Blog
|
Engineering
March 20, 2026
4 min read

Connecting Kong and Solace: Building Smarter Event-Driven APIs

Hugo Guerrero
Principal Tech PMM, Kong

Bringing APIs and events together has always been a challenge. REST APIs give developers a familiar interface, while event brokers like Solace Broker excel at fan-out, filtering, and scalable, reliable event delivery. The tricky part? Bridging these two worlds without building a lot of custom glue.

That’s exactly what the new Kong plugin for Solace upstream mediation does. It lets you expose Solace event streams through Kong Gateway, applying the same policies and developer experience you already use for REST APIs.

In this post, I’ll walk you through a demo that shows how Kong makes Solace better: not just a passthrough, but a smart, policy-driven API front door for events.

Why Kong in front of Solace?

Running Kong in front of your Solace Broker adds real benefits:

  • Authentication & Access Control – protect your broker from unauthorized publishers.
  • Validation & Transformation – enforce schemas, sanitize data, and map REST calls into event topics.
  • Enrichment & Observability – add correlation IDs, apply tracing, and log events without touching your apps.
  • Protection – rate limits, request size caps, and termination policies stop bad clients from overwhelming Solace.
  • Consistency – the same governance you use for REST APIs now applies to events.

Demo flow: Order processing

Imagine an order service that accepts REST requests and publishes them as events.

1. API Consumer calls Kong with a standard POST request:

POST /solace/orders/new
{
  "orderId": "12345",
  "customerId": "567",
  "items": [
    {"sku": "ABC123", "qty": 2},
    {"sku": "XYZ789", "qty": 1}
  ],
  "total": 149.99
}

2. Kong Gateway applies authentication, validates the payload, adds a correlation ID, rate limits traffic, and transforms the request into a Solace event.

3. Solace Broker receives the newly transformed event on the topic orders/new.

4. Subscribers (like Inventory, Billing, and Analytics services) consume the event in real time. You can watch this live in the Solace Manager “Try Me!” UI.

Prerequisites

Before jumping into the steps, you’ll need a few things set up:

  • Docker installed locally
  • decK installed (Kong’s declarative configuration tool)
  • A Solace Cloud instance (recommended) or a local Solace Broker running in Docker

Note: We’ll use the example repo kong-api-gw-examples which includes a prebuilt configuration for Kong.

Step 1 – Clone the Repository

Grab the example setup from GitHub and navigate into the project directory:

git clone https://github.com/hguerrero/kong-api-gw-examples.git
cd kong-api-gw-examples/solace-http-mediation

Step 2 – Start Kong

If you’re running Solace locally, start everything with:

docker compose up -d

This will launch Kong Gateway and a local Solace broker.

👉 If you’re using Solace Cloud, you don’t need the broker container. Just bring up Kong:

docker compose up -d kong

Make sure you grab your Solace Cloud connection details (host, message VPN, username, password) from the Solace Cloud Console.

Step 3 – Configure Solace Cloud

Log into the Solace Cloud Console, create a Queue (e.g. kongDemoQueue), and subscribe it to a topic ( orders/new). You can follow the instructions here.

Step 4 – Configure Kong with decK

We’ll load Kong’s configuration using decK. The repository includes a kong.yaml file that defines a service pointing to your Solace broker, a /solace route, and the Solace upstream plugin.

Update the kong.yaml file with your Solace connection details. Here is what the configuration looks like:

_format_version: "3.0"

vaults:
  - name: konnect
    description: Secrets from Konnect
    prefix: kv
    config:
      config_store_id: <your_config_store_id>

services:
  - name: solace-cloud-service
    url: "http://{{SOLACE_HOST}}:{{SOLACE_PORT_HTTP}}"
    routes:
      - name: solace-incoming-orders-route
        paths:
          - ~/solace/(?<topic_id>[\w/-]+)
        methods:
          - POST
      - name: solace-outcoming-orders-route
        paths:
          - ~/solace/(?<topic_id>[\w-]+)
        methods:
          - GET

plugins:
  # Solace integration
  - name: solace-upstream
    route: solace-incoming-orders-route
    config:
      session:
        host: tcp://solace:55555
        vpn_name: demo
        authentication:
          scheme: BASIC
          username: "{vault://kv/solace-username}"
          password: "{vault://kv/solace-password}"
      message:
        destinations:
          - name: $(uri_captures['topic_id'])
            type: TOPIC
        delivery_mode: DIRECT
        forward_body: true
        functions:
          - return message.body
  - name: solace-consume
    route: solace-outcoming-orders-route
    config:
      mode: WEBSOCKET
      session:
        host: tcp://solace:55555
        vpn_name: demo
        authentication:
          scheme: BASIC
          username: "{vault://kv/solace-username}"
          password: "{vault://kv/solace-password}"
      flow:
        binds:
        - name: $(uri_captures['topic_id'])

  # Security
  - name: key-auth
    service: solace-cloud-service
    config:
      anonymous: anonymous
      hide_credentials: true
      key_names:
        - apikey
  - name: jwt
    service: solace-cloud-service
    config:
      anonymous: anonymous
      header_names:
        - authorization
      claims_to_verify:
        - exp
        - nbf
  - name: acl
    route: solace-incoming-orders-route
    config:
      allow:
        - solace
        - admin
      hide_groups_header: true
  - name: acl
    service: solace-cloud-service
    config:
      deny:
        - anonymous
      hide_groups_header: true

  # Validation
  - name: request-validator
    route: solace-incoming-orders-route
    config:
      version: draft4
      body_schema: |
        {
          "type":"object",
          "required":["orderId","customerId","items","total"],
          "properties":{
            "orderId":{"type":"string"},
            "customerId":{"type":"string"},
            "items":{"type":"array"},
            "total":{"type":"number"}
          }
        }

