[Engineering](/blog/engineering)Engineering

March 20, 2026

4 min read

Hugo Guerrero

Principal Tech PMM, Kong

Bringing APIs and events together has always been a challenge. REST APIs give developers a familiar interface, while event brokers like **Solace Broker** excel at fan-out, filtering, and scalable, reliable event delivery. The tricky part? Bridging these two worlds without building a lot of custom glue.

That’s exactly what the new **Kong plugin for Solace upstream mediation** does. It lets you expose Solace event streams through Kong Gateway, applying the same policies and developer experience you already use for REST APIs.

In this post, I’ll walk you through a demo that shows how Kong makes Solace better: not just a passthrough, but a smart, policy-driven **API front door for events**.

## Why Kong in front of Solace?

Running Kong in front of your Solace Broker adds real benefits:

- **Authentication & Access Control** – protect your broker from unauthorized publishers.
- **Validation & Transformation** – enforce schemas, sanitize data, and map REST calls into event topics.
- **Enrichment & Observability** – add correlation IDs, apply tracing, and log events without touching your apps.
- **Protection** – rate limits, request size caps, and termination policies stop bad clients from overwhelming Solace.
- **Consistency** – the same governance you use for REST APIs now applies to events.

## Demo flow: Order processing

Imagine an **order service** that accepts REST requests and publishes them as events.

**1. API Consumer** calls Kong with a standard POST request:

POST /solace/orders/new
{
  "orderId": "12345",
  "customerId": "567",
  "items": [
    {"sku": "ABC123", "qty": 2},
    {"sku": "XYZ789", "qty": 1}
  ],
  "total": 149.99
}

**2. Kong Gateway** applies authentication, validates the payload, adds a correlation ID, rate limits traffic, and transforms the request into a Solace event.

**3. Solace Broker** receives the newly transformed event on the topic orders/new.

**4. Subscribers** (like Inventory, Billing, and Analytics services) consume the event in real time. You can watch this live in the **Solace Manager “Try Me!”** UI.

Prerequisites

Before jumping into the steps, you’ll need a few things set up:

[Docker](https://docs.docker.com/get-docker/)Docker installed locally
[decK](https://docs.konghq.com/deck/latest/installation/)decK installed (Kong’s declarative configuration tool)
A [Solace Cloud](https://console.solace.cloud/)Solace Cloud instance (recommended) or a local Solace Broker running in Docker

Note: We’ll use the example repo [kong-api-gw-examples](https://github.com/hguerrero/kong-api-gw-examples)kong-api-gw-examples which includes a prebuilt configuration for Kong.

Step 1 – Clone the Repository

Grab the example setup from GitHub and navigate into the project directory:

git clone https://github.com/hguerrero/kong-api-gw-examples.git
cd kong-api-gw-examples/solace-http-mediation

Step 2 – Start Kong

If you’re running Solace locally, start everything with:

docker compose up -d

This will launch Kong Gateway and a local Solace broker.

👉 If you’re using Solace Cloud, you don’t need the broker container. Just bring up Kong:

docker compose up -d kong

Make sure you grab your Solace Cloud connection details (host, message VPN, username, password) from the Solace Cloud Console.

Step 3 – Configure Solace Cloud

Log into the Solace Cloud Console, create a Queue (e.g. kongDemoQueue), and subscribe it to a topic ( orders/new). You can follow the instructions [here](https://solace.com/blog/create-message-queue-in-solace/)here.

Step 4 – Configure Kong with decK

We’ll load Kong’s configuration using decK. The repository includes a kong.yaml file that defines a service pointing to your Solace broker, a /solace route, and the Solace upstream plugin.

Update the kong.yaml file with your Solace connection details. Here is what the configuration looks like:

_format_version: "3.0"

vaults:
  - name: konnect
    description: Secrets from Konnect
    prefix: kv
    config:
      config_store_id: <your_config_store_id>

services:
  - name: solace-cloud-service
    url: "http://{{SOLACE_HOST}}:{{SOLACE_PORT_HTTP}}"
    routes:
      - name: solace-incoming-orders-route
        paths:
          - ~/solace/(?<topic_id>[\w/-]+)
        methods:
          - POST
      - name: solace-outcoming-orders-route
        paths:
          - ~/solace/(?<topic_id>[\w-]+)
        methods:
          - GET

plugins:
  # Solace integration
  - name: solace-upstream
    route: solace-incoming-orders-route
    config:
      session:
        host: tcp://solace:55555
        vpn_name: demo
        authentication:
          scheme: BASIC
          username: "{vault://kv/solace-username}"
          password: "{vault://kv/solace-password}"
      message:
        destinations:
          - name: $(uri_captures['topic_id'])
            type: TOPIC
        delivery_mode: DIRECT
        forward_body: true
        functions:
          - return message.body
  - name: solace-consume
    route: solace-outcoming-orders-route
    config:
      mode: WEBSOCKET
      session:
        host: tcp://solace:55555
        vpn_name: demo
        authentication:
          scheme: BASIC
          username: "{vault://kv/solace-username}"
          password: "{vault://kv/solace-password}"
      flow:
        binds:
        - name: $(uri_captures['topic_id'])

