Skip to main content

YAML Configuration Schema

Golf Gateway supports YAML configuration for Distributed mode deployments, where server configurations are defined locally in a YAML file while organization policies and monitoring are managed through the Control Plane. This reference documents the complete YAML schema with all fields, types, and validation rules.

When to Use YAML Configuration

Use YAML configuration when you want to:
  • Version control your MCP server configurations alongside your infrastructure code
  • GitOps workflows where server definitions are managed through pull requests
  • Local server definitions while still benefiting from Control Plane’s centralized policy management and monitoring
YAML configuration works in Distributed mode only. The mode is auto-detected: when a control_plane section is present in the YAML, the gateway runs in Distributed mode. For fully managed deployments without local configuration files, use Centralized mode where all settings are managed through the Golf Control Plane.

Quick Start Example

Here’s a complete, annotated configuration showing the most common settings:
golf-gateway.yaml
# ============================================================
# Golf Gateway Configuration - Distributed Mode
# ============================================================
# Schema version (required, must be "1.0")
version: "1.0"

# -------------------- Control Plane Connection ---------------
# Required for distributed mode - get these values from Control Plane
# Mode is auto-detected: control_plane present = distributed mode
control_plane:
  url: https://control-plane.example.com
  api_key: ${GOLF_CP_API_KEY}
  gateway_id: 550e8400-e29b-41d4-a716-446655440000

# -------------------- Identity Providers --------------------
# Configure OAuth/OIDC providers for authentication
identity_providers:
  - name: auth0                              # Unique name (referenced by servers)
    type: auth0                              # auth0, microsoft-entra-id, descope
    issuer: https://myorg.auth0.com/
    jwks_uri: https://myorg.auth0.com/.well-known/jwks.json
    api_identifiers:
      - https://api.example.com              # Must match JWT audience
    # Management API credentials (optional, for group sync)
    client_id: ${AUTH0_MGMT_CLIENT_ID}       # Environment variable substitution
    client_secret: ${AUTH0_MGMT_CLIENT_SECRET}

# -------------------- MCP Servers ---------------------------
# Configure upstream MCP servers with RBAC
servers:
  - name: github-mcp                         # Unique server name
    url: http://github-mcp:3001              # Server URL
    description: "GitHub integration"
    server_type: third_party                 # third_party or inhouse
    enabled: true

    # RBAC: Control who can access this server
    rbac_enabled: true
    rbac_mode: allow                         # allow (whitelist) or deny (blacklist)
    allowed_groups:
      - engineering
      - devops

    # Link to identity provider for group resolution
    idp: auth0

    # Per-server PII scrubbing overrides (merged with gateway defaults)
    security:
      enabled: true
      sensitive_fields: [token, password]    # Additional fields to mask
      whitelist_fields: [cursor, tool_name]  # Fields to never scrub

  - name: internal-tools
    url: http://tools-mcp:3002
    server_type: inhouse                     # auto-maps to visibility: internal
    rbac_enabled: false                      # No RBAC for internal tools

# -------------------- Gateway Policy -------------------------
gateway_policy:
  scrubbing:
    enabled: true
    sensitive_fields: [password, api_key]
  server_rbac:
    rbac_enabled: true
    rbac_mode: allow
    allowed_groups: [gateway-users]

# -------------------- Security Engine -------------------------
security:
  llm:
    backend: v1                              # v1, v2, or remote
    confidence_threshold: 0.93
  replay_protection:
    enabled: true
  rate_limiting:
    enabled: true
    requests_per_minute: 100                 # Per-user limit
    window_seconds: 60

# -------------------- Audit Log Export ----------------------
exporters:
  elasticsearch:
    - name: primary
      enabled: true
      url: ${ELASTICSEARCH_URL}              # Self-hosted URL
      api_key: ${ELASTICSEARCH_API_KEY}
      index_prefix: golf-gateway             # Creates: golf-gateway-YYYY.MM.DD
Use ${VAR} for required environment variables or ${VAR:default} for optional ones with defaults.
Scroll down for detailed documentation of each section.

