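# Kong declarative configuration (decK format 3.0) for the it0 API gateway.
#
# Layout:
#   consumers  - the single JWT consumer/credential the jwt plugin validates against
#   services   - one upstream per backend, each with its prefix routes
#   plugins    - global plugins first, then per-service / per-route jwt, then overrides
#
# Auth model visible in this file: the jwt plugin is attached per service or per
# route (never globally), so any route WITHOUT a jwt entry below is reachable at
# the gateway without a token. Intentionally public routes are marked in comments;
# routes that look unintentionally open carry a NOTE(review).
_format_version: "3.0"

consumers:
  - username: it0-system
    jwt_secrets:
      # Tokens must carry `kid: it0-auth` - see key_claim_name on the jwt plugins.
      # The shared HS256 secret is injected by decK from the environment.
      - key: it0-auth
        algorithm: HS256
        secret: "${JWT_SECRET}"

services:
  # auth-service issues tokens, so its login routes carry no jwt plugin.
  # admin-routes is the exception: it is protected by a route-level jwt plugin below.
  - name: auth-service
    url: http://auth-service:3001
    routes:
      - name: auth-routes
        paths:
          - /api/v1/auth
        strip_path: false
      - name: admin-routes
        paths:
          - /api/v1/admin
        strip_path: false

  # Public DingTalk OAuth callback — no JWT (DingTalk redirects here after user taps Authorize)
  # Must be declared BEFORE agent-service so Kong matches this specific path first.
  # NOTE(review): Kong's router prefers the longest matching path prefix, so the
  # declaration order above is defensive rather than load-bearing - confirm. Because
  # this route is public, the callback handler must validate the OAuth `state`.
  - name: dingtalk-oauth-public
    url: http://agent-service:3002
    routes:
      - name: dingtalk-oauth-callback
        paths:
          - /api/v1/agent/channels/dingtalk/oauth/callback
        strip_path: false

  # Service-level jwt plugin below covers both agent-routes and agent-ws.
  - name: agent-service
    url: http://agent-service:3002
    routes:
      - name: agent-routes
        paths:
          - /api/v1/agent
        strip_path: false
      - name: agent-ws
        paths:
          - /ws/agent
        strip_path: false
        protocols:
          - http
          - https

  # Same upstream as agent-service, split out so it can carry its own plugins.
  - name: agent-config-service
    url: http://agent-service:3002
    routes:
      - name: agent-config-routes
        paths:
          - /api/v1/agent-config
        strip_path: false

  - name: ops-service
    url: http://ops-service:3003
    routes:
      - name: ops-routes
        paths:
          - /api/v1/ops
        strip_path: false

  - name: inventory-service
    url: http://inventory-service:3004
    routes:
      - name: inventory-routes
        paths:
          - /api/v1/inventory
        strip_path: false

  - name: monitor-service
    url: http://monitor-service:3005
    routes:
      - name: monitor-routes
        paths:
          - /api/v1/monitor
        strip_path: false

  # Service-level jwt plugin below covers both comm-routes and comm-ws.
  - name: comm-service
    url: http://comm-service:3006
    routes:
      - name: comm-routes
        paths:
          - /api/v1/comm
        strip_path: false
      - name: comm-ws
        paths:
          - /ws/comm
        strip_path: false
        protocols:
          - http
          - https

  # jwt on this service is ROUTE-scoped (voice-api, twilio-webhook only).
  # NOTE(review): no jwt plugin is attached to voice-ws or voice-test, so /ws/voice
  # and /api/v1/test are reachable without a token at the gateway. Confirm /ws/voice
  # authenticates inside the service and that voice-test is not deployed to production.
  - name: voice-service
    url: http://voice-service:3008
    routes:
      - name: voice-ws
        paths:
          - /ws/voice
        strip_path: false
        protocols:
          - http
          - https
      - name: voice-api
        paths:
          - /api/v1/voice
        strip_path: false
      - name: twilio-webhook
        paths:
          - /api/v1/twilio
        strip_path: false
      - name: voice-test
        paths:
          - /api/v1/test
        strip_path: false

  - name: audit-service
    url: http://audit-service:3007
    routes:
      - name: audit-routes
        paths:
          - /api/v1/audit
        strip_path: false

  # No jwt plugin on any version-service route - presumably public by design
  # (app update checks and downloads); confirm nothing write-capable lives here.
  - name: version-service
    url: http://version-service:3009
    routes:
      - name: version-routes
        paths:
          - /api/v1/versions
        strip_path: false
      - name: app-version-check-route
        paths:
          - /api/app/version
        strip_path: false
      - name: app-version-download-route
        paths:
          - /downloads/versions
        strip_path: false

  # jwt is attached to billing-routes only. billing-webhooks is the longer prefix and
  # therefore wins routing for /api/v1/billing/webhooks, so it is public at the gateway:
  # the payment provider's webhook signature must be verified inside billing-service.
  - name: billing-service
    url: http://billing-service:3010
    routes:
      - name: billing-routes
        paths:
          - /api/v1/billing
        strip_path: false
      - name: billing-webhooks
        paths:
          - /api/v1/billing/webhooks
        strip_path: false

  # Service-level jwt plugin below covers presence-routes and analytics-routes.
  - name: presence-service
    url: http://presence-service:3011
    routes:
      - name: presence-routes
        paths:
          - /api/v1/presence
        strip_path: false
      - name: analytics-routes
        paths:
          - /api/v1/analytics
        strip_path: false

  - name: referral-service
    url: http://referral-service:3012
    routes:
      # User-facing: GET /api/v1/referral/me, /me/referrals, /me/rewards
      - name: referral-routes
        paths:
          - /api/v1/referral
        strip_path: false
      # Admin: /api/v1/referral/admin (JWT + role checked in service)
      - name: referral-admin-routes
        paths:
          - /api/v1/referral/admin
        strip_path: false
      # Public validate: /api/v1/referral/validate?code=... (no JWT)
      # Relies on the global rate-limiting plugin to slow code enumeration.
      - name: referral-validate-public
        paths:
          - /api/v1/referral/validate
        strip_path: false

  - name: notification-service
    url: http://notification-service:3013
    routes:
      # User-facing: GET /api/v1/notifications/me, /me/unread-count; POST /me/mark-read
      - name: notification-user-routes
        paths:
          - /api/v1/notifications/me
        strip_path: false
      # Admin: /api/v1/notifications/admin (JWT + platform_admin role enforced in service)
      - name: notification-admin-routes
        paths:
          - /api/v1/notifications/admin
        strip_path: false
      # Channels: admin CRUD + user preferences (JWT enforced)
      - name: notification-channel-routes
        paths:
          - /api/v1/notifications/channels
        strip_path: false
      # Campaigns: admin CRUD + scheduling + analytics
      - name: notification-campaign-routes
        paths:
          - /api/v1/notifications/campaigns
        strip_path: false
      # Segments: admin audience group management
      - name: notification-segment-routes
        paths:
          - /api/v1/notifications/segments
        strip_path: false

plugins:
  # ===== Global plugins (apply to ALL routes) =====
  # With credentials: true the origin list IS the browser trust boundary; consider
  # dropping the plain-http origin once the site is served HTTPS-only.
  - name: cors
    config:
      origins:
        - http://localhost:3000
        - https://it0.szaiai.com
        - http://it0.szaiai.com
        - https://update.szaiai.com
      methods:
        - GET
        - POST
        - PUT
        - DELETE
        - PATCH
        - OPTIONS
      headers:
        - Authorization
        - Content-Type
        - X-Tenant-Id
      credentials: true
  # 120 req/min counted in Redis so the limit is shared across Kong nodes.
  # limit_by is not set; Kong's default is per consumer, falling back to client IP
  # for unauthenticated routes - confirm that is the intended bucket.
  - name: rate-limiting
    config:
      minute: 120
      policy: redis
      redis_host: redis
      redis_port: 6379
  # NOTE(review): Kong's log serializer includes request headers, so Authorization
  # bearer tokens reach stdout unless redacted (file-log supports custom_fields_by_lua
  # for that) - confirm the log pipeline's handling of these records.
  - name: file-log
    config:
      path: /dev/stdout
      reopen: true

  # ===== JWT per-service (NOT on auth-service) =====
  # Every entry is identical: the `kid` claim selects the it0-auth credential above
  # and only `exp` is verified (add `nbf` here if tokens are issued with it).
  - name: jwt
    service: agent-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    service: agent-config-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    service: ops-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    service: inventory-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    service: monitor-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    service: comm-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: voice-api
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  # NOTE(review): Twilio authenticates its webhooks with X-Twilio-Signature, not a
  # bearer token from this consumer; a jwt plugin here will 401 Twilio's callbacks
  # unless the token is configured on the Twilio side - confirm intent.
  - name: jwt
    route: twilio-webhook
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    service: audit-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: billing-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    service: presence-service
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: admin-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  # JWT for referral-service user routes (validate route is public — no JWT)
  - name: jwt
    route: referral-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: referral-admin-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  # JWT for notification-service (role enforcement done in service)
  - name: jwt
    route: notification-user-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: notification-admin-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: notification-channel-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: notification-campaign-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp
  - name: jwt
    route: notification-segment-routes
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp

  # ===== Route-specific overrides =====
  # Tighter budget for the agent WebSocket handshake route. redis_port is spelled out
  # to match the global rate-limiting plugin (Kong's default is 6379, so the effective
  # target is unchanged).
  - name: rate-limiting
    route: agent-ws
    config:
      minute: 30
      policy: redis
      redis_host: redis
      redis_port: 6379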