  # Security
  - name: key-auth
    service: solace-cloud-service
    config:
      anonymous: anonymous
      hide_credentials: true
      key_names:
        - apikey
  - name: jwt
    service: solace-cloud-service
    config:
      anonymous: anonymous
      header_names:
        - authorization
      claims_to_verify:
        - exp
        - nbf
  - name: acl
    route: solace-incoming-orders-route
    config:
      allow:
        - solace
        - admin
      hide_groups_header: true
  - name: acl
    service: solace-cloud-service
    config:
      deny:
        - anonymous
      hide_groups_header: true

  # Validation
  - name: request-validator
    route: solace-incoming-orders-route
    config:
      version: draft4
      body_schema: |
        {
          "type":"object",
          "required":["orderId","customerId","items","total"],
          "properties":{
            "orderId":{"type":"string"},
            "customerId":{"type":"string"},
            "items":{"type":"array"},
            "total":{"type":"number"}
          }
        }

  # Transformation & Enrichment
  - name: request-transformer
    config:
      add:
        headers:
        - "x-topic: orders/new"
  - name: pre-function
    config:
      access: |
        return function()
          local cid = kong.request.get_header("x-correlation-id")
          if not cid then
            cid = tostring(ngx.now() * 1000000)
            kong.service.request.set_header("x-correlation-id", cid)
          end
        end

  # Protection
  - name: rate-limiting
    config:
      policy: local
      minute: 5
  - name: request-size-limiting
    config:
      allowed_payload_size: 8192
      size_unit: bytes

  # Global Observability
  - name: prometheus
    config: {}
  - name: opentelemetry
    config:
      service_name: "kong-solace-demo"

consumers:
  - username: anonymous
    acls:
      - group: anonymous
  - username: partner@example.com
    keyauth_credentials:
      - key: partner1234
  - username: internal@example.com
    acls:
      - group: solace
    keyauth_credentials:
      - key: internal1234
    jwt_secrets:
      - algorithm: HS256
        key: <your_key>
        secret: <your_secret>

# Global observability (Optional)
- name: prometheus
  config: {}
- name: opentelemetry
  config:
    service_name: "kong-solace-demo"

Then, apply the configuration to Kong:

deck sync --kong-addr http://localhost:8001

Kong is now ready to mediate between HTTP requests and Solace events!

Step 5 – Test the Flow

Now it's time to see it in action:

Publish an order: Send a REST request with a valid JWT/API key. Watch as Kong validates, enriches, and forwards the data to Solace.
Subscribe in Solace Manager:
1. Open the [Try Me](https://docs.solace.com/Cloud/ggs_tryme.htm)Try Me! Tab.
2. Connect a subscriber and subscribe to orders/new.
3. Watch the full JSON payload (with x-correlation-id) arrive in real time.
Play with the policies:
1. Send a malformed order (missing items) → Kong rejects it with 400.
2. Flood requests → Kong enforces rate limits (429).
3. Try without auth → Kong blocks unauthorized traffic.

This demonstrates Kong’s mediation: developers can interact with Solace topics through a standard API front door, while Solace subscribers consume events as usual.

## The benefits in action

By running this demo, you’ve watched Kong actively:

- **Authenticate & authorize** clients before they can publish.
- **Validate** event payloads, preventing garbage from entering Solace.
- **Transform & enrich** requests (topics, correlation IDs).
- **Protect** Solace with rate limiting and size restrictions.
- **Observe** traffic with Prometheus metrics and OpenTelemetry traces.

## What’s next?

This is just the beginning. You could easily extend this architecture by:

- Adding **PII sanitization** to strip sensitive data before events leave the gateway.
- Using **dynamic topic routing** (e.g., high-value orders to orders/high-value).
- Hooking in **custom logging** or a **dead-letter strategy** for failed publishes.

*👉 If you want to dive deeper into Kong plugins for event-driven architecture, check out the*[* main repo with more examples*](https://github.com/hguerrero/kong-api-gw-examples/tree/main/solace-http-mediation#solace-http-mediation)* main repo with more examples**.*

## Final thoughts

The line between APIs and events is disappearing. With Kong Gateway operating in front of Solace, you aren't just connecting two separate systems—you are governing, protecting, and enriching event flows with the exact same maturity you apply to your REST APIs.

