Request validation (LLM Context validator)
The LLM Context validator plugin uses an LLM to validate incoming HTTP requests based on their full context. The LLM acts as a smart access control layer, deciding whether to allow or deny each request.
How it works
- The plugin serializes the entire request context (method, path, headers, query parameters, body, etc.) as JSON
- This context is sent to the configured LLM provider along with a system prompt
- The LLM analyzes the request and returns "true" (allow) or "false" (deny)
- If denied, the plugin returns HTTP 403 Forbidden
This enables context-aware access validation that goes beyond simple rules: the LLM can evaluate complex conditions, detect suspicious patterns, or enforce business logic. Two caveats follow from the design. The serialized context, headers and body included, is sent to the configured provider, so any credentials or secrets carried by the request leave the gateway. And the model is reasoning over attacker-controlled input, so request content can attempt to steer the verdict (prompt injection). Treat the plugin as an additional heuristic layer, not as a replacement for deterministic authentication and authorization checks.

Plugin configuration
{
"enabled": true,
"plugin": "cp:otoroshi_plugins.com.cloud.apim.otoroshi.extensions.aigateway.plugins.AiContextValidator",
"config": {
"ref": "provider-entity-id",
"prompt": "You are a security validator. Analyze the following HTTP request context and determine if it should be allowed. Return only 'true' or 'false'.",
"prompt_ref": null,
"context_ref": null,
"extractor": null
}
}
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| ref | string | "" | LLM Provider entity ID |
| prompt | string | "" | System prompt instructing the LLM how to validate the request |
| prompt_ref | string | null | Reference to a stored prompt entity |
| context_ref | string | null | Reference to a stored context entity for pre/post messages |
| extractor | string | null | Regex pattern to extract the boolean result from the LLM response |
LLM response format
The LLM must return one of:
- The string "true" or "false"
- A JSON object: {"result": true} or {"result": false}
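As an added, stand-alone illustration of the flow described under "How it works" and of the reply shapes listed above, the following Python sketch (example code, not the plugin's own Scala implementation) builds the system/user message pair an OpenAI-style chat provider would receive and parses the documented reply formats, with an optional extractor regex applied first. The sample request context, the extractor pattern and the fail-closed mapping of an unparseable reply to 403 are assumptions made for the example; the page does not state how the plugin handles a reply it cannot parse.

```python
import json
import re
from typing import Optional

# Constructed sample request context, shaped like the JSON the plugin
# serializes (method, path, headers, query parameters, body). The values are
# made up for this example.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/api/orders",
    "headers": {"Content-Type": "application/json", "Authorization": "Bearer <token>"},
    "query": {"debug": "1"},
    "body": "{\"customer\": \"alice\", \"email\": \"alice@example.com\"}",
}

SYSTEM_PROMPT = (
    "You are a security validator. Analyze the following HTTP request context "
    "and determine if it should be allowed. Return only 'true' or 'false'."
)


def build_messages(system_prompt: str, request_ctx: dict) -> list[dict]:
    """Assemble the chat messages sent to the provider: the operator's system
    prompt, then the serialized request context as the user turn. Note that
    everything in request_ctx (headers included) reaches the provider."""
    return [
        {"role": "system", "content": system_prompt},
        {"role": "user", "content": json.dumps(request_ctx, sort_keys=True)},
    ]


def parse_decision(raw: str, extractor: Optional[str] = None) -> Optional[bool]:
    """Turn the LLM's reply into True (allow), False (deny) or None (unparseable).

    Accepted shapes, per the documented response format:
      - the bare string "true" / "false" (surrounding whitespace and quotes ignored)
      - a JSON object {"result": true} / {"result": false}
    If an extractor regex is configured, its first capture group (or the whole
    match) is taken as the candidate text before the shapes above are tried.
    """
    text = raw.strip()
    if extractor:
        m = re.search(extractor, text, re.IGNORECASE | re.DOTALL)
        if not m:
            return None
        text = (m.group(1) if m.groups() else m.group(0)).strip()
    # JSON object form, or a bare JSON literal true/false
    try:
        obj = json.loads(text)
        if isinstance(obj, dict) and isinstance(obj.get("result"), bool):
            return obj["result"]
        if isinstance(obj, bool):
            return obj
    except ValueError:
        pass
    # Plain string form, tolerating quotes and case
    lowered = text.strip("'\"").lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    return None


def decide(raw_llm_reply: str, extractor: Optional[str] = None) -> int:
    """Map the parsed verdict to an HTTP outcome: 200 (let the request through)
    on allow, 403 on deny. Assumption for this example: an unparseable reply is
    treated as deny (fail closed), so a confused or prompt-injected model that
    emits prose instead of a boolean cannot accidentally open the gate."""
    verdict = parse_decision(raw_llm_reply, extractor)
    return 200 if verdict is True else 403


if __name__ == "__main__":
    for msg in build_messages(SYSTEM_PROMPT, SAMPLE_REQUEST):
        print(msg["role"], "->", msg["content"][:80])
    # Simulated provider replies in each documented shape, plus a verbose one
    # that needs the (assumed) extractor regex.
    for reply, extractor in [
        ("true", None),
        ('{"result": false}', None),
        ("Decision: false, the body contains an email address.", r"decision:\s*(true|false)"),
        ("I am not sure about this request.", None),
    ]:
        print(repr(reply), "->", decide(reply, extractor))
```

The extractor is the safety valve for providers whose models pad the answer with explanation: without it, a reply like "Decision: false, ..." parses as neither shape and, under the fail-closed assumption here, is denied even though the model intended to deny anyway; with it, a reply of "Decision: true, ..." is correctly allowed instead of being rejected as noise.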
Example: block requests with sensitive data
{
"ref": "provider_openai",
"prompt": "Analyze the following HTTP request context. Return 'false' if the request body contains any personally identifiable information (PII) like social security numbers, credit card numbers, or email addresses. Return 'true' otherwise."
}
Example: enforce business rules
{
"ref": "provider_openai",
"prompt": "You are an API gateway validator. The following is an HTTP request context in JSON format. Check if the request complies with our API usage policy: POST requests must have a Content-Type header, GET requests must not have a body. Return 'true' if compliant, 'false' otherwise."
}