Home / Kong Plugin Hub
Edit
Report

Noma Runtime Protection

Third Party
Overview ExamplesConfiguration reference
Related Documentation
Gateway Documentation
Made by
Noma
Compatible Protocols
http https
Minimum Version
Kong Gateway - 3.12
Third Party: This plugin is developed, tested, and maintained by Noma.

Noma’s Kong AI Gateway plugin offers full AI detection & response (AI-DR) runtime protection to all OpenAI-compliant modules through your Kong AI Gateway. It allows you to leverage Noma’s AI-DR service to classify, flag, and block a wide range of security risks in real-time.

Integrating the Noma plugin into your AI Gateway allows you to:

  • Centralize security oversight: Automatically stream AI traffic data to the Noma Security Console for comprehensive audit trails and behavioral analysis.
  • Enforce policy in real time: Use Noma’s AI-DR to evaluate every interaction, enabling you to redact PCI, PII, mask sensitive data, and block non-compliant requests instantly (optional).

The Noma plugin provides a high-performance, low-footprint solution for AI security. By processing traffic after SSL termination, it enables Noma to inspect prompts and responses in real time and apply critical security guardrails across your AI workflows.

Install the Noma Runtime Protection plugin

The Noma Runtime Protection plugin is available as a LuaRocks module or as a set of Lua source files.

Prerequisites

Before enabling the plugin, you need to obtain assets from Noma.

Noma assets:

  • Obtain the Noma plugin .rock file or set of Lua files from your Noma Technical Account Manager.
  • Contact your Noma TAM for the client ID and client secret.

Installation steps

Konnect requires the custom plugin’s schema.lua file to create a plugin entry in the plugin catalog for your control plane. Upload the schema.lua file from the downloaded zip file to create a configurable entity in Konnect:

  1. In the Konnect menu, click API Gateway.
  2. Click a control plane.
  3. From the control plane’s menu, click Plugins.
  4. Click New Plugin.
  5. Click Custom Plugin.
  6. Upload the schema.lua file for your plugin.
  7. Check that your file displays correctly in the preview, then click Save.
  8. After uploading a schema to Konnect, upload the schema.lua and handler.lua files from the downloaded zip archive to each Kong Gateway data plane node. If a data plane node doesn’t have these files, the plugin won’t be able to run on that node.
  9. Follow the Dockerfile installation instructions on this page (switch tabs) to get your plugin set up on each node.

You can now configure this custom plugin like any other plugin in Konnect.

Next, set up AI Gateway and enable the plugin.

Enabling the plugin

After installing the plugin, you will need the following Kong Gateway entity configuration:

  1. Set up AI Gateway by creating a Service, a Route, and enabling the AI Proxy plugin.
  2. Create a Consumer and an auth key to identify the application/client calling the API.
  3. Group Consumers (Optional): If you want to set up shared runtime policies, group your Consumers into Consumer Groups.
  4. Enable the Noma Runtime Protection plugin.

Monitoring vs blocking mode

The plugin can run in one of the following modes, configured using the config.monitor_mode parameter:

  • monitor: AI-DR runs asynchronously. Monitors and logs requests, but doesn’t block them. Has no impact on request latency.
  • blocking: AI-DR runs synchronously. Requests/responses may be rejected based on the verdict.

Troubleshooting

If the Noma plugin isn’t behaving as expected, use the following sections to identify and resolve common issues.

Look for [noma-runtime-protection] prefixes to identify specific Lua errors or HTTP handshake failures.

Synchronization and “Plugin Not Found” errors

Symptoms: You see the Noma plugin in Konnect, but requests fail with a 500 Internal Server Error, or the data plane logs show plugin 'noma-runtime-protection' not found.

Possible solutions:

  • Hybrid sync check: Ensure the .rock file was installed on every data plane node. If you have a cluster of 5 nodes, all 5 must have the plugin code.

  • Environment variable check: If you are using Docker or Kubernetes, ensure KONG_PLUGINS environment variable includes noma-runtime-protection. For example:

      PLUGINS=bundled,noma-runtime-protection

  • Lua Path: Verify the plugin is in Kong Gateway’s search path by running:

      luarocks list | grep noma

Connectivity issues

Symptoms: Requests are delayed, or Noma’s console isn’t showing any new inferences.

Possible solutions:

  • Egress rules: Ensure your Kong Gateway nodes have outbound HTTPS access (port 443) to api.noma.security.
  • Credential validation: Double-check your client ID and client secret. If these are incorrect, the plugin will fail to authenticate with the Noma API.
  • Timeout settings: If you are using blocking mode (synchronous), ensure your proxy_timeout settings in kong.conf aren’t too aggressive, as the plugin must wait for a verdict from Noma.

Entity mapping (Noma application ID)

Symptoms: Traffic is appearing in the Noma Console, but it’s all grouped under a generic name.

Possible solutions:

  • Consumer identification: By default, Noma uses the Kong Gateway application ID. If you haven’t assigned a Consumer to the request (for example, you applied the plugin globally without auth), you’ll get a generic 'kong' application ID.

  • Explicit ID: If you want specific grouping, manually enter a unique string in the Application ID field within the Noma plugin configuration in Kong Gateway.

Policy is not blocking (monitor mode)

Symptoms: Malicious prompts are being flagged in the Noma Console but are not being blocked at the Gateway.

Possible solutions:

  • Mode check: Verify that config.monitor_mode is off (false).
    • Monitor mode ON: asynchronous (log only).
    • Monitor mode OFF: synchronous (enforce/block).
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support