That’s how you make **event-driven APIs enterprise-ready**.

**Topics**

- [API Gateway](/blog/tag/api-gateway)API Gateway- [Plugins](/blog/tag/plugins)Plugins- [Governance](/blog/tag/governance)Governance- [API Security](/blog/tag/api-security)API Security- [Microservices](/blog/tag/microservices)Microservices- [Event Gateway](/blog/tag/event-gateway)Event Gateway

Hugo Guerrero

Principal Tech PMM, Kong

# Practical Strategies to Monetize AI APIs in Production

[Engineering](/blog)EngineeringMarch 27, 2026

Traditional APIs are, in a word, predictable. You know what you're getting: Compute costs that don't surprise you Traffic patterns that behave themselves Clean, well-defined request and response cycles AI APIs, especially anything that runs on LLMs

Deepanshu Pandey

[](https://konghq.com/blog/engineering/monetize-ai-apis)

# Bringing Identity-Aware Security & Policy Enforcement to Event Streaming

[Product Releases](/blog)Product ReleasesMarch 25, 2026

The widespread adoption of Kafka and event streaming platforms is evident across several enterprises, where they serve as the backbone of critical operations, ranging from financial transactions to AI inference pipelines. However, in the domains of

Hugo Guerrero

[](https://konghq.com/blog/product-releases/kong-event-gateway-1-1)

# Exposing Kafka to the Internet: Solving External Access

[Enterprise](/blog)EnterpriseFebruary 20, 2026

Your Kafka Doesn't Have to Live Behind a Wall When teams resort to VPC peering or PrivateLink to expose Kafka, they're not solving the problem — they're managing it, one network topology decision at a time. Every new external consumer adds compl

Anthony Gatti

[](https://konghq.com/blog/enterprise/kafka-external-access)

# Configuring Kong Dedicated Cloud Gateways with Managed Redis in a Multi-Cloud Environment

[Engineering](/blog)EngineeringMarch 12, 2026

Architecture Overview A multicloud DCGW architecture typically contains three main layers. 1\. Konnect Control Plane The SaaS control plane manages configuration, plugins, and policies. All gateways connect securely to this layer. 2\. Dedicated C

Hugo Guerrero

[](https://konghq.com/blog/engineering/dedicated-cloud-gateways-managed-redis-multi-cloud)

# Kong Event Gateway: Unifying APIs and Events in a Single API Platform

[Product Releases](/blog)Product ReleasesMay 13, 2025

Kong customers include some of the most forward-thinking, tech-savvy organizations in the world. And while we’re proud to help them innovate through traditional APIs, the reality is that their ambitions don’t stop there. Increasingly, our customers a

Umair Waheed

[](https://konghq.com/blog/product-releases/kong-event-gateway)

# Evaluating API Testing Tools: Insomnia vs Postman

[Enterprise](/blog)EnterpriseMarch 26, 2026

Free collaboration with Postman — a myth On March 1st, 2026, Postman discontinued free collaboration for small teams. Now , Git or Cloud-native collaboration requires a Team plan starting at $19 per person per month. That means even a 3-person team

Haley Giuliano

[](https://konghq.com/blog/enterprise/insomnia-vs-postman-evaluating-api-testing-tools)

# AI Input vs. Output: Why Token Direction Matters for AI Cost Management

[Enterprise](/blog)EnterpriseMarch 10, 2026

The Shifting Economic Landscape: The AI token economy in 2026 is evolving, and enterprise leaders must distinguish between low-cost input tokens and high-premium output tokens to maintain profitability. Agentic AI Financial Risks: The transition t

Dan Temkin

[](https://konghq.com/blog/enterprise/ai-input-vs-output-cost-management)

# Connecting Kong and Solace: Building Smarter Event-Driven APIs

## Why Kong in front of Solace?

## Demo flow: Order processing

Prerequisites

Step 1 – Clone the Repository

Step 2 – Start Kong

Step 3 – Configure Solace Cloud

Step 4 – Configure Kong with decK

Step 5 – Test the Flow

## The benefits in action

## What’s next?

## Final thoughts

Recommended posts

# Practical Strategies to Monetize AI APIs in Production

# Bringing Identity-Aware Security & Policy Enforcement to Event Streaming

# Exposing Kafka to the Internet: Solving External Access

# Configuring Kong Dedicated Cloud Gateways with Managed Redis in a Multi-Cloud Environment

# Kong Event Gateway: Unifying APIs and Events in a Single API Platform

# Evaluating API Testing Tools: Insomnia vs Postman

# AI Input vs. Output: Why Token Direction Matters for AI Cost Management

## Ready to see Kong in action?

## step-0