{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "#/components/schemas/Oauth2IntrospectionPluginConfig",
  "title": "Oauth2IntrospectionPluginConfig",
  "x-speakeasy-entity": "PluginOauth2Introspection",
  "properties": {
    "config": {
      "type": "object",
      "properties": {
        "anonymous": {
          "description": "An optional string (consumer UUID or username) value to use as an \u201canonymous\u201d consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.",
          "type": "string",
          "default": ""
        },
        "authorization_value": {
          "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).",
          "type": "string",
          "x-encrypted": true,
          "x-referenceable": true
        },
        "consumer_by": {
          "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.",
          "type": "string",
          "default": "username",
          "enum": [
            "client_id",
            "username"
          ]
        },
        "custom_claims_forward": {
          "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "default": []
        },
        "custom_introspection_headers": {
          "description": "A list of custom headers to be added in the introspection request.",
          "type": "object",
          "default": {},
          "additionalProperties": {
            "type": "string"
          }
        },
        "hide_credentials": {
          "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.",
          "type": "boolean",
          "default": true
        },
        "introspect_request": {
          "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.",
          "type": "boolean",
          "default": false
        },
        "introspection_url": {
          "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.",
          "type": "string"
        },
        "keepalive": {
          "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.",
          "type": "integer",
          "default": 60000
        },
        "run_on_preflight": {
          "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.",
          "type": "boolean",
          "default": true
        },
        "timeout": {
          "description": "An optional timeout in milliseconds when sending data to the upstream server.",
          "type": "integer",
          "default": 10000
        },
        "token_type_hint": {
          "description": "The `token_type_hint` value to associate to introspection requests.",
          "type": "string"
        },
        "ttl": {
          "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.",
          "type": "number",
          "default": 30
        }
      },
      "required": [
        "authorization_value",
        "introspection_url"
      ]
    },
    "name": {
      "const": "oauth2-introspection"
    },
    "protocols": {
      "description": "A set of strings representing HTTP protocols.",
      "type": "array",
      "items": {
        "enum": [
          "grpc",
          "grpcs",
          "http",
          "https"
        ],
        "type": "string"
      },
      "format": "set",
      "default": [
        "grpc",
        "grpcs",
        "http",
        "https"
      ]
    },
    "route": {
      "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {
          "type": "string"
        }
      }
    },
    "service": {
      "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {
          "type": "string"
        }
      }
    }
  },
  "required": [
    "config"
  ]
}