File Location

The gateway searches for configuration files in this order:
  1. GOLF_CONFIG_FILE environment variable (explicit path)
  2. /etc/golf-gateway/config.yaml
  3. /etc/golf-gateway/config.yml
  4. ./golf-gateway.yaml (current directory)
  5. ./golf-gateway.yml (current directory)
# Explicit path
export GOLF_CONFIG_FILE=/path/to/config.yaml

Environment Variable Interpolation

YAML configuration supports environment variable substitution:
SyntaxBehavior
${VAR}Required - fails if VAR is not set
${VAR:default}Optional - uses default if VAR is not set
# Required variable (fails if not set)
api_key: ${GOLF_API_KEY}

# Optional with default
timeout: ${GOLF_TIMEOUT:30}

# In nested structures
servers:
  - name: github-mcp
    url: ${MCP_SERVER_URL:http://localhost:3001}

Root Configuration

version: "1.0"                    # Required, only "1.0" supported

control_plane:                    # Presence activates distributed mode
  url: https://control-plane.example.com
  api_key: ${GOLF_CP_API_KEY}
  gateway_id: 550e8400-e29b-41d4-a716-446655440000

# Optional sections
identity_providers: []
servers: []
gateway_policy: {}
security: {}
oauth_server: {}
exporters: {}

Root Fields

FieldTypeRequiredDefaultDescription
versionstringYes-Schema version, must be "1.0"
control_planeobjectNo-Control Plane connection settings. Presence activates Distributed mode; absence means Standalone mode.
identity_providersarrayNo[]Identity provider configurations
serversarrayNo[]MCP server configurations
gateway_policyobjectNo{}Gateway-level policy defaults
securityobjectNo{}Security engine settings (LLM threat detection, replay protection, rate limiting)
oauth_serverobjectNo{}Gateway’s MCP OAuth authorization server configuration
exportersobjectNo{}Log export destinations
The deployment mode is auto-detected: if control_plane is present, the gateway runs in Distributed mode. If absent, it runs in Standalone mode. No explicit mode field is needed.

Identity Providers

Configure OAuth/OIDC identity providers for authentication. 
identity_providers:
  - name: auth0-primary
    type: auth0
    issuer: https://myorg.auth0.com/
    jwks_uri: https://myorg.auth0.com/.well-known/jwks.json
    api_identifiers:
      - https://api.example.com
    client_id: ${AUTH0_CLIENT_ID}
    client_secret: ${AUTH0_CLIENT_SECRET}

  - name: descope-corp
    type: descope
    project_id: ${DESCOPE_PROJECT_ID}
    management_key: ${DESCOPE_MANAGEMENT_KEY}
    # issuer and jwks_uri auto-generated for Descope

Identity Provider Fields

FieldTypeRequiredDescription
namestringYesUnique provider name (1-255 chars)
typeenumYesauth0, microsoft-entra-id, descope
issuerstringConditionalOIDC issuer URL (auto-generated for Descope)
jwks_uristringConditionalJWKS endpoint URL (auto-generated for Descope)
userinfo_endpointstringNoUserinfo endpoint URL
api_identifiersarrayNoAPI audience identifiers
timeoutintNoRequest timeout in seconds (default: 10, range: 1-60)
client_idstringNoManagement API client ID (for group sync)
client_secretstringNoManagement API client secret
tenant_idstringConditionalTenant ID. Required for Entra ID (Azure AD tenant). Optional for Descope (tenant-scoped operations).

Descope-Specific Fields

FieldTypeRequiredDescription
project_idstringYes (Descope)Descope Project ID
management_keystringNoDescope Management Key for group sync

Servers

Configure MCP upstream servers with RBAC and security settings. 
servers:
  - name: github-mcp
    url: http://github-mcp:3001
    description: "GitHub integration server"
    server_type: third_party
    enabled: true

    # RBAC
    rbac_enabled: true
    rbac_mode: allow
    allowed_groups:
      - engineering
      - devops

    # Capability RBAC
    capability_rbac_enabled: true
    capability_overrides:
      - capability: "tools/delete_repo"
        rbac_enabled: true
        rbac_mode: allow
        allowed_groups: [repo-admins]

    # Per-server PII scrubbing overrides (merged with gateway defaults)
    security:
      enabled: true
      sensitive_fields: [password, token]
      whitelist_fields: [cursor, tool_name]
      recognizers:
        - entity_type: EMAIL_ADDRESS
          enabled: true
          replacement: "[PII_EMAIL]"

    # Per-server threat whitelist
    threat_whitelist_patterns:
      - "GitHub API rate limit exceeded"

    # Identity provider reference
    idp: auth0-primary

Server Schema

servers
array
List of upstream MCP server configurations.

