AI APIs, especially anything that runs on LLMs
[](https://konghq.com/blog/engineering/monetize-ai-apis)
Running Kong in front of your Solace Broker adds real benefits: Authentication & Access Control – protect your broker from unauthorized publishers. Validation & Transformation – enforce schemas, sanitize data, and map REST calls into event topics.
[](https://konghq.com/blog/engineering/smarter-event-driven-apis-kong-solace)
Today we're excited to announce Kong Gateway 3.9! Since unveiling Kong Gateway 3.8 at API Summit 2024 just a few months ago, we’ve been busy making important updates and improvements to Kong Gateway. This release introduces new functionality arou
[](https://konghq.com/blog/product-releases/kong-gateway-3-9)
We're thrilled to announce the general availability of Kong Gateway 3.7 and Kong Gateway Enterprise 3.7. Along with enhancements and new features for both OSS and enterprise users, this version comes with the general availability of our edge AI Gate
[](https://konghq.com/blog/product-releases/kong-gateway-3-7)