  # Transformation & Enrichment
  - name: request-transformer
    config:
      add:
        headers:
        - "x-topic: orders/new"
  - name: pre-function
    config:
      access: |
        return function()
          local cid = kong.request.get_header("x-correlation-id")
          if not cid then
            cid = tostring(ngx.now() * 1000000)
            kong.service.request.set_header("x-correlation-id", cid)
          end
        end

  # Protection
  - name: rate-limiting
    config:
      policy: local
      minute: 5
  - name: request-size-limiting
    config:
      allowed_payload_size: 8192
      size_unit: bytes

  # Global Observability
  - name: prometheus
    config: {}
  - name: opentelemetry
    config:
      service_name: "kong-solace-demo"

consumers:
  - username: anonymous
    acls:
      - group: anonymous
  - username: partner@example.com
    keyauth_credentials:
      - key: partner1234
  - username: internal@example.com
    acls:
      - group: solace
    keyauth_credentials:
      - key: internal1234
    jwt_secrets:
      - algorithm: HS256
        key: <your_key>
        secret: <your_secret>

# Global observability (Optional)
- name: prometheus
  config: {}
- name: opentelemetry
  config:
    service_name: "kong-solace-demo"

Then, apply the configuration to Kong:

deck sync --kong-addr http://localhost:8001

Kong is now ready to mediate between HTTP requests and Solace events!

Step 5 – Test the Flow

Now it's time to see it in action:

  1. Publish an order: Send a REST request with a valid JWT/API key. Watch as Kong validates, enriches, and forwards the data to Solace.
  2. Subscribe in Solace Manager:
    1. Open the Try Me! Tab.
    2. Connect a subscriber and subscribe to orders/new.
    3. Watch the full JSON payload (with x-correlation-id) arrive in real time.
  3. Play with the policies:
    1. Send a malformed order (missing items) → Kong rejects it with 400.
    2. Flood requests → Kong enforces rate limits (429).
    3. Try without auth → Kong blocks unauthorized traffic.

This demonstrates Kong’s mediation: developers can interact with Solace topics through a standard API front door, while Solace subscribers consume events as usual.

The benefits in action

By running this demo, you’ve watched Kong actively:

  • Authenticate & authorize clients before they can publish.
  • Validate event payloads, preventing garbage from entering Solace.
  • Transform & enrich requests (topics, correlation IDs).
  • Protect Solace with rate limiting and size restrictions.
  • Observe traffic with Prometheus metrics and OpenTelemetry traces.

What’s next?

This is just the beginning. You could easily extend this architecture by:

  • Adding PII sanitization to strip sensitive data before events leave the gateway.
  • Using dynamic topic routing (e.g., high-value orders to orders/high-value).
  • Hooking in custom logging or a dead-letter strategy for failed publishes.

👉 If you want to dive deeper into Kong plugins for event-driven architecture, check out the main repo with more examples.

Final thoughts

The line between APIs and events is disappearing. With Kong Gateway operating in front of Solace, you aren't just connecting two separate systems—you are governing, protecting, and enriching event flows with the exact same maturity you apply to your REST APIs.

That’s how you make event-driven APIs enterprise-ready.

Hugo Guerrero
Principal Tech PMM, Kong

Recommended posts

Configuring Kong Dedicated Cloud Gateways with Managed Redis in a Multi-Cloud Environment

Engineering

Architecture Overview A multicloud DCGW architecture typically contains three main layers. 1\. Konnect Control Plane The SaaS control plane manages configuration, plugins, and policies. All gateways connect securely to this layer. 2\. Dedicated C

Hugo Guerrero

AI Input vs. Output: Why Token Direction Matters for AI Cost Management

Enterprise

The Shifting Economic Landscape: The AI token economy in 2026 is evolving, and enterprise leaders must distinguish between low-cost input tokens and high-premium output tokens to maintain profitability. Agentic AI Financial Risks: The transition t

Dan Temkin

Exposing Kafka to the Internet: Solving External Access

Enterprise

Your Kafka Doesn't Have to Live Behind a Wall When teams resort to VPC peering or PrivateLink to expose Kafka, they're not solving the problem — they're managing it, one network topology decision at a time. Every new external consumer adds compl

Anthony Gatti

From APIs to Agentic Integration: Introducing Kong Context Mesh

Product Releases

Agents are ultimately decision makers. They make those decisions by combining intelligence with context, ultimately meaning they are only ever as useful as the context they can access. An agent that can't check inventory levels, look up customer his

Alex Drag

The Enterprise API Strategy Cookbook: 8 Ingredients for Legacy Modernization

Enterprise

This is the pitch to the board and the C-suite. It must be brutally concise, focused entirely on your business outcomes, not the technology. If the first page doesn't articulate value, the strategy dies. Why? It immediately frames the initiative in

Steve Roberts

10 Ways Microservices Create New Security Challenges

Engineering

Why are Microservices Security Risks? Traditional security was simple. One perimeter. Few entry points. Clear boundaries. Microservices shattered this model. Now organizations manage hundreds of independent services. The average number of API calls

Mike Bilodeau

5 Best Practices for Securing Microservices at Scale in 2025

Engineering

The Challenge: Securing Distributed Systems Netflix operates over 1,000 microservices handling two billion daily requests (Microservices architecture: from Netflix to APIs). One security gap can trigger cascading breaches. Traditional perimeter sec

Kong

Ready to see Kong in action?

Get a personalized walkthrough of Kong's platform tailored to your architecture, use cases, and scale requirements.

Get a Demo