Gateway Policy

Gateway-level policy defaults that apply to all servers unless overridden. In distributed mode, these are merged with organization policies from the Control Plane. 
gateway_policy:
  scrubbing:
    enabled: true
    sensitive_fields:
      - password
      - api_key
    whitelist_fields:
      - connection_id
      - session_id
      - cursor
    custom_rules:
      - pattern: "sk-[a-zA-Z0-9]+"
        method: mask
    recognizers:
      - entity_type: EMAIL_ADDRESS
        enabled: true
      - entity_type: URL
        enabled: false        # Disable URL scrubbing

  server_rbac:
    rbac_enabled: true
    rbac_mode: allow
    allowed_groups: [gateway-users]
    denied_groups: []
    capability_rbac_enabled: false

  capability_rbac:
    read_only:
      default_groups: [all-users]
    destructive:
      default_groups: [power-users]
    unspecified:
      default_groups: [all-users]

  # Gateway-level threat whitelist patterns
  threat_whitelist_patterns:
    - "Rate limit exceeded for tenant [A-Za-z0-9_-]+"

Scrubbing Policy

The scrubbing configuration uses the same schema at both gateway and server levels. All fields are merged using union — if any layer adds a field or rule, it applies.
FieldTypeDefaultDescription
enabledboolfalseEnable PII scrubbing
sensitive_fieldsarray[]Field names to always mask as [MASKED]
whitelist_fieldsarray[]Field names that should never be scrubbed (protects operational data)
custom_rulesarray[]Custom regex-based scrubbing rules (see server security for schema)
recognizersarray[]Toggle and configure built-in PII recognizers
When recognizer configs are merged across layers (org → gateway → server), enabled: true wins over enabled: false (most-restrictive doctrine). Server-specific replacement text overrides gateway defaults.

Server RBAC Policy

FieldTypeDefaultDescription
rbac_enabledboolfalseDefault RBAC enabled for new servers
rbac_modeenumallowDefault RBAC mode
allowed_groupsarray[]Default allowed groups
denied_groupsarray[]Default denied groups
capability_rbac_enabledboolfalseDefault capability RBAC enabled

Capability RBAC Policy

FieldTypeDescription
read_only.default_groupsarrayDefault groups for read-only tools
destructive.default_groupsarrayDefault groups for destructive tools
unspecified.default_groupsarrayDefault groups for unclassified tools

Local Servers Policy

Controls the gateway-level blocking policy for locally-defined servers.
FieldTypeDefaultDescription
enabledboolfalseEnable local server blocking policy
modeenumallowBlocking mode: allow or deny
groupsarraynullGroups affected by this policy

Threat Whitelist Patterns

FieldTypeDefaultDescription
threat_whitelist_patternsarray[]Regex patterns for content that should bypass LLM threat detection at the gateway policy level

Security

The security section controls how the security subsystem operates: LLM backend, threat detection model, replay protection, and rate limiting. This is operational configuration, not policy — it does not participate in the org → gateway → server policy merge cascade. 
security:
  llm:
    backend: v1                              # v1, v2, or remote
    model_name: qualifire/prompt-injection-jailbreak-sentinel-v2
    confidence_threshold: 0.93
    whitelist_patterns:                      # Content that bypasses threat detection
      - "Unauthorized: Your organization \\(org_[A-Za-z0-9]+\\)"

    # Remote backend config (required when backend: remote)
    # remote:
    #   endpoint: https://my-model.eastus.inference.ml.azure.com/score
    #   api_key_env: GOLF_SECURITY_REMOTE_API_KEY

  replay_protection:
    enabled: true

  rate_limiting:
    enabled: true
    requests_per_minute: 100
    window_seconds: 60

