Transform requests and responses at the gateway level. Extract JWT claims, mask PII, rename fields, inject headers — all configured per route with conditional execution.
Flow: Incoming Request → Request Pipeline (9 actions: headers, body, query params, JWT extraction) → Proxy → Your Backend → Response Pipeline (7 actions: PII masking, headers, field removal, security) → Response to Client
Transform the request before it reaches your backend.
Extract JWT claims (sub, email, role) and inject as request headers for your backend.
Example: JWT claim "sub" → X-User-Id header
Add or override request headers before they reach your backend.
Example: Add "X-Gateway: nolxy" to every request
Strip sensitive or unnecessary headers from requests.
Example: Remove "X-Debug-Token" in production
Rename JSON body fields for API version compatibility.
Example: "customer_id_deprecated" → "customerId"
Inject missing fields with default values.
Example: Add "version": "v2" if not present
Trim whitespace from string fields in the request body.
Example: " hello " → "hello"
Lowercase string fields for consistent processing.
Example: "John@Email.COM" → "john@email.com"
Add or override URL query parameters.
Example: Add "format=json" to all requests
Strip query parameters before forwarding.
Example: Remove "debug=true" in production
Transform the response before it reaches the client.
Mask or remove PII fields from responses. Supports dot notation and wildcards.
Example: "ssn": "123-45-6789" → "ssn": "***REDACTED***"
Add or override response headers returned to the client.
Example: Add "X-Request-Id" for tracing
Strip internal headers from responses before they reach the client.
Example: Remove "X-Powered-By" for security
Remove JSON fields from the response body.
Example: Remove "internal_id" from API responses
Find and replace strings in the response body.
Example: Replace internal URLs with public URLs
Inject security headers: CSP, HSTS, X-Frame-Options, and more.
Example: Add OWASP-recommended security headers
Append a header to the response (does not override existing).
Example: Add "Cache-Control: public, max-age=300"
High-performance execution with compiled pipelines and conditional logic.
Pipelines are compiled once and cached in an LRU cache (10K entries, 5min TTL). Subsequent executions skip parsing.
Actions can be filtered by HTTP method or path pattern. Only run transforms when they apply.
If an action fails, the pipeline continues. Errors are logged but never break the request flow.
Target nested fields with "user.address.city" or arrays with "items.*.price" syntax.
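The dot-notation and wildcard targeting described above, applied to response masking, as an added Python example (not the gateway's own code or configuration). The function names, the sample response and the rule that "*" matches every list element or dict value are assumptions made for illustration.

```python
import copy

MASK = "***REDACTED***"  # mask string shown in the page's SSN example

def mask_paths(body, paths, mask=MASK):
    """Return a deep copy of body with every field matched by paths masked.

    Path syntax follows the page: dot-separated keys, "*" as a wildcard.
    Assumption: "*" matches every list element or every dict value.
    """
    out = copy.deepcopy(body)
    for path in paths:
        _walk(out, path.split("."), mask)
    return out

def _walk(node, parts, mask):
    head, rest = parts[0], parts[1:]
    if head == "*":
        if isinstance(node, list):
            keys = range(len(node))
        elif isinstance(node, dict):
            keys = list(node)
        else:
            return  # wildcard over a scalar: nothing to descend into
    elif isinstance(node, dict) and head in node:
        keys = [head]
    else:
        return  # path absent in this response: nothing to mask
    for key in keys:
        if rest:
            _walk(node[key], rest, mask)
        else:
            node[key] = mask  # leaf reached: replace the value

# Constructed sample response, not real data.
SAMPLE = {
    "user": {"name": "Ann", "ssn": "123-45-6789", "address": {"city": "Oslo"}},
    "items": [{"sku": "a1", "price": 10}, {"sku": "b2", "price": 25}, "note"],
}

def demo():
    rules = ["user.ssn", "user.address.city", "items.*.price", "user.phone"]
    return mask_paths(SAMPLE, rules)

if __name__ == "__main__":
    print(demo())
```

A rule whose path is missing from a response is a silent no-op here, so a renamed backend field stops being masked without any error. Since the page says a failed action is logged and the pipeline continues, it is worth alerting on logged masking errors rather than assuming the field was redacted.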
Your backend uses API keys in headers but your frontend uses JWT. Use jwtClaimToHeader to extract the user ID and inject it as a header — zero backend changes.
Your API returns SSNs, emails, and phone numbers. Use hideSensitiveData with wildcards to mask them at the gateway — no backend refactor.
Your v1 API uses customer_id but v2 uses customerId. Use renameField to support both without maintaining two codebases.
Pipelines are available on Pro plans and above. Configure per-route transformations in your dashboard or via Gateway as Code.