Imagine you have a single Service, *order-api*. You want to apply a strict rate limit to most traffic, but you want to bypass that limit—or apply a different one—if the request contains a specific *X-App-Priority: High* header.

Previously, you had two choices, neither of them ideal:

1. - **Create two identical routes:** One matching the header and one not. This duplicates your routing logic and increases the surface area for configuration errors.
2. - **Custom Plugin:** Write a wrapper plugin that checks the header before executing the internal logic. This adds maintenance overhead and requires Lua expertise.

Kong Gateway 3.14 introduces a new condition field on plugins. This allows you to define when a plugin-based policy should execute, using Kong’s Advanced Traffic Control (ATC) expression language.

The logic is simple: If the condition evaluates to true, the plugin runs. If not, it is skipped.

You can now attach a plugin to a Service or Route but tell Kong: *"Only actually run this if these specific request criteria are met."*

This enables per-request decision-making without changing your routing topology.

Consider a common enterprise scenario:

• - Requests may arrive with a client certificate already validated upstream
• - **If** a certificate is present, you want to skip OIDC authentication
• - **Otherwise**, enforce OIDC

Previously, this required multiple routes or complex routing logic.

With conditional plugin execution, this logic is now declarative:

_format_version: "3.0"
services:
  - name: core
    url: http://core-service:8080
    routes:
      - name: core_route
        paths:
          - /api

    plugins:
      - name: oidc
        condition: "http.headers.ssl_client_cert == nil"
        config:
          # OIDC configuration details...

**What’s happening here?**

• - The `oidc` plugin is attached at the Service level, potentially covering dozens of routes.
• - The `condition` checks for the absence of the `ssl_client_cert` header.
• - If the header is missing, OIDC triggers. If present, the gateway bypasses the plugin entirely.

This creates a clean, declarative security policy without duplicating routes.

The `condition` field uses Kong’s Advanced Traffic Control (ATC) expression language.

For example:

http.headers.ssl_client_cert == nil

• - **Normalization:** Header names are normalized *(e.g., http.headers.ssl_client_cert)*, ensuring consistency regardless of client formatting.
• - **Performance:** ATC expressions are compiled into an efficient internal representation. They are evaluated in microseconds, ensuring that adding conditions doesn't introduce measurable latency.
• - **Context-Aware:** Expressions can reference almost any request attribute, including headers, methods, paths, shared context, and more.

This gives you a powerful, composable way to define execution logic.

**Reduced configuration complexity — **By eliminating the need for "shadow routes" created solely for plugin variations, your kong.yaml or Admin API state remains clean and readable. This significantly reduces the cognitive load for DevOps teams auditing the system.

**Decoupling logic from infrastructure — **Conditional execution allows you to treat plugins as "policies" rather than "attachments." You can apply a global plugin to every route in your workspace but use conditions to ensure it only fires for specific protocols, methods, or query parameters.

**Better observability — **When using the *instance_name* field alongside conditions, your logs and metrics become much more descriptive. You can see exactly which conditional instance of a plugin was triggered, making debugging complex traffic patterns straightforward.

Conditional plugin execution shifts API infrastructure from rigid to dynamic and context-aware, supporting a modern, declarative control plane. It recognizes that in complex environments (like those with AI and event-driven architectures), request context is critical for unique processing.

This feature allows Kong Gateway real-time adaptability by evaluating request attributes to dynamically execute plugins. Instead of uniform application, security, traffic, or transformation logic is applied only when specific conditions are met (e.g., header presence, IP range, consumer group). This precision boosts efficiency, reduces latency, and offers granular API lifecycle control.

The introduction of conditional policy execution represents a shift toward a more "intent-based" networking model for API gateways. By using the power of ATC expressions, Kong Gateway allows engineers to build highly sophisticated, context-aware API policies without the baggage of configuration sprawl.

With conditional plugin execution in Kong Gateway 3.14, you can:

• - Reduce configuration complexity
• - Improve performance
• - Centralize policy enforcement
• - Unlock advanced traffic patterns

Most importantly, you gain precision control over your API flows without sacrificing simplicity.

This is a foundational capability for building AI-ready, policy-driven infrastructure, where decisions are made dynamically at the edge.

*To get started with conditional plugins, check out the *[*Kong Documentation*](https://developer.konghq.com/gateway/entities/plugin/#conditional-plugin-execution)*Kong Documentation** and the available *[*tutorial,*](https://developer.konghq.com/gateway/configure-conditional-plugin-execution/)*tutorial,** and explore the *[*conditional expressions for plugins*](https://developer.konghq.com/gateway/plugins/expressions/)*conditional expressions for plugins**.*