LLM Threat Detection

FieldTypeDefaultDescription
backendstringv1LLM backend: v1, v2, or remote (HTTP endpoint)
whitelist_patternsarray[]Regex patterns for content that should bypass threat detection
remoteobject-Remote inference config (required when backend: remote)

Remote Inference Config

Required when security.llm.backend is remote.
FieldTypeDefaultDescription
endpointstringRequiredURL of the remote inference endpoint
api_key_envstringGOLF_SECURITY_REMOTE_API_KEYEnvironment variable name containing the API key
tenant_id_envstringGOLF_SECURITY_REMOTE_TENANT_IDEnv var for Azure AD tenant ID
client_id_envstringGOLF_SECURITY_REMOTE_CLIENT_IDEnv var for Azure AD client ID
client_secret_envstringGOLF_SECURITY_REMOTE_CLIENT_SECRETEnv var for Azure AD client secret
Protocol is auto-detected from the endpoint URL: azure_ml for *.inference.ml.azure.com URLs, generic otherwise. Set all three Azure AD fields to enable Azure AD authentication; otherwise key-based auth is used.

Replay Protection

FieldTypeDefaultDescription
enabledbooltrueEnable replay attack protection

Rate Limiting

FieldTypeDefaultRangeDescription
enabledbooltrue-Enable rate limiting
requests_per_minuteint10001-5000Requests per minute per user
window_secondsint6010-300Rate limit window
YAML configures the per-user limit only. System-wide (global) and per-server limits are managed through the Control Plane. See Configure Rate Limiting for the full model.

OAuth Server

Configure the gateway’s MCP OAuth authorization server for third-party server authentication flows. 
oauth_server:
  token_ttl: 3600
  refresh_token_ttl: 604800
  authorization_code_ttl: 60
  idp_client_id: ${GOLF_OAUTH_SERVER_IDP_CLIENT_ID}
  idp_client_secret: ${GOLF_OAUTH_SERVER_IDP_CLIENT_SECRET}
FieldTypeDefaultRangeDescription
issuerstringgateway URL-OAuth issuer URL
token_ttlint3600300-86400Access token TTL in seconds
refresh_token_ttlint6048003600-2592000Refresh token TTL in seconds
authorization_code_ttlint6030-600Authorization code TTL in seconds
idp_client_idstring--IdP client ID for the OAuth server
idp_client_secretstring--IdP client secret (supports ${ENV_VAR})

Exporters

Configure multiple export destinations for audit logs. You can configure multiple exporters of each type. 
exporters:
  elasticsearch:
    - name: primary-es
      enabled: true
      url: ${ELASTICSEARCH_URL}
      api_key: ${ELASTICSEARCH_API_KEY}
      index_prefix: golf-gateway
      timeout: 30

  otel:
    - name: primary-otel
      enabled: true
      endpoint: ${OTEL_ENDPOINT}
      protocol: grpc
      service_name: golf-gateway
      export_logs: true

  sentinel:
    - name: azure-sentinel
      enabled: true
      dcr_immutable_id: ${SENTINEL_DCR_ID}
      dcr_endpoint: ${SENTINEL_DCR_ENDPOINT}
      tenant_id: ${AZURE_TENANT_ID}
      client_id: ${AZURE_CLIENT_ID}
      client_secret: ${AZURE_CLIENT_SECRET}

Exporter Schema

exporters
object
Configure audit log export destinations.
For Elasticsearch, use either url (self-hosted) or cloud_id (Elastic Cloud), not both.

Control Plane Connection

Connects the gateway to the Control Plane for centralized policy management and monitoring. The presence of this section activates Distributed mode. 
control_plane:
  url: https://control-plane.example.com
  api_key: ${GOLF_CP_API_KEY}
  gateway_id: 550e8400-e29b-41d4-a716-446655440000
  timeout: 30
  cache_ttl: 300
FieldTypeRequiredDefaultDescription
urlstringYeshttps://api.golf.devControl Plane URL
api_keystringYes-API key for authentication (supports ${ENV_VAR})
gateway_idUUIDYes-Gateway UUID
timeoutintNo30Request timeout (5-120 seconds)
cache_ttlintNo300Policy cache TTL in seconds (60-3600)

Complete Example

A complete Distributed mode configuration with Control Plane connection, identity providers, servers, security, and exporters: 
version: "1.0"

# Control Plane connection (activates distributed mode)
control_plane:
  url: https://control-plane.example.com
  api_key: ${GOLF_CP_API_KEY}
  gateway_id: 550e8400-e29b-41d4-a716-446655440000

# Identity providers for authentication
identity_providers:
  - name: auth0
    type: auth0
    issuer: https://myorg.auth0.com/
    jwks_uri: https://myorg.auth0.com/.well-known/jwks.json
    api_identifiers:
      - https://api.example.com
    client_id: ${AUTH0_MGMT_CLIENT_ID}
    client_secret: ${AUTH0_MGMT_CLIENT_SECRET}

# MCP servers (YAML is source of truth for servers in distributed mode)
servers:
  - name: github-mcp
    url: http://github-mcp:3001
    server_type: third_party
    rbac_enabled: true
    allowed_groups: [engineering]
    idp: auth0
    security:
      enabled: true
      sensitive_fields: [token]
    threat_whitelist_patterns:
      - "GitHub API rate limit exceeded"

  - name: internal-tools
    url: http://tools-mcp:3002
    server_type: inhouse
    rbac_enabled: false

# OAuth authorization server for third-party server auth flows
oauth_server:
  idp_client_id: ${GOLF_OAUTH_SERVER_IDP_CLIENT_ID}
  idp_client_secret: ${GOLF_OAUTH_SERVER_IDP_CLIENT_SECRET}

# Local policy (merged with org policy from Control Plane)
gateway_policy:
  scrubbing:
    enabled: true
    sensitive_fields: [ssn, account_number]
    whitelist_fields: [connection_id, session_id]
  server_rbac:
    rbac_enabled: true
    allowed_groups: [gateway-users]

# Security engine settings
security:
  llm:
    backend: v1
    confidence_threshold: 0.93
  replay_protection:
    enabled: true
  rate_limiting:
    enabled: true
    requests_per_minute: 100

# Audit log exporters
exporters:
  elasticsearch:
    - name: primary
      url: ${ELASTICSEARCH_URL}
      api_key: ${ELASTICSEARCH_API_KEY}

Validation Rules

Version

  • Must be exactly "1.0"
  • Required field

Identity Providers

  • Names must be unique across all providers
  • For non-Descope providers: issuer and jwks_uri are required
  • For Descope: project_id is required; issuer and jwks_uri are auto-generated
  • For Entra ID: tenant_id is required

Servers

  • Names must be unique across all servers
  • idp references must match an existing identity provider name
  • url must be a valid URL
  • When gateway and server both enable RBAC, their rbac_mode must be consistent (cannot mix allow and deny across policy levels)

Exporters

  • Names must be unique within each exporter type
  • Elasticsearch: use url OR cloud_id, not both
  • OTEL: endpoint required when enabled
  • Sentinel: all DCR and auth fields required when enabled

Security

  • When security.llm.backend is remote, the security.llm.remote block is required

Control Plane

  • When present, url, api_key, and gateway_id are required
  • organization_id is optional — resolved from Control Plane during activation if not set
  • Mode is auto-detected: control_plane present = Distributed mode

Configuration Validation CLI

Validate configuration files before deployment: 
# The gateway validates config on startup
GOLF_CONFIG_FILE=/path/to/config.yaml python -m golf_gateway.main --validate

# Check for undefined environment variables
GOLF_CONFIG_FILE=/path/to/config.yaml python -c "
from golf_gateway.config.yaml_loader import validate_yaml_config
errors = validate_yaml_config('/path/to/config.yaml')
for error in errors:
    print(error)
"

Environment Variables

Configure Golf Gateway using environment variables

Audit Log Schema

Complete audit log entry structure reference

RBAC Configuration

Set up role-based access control

Deployment Guide

Deploy Golf Gateway to production