Kong · lena-larionova · Jun 18, 2026 · Jun 17, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -0,0 +1,21 @@
+The {{include.name}} plugin supports the following authentication options for Confluent Cloud connections:
+{% table %}
+columns:
+  - title: "Auth method"
+    key: method
+  - title: Description
+    key: description
+  - title: Example
+    key: example
+rows:
+  - method: "API key (`cluster_api_key` / `cluster_api_secret`)"
+    description: "Authenticates using a Confluent Cloud API key and secret via SASL/PLAIN."
+    example: "--"
+  - method: |
+      SASL/OAUTHBEARER (`oauthbearer`) {% new_in 3.15 %}
+    description: |
+      Authenticates using short-lived OAuth 2.0 access tokens fetched automatically by {{site.base_gateway}}.
+      <br><br>
+      {{site.base_gateway}} uses the `client_credentials` grant to retrieve tokens from the configured `oauthbearer.token_endpoint_url`, caches them until expiry, and presents them in the SASL/OAUTHBEARER handshake. When `oauthbearer` is set, it takes precedence over `cluster_api_key`/`cluster_api_secret`.
+    example: "[SASL/OAUTHBEARER authentication](./examples/oauthbearer/)"
+{% endtable %}
@@ -0,0 +1,41 @@
+The {{include.name}} plugin supports the following SASL authentication mechanisms for broker connections via [`authentication.mechanism`](./reference/#schema--config-authentication-mechanism):
+{% table %}
+columns:
+  - title: "Mechanism"
+    key: mechanism
+  - title: Description
+    key: description
+  - title: Example
+    key: example
+rows:
+  - mechanism: "`PLAIN`"
+    description: |
+      Authenticates using a username and password.
+      <br><br>
+      Set `authentication.strategy` to `sasl` and provide `authentication.user` and `authentication.password`.
+    example: |
+      {% if include.slug == "kafka-consume" %}--{% else %}[Plain authentication](./examples/plain-auth/){% endif %}
+  - mechanism: "`SCRAM-SHA-256`"
+    description: |
+      Authenticates using a username and password with SCRAM-SHA-256 hashing.
+      <br><br>
+      Set `authentication.strategy` to `sasl` and provide `authentication.user` and `authentication.password`.
+    example: |
+      {% if include.slug == "kafka-consume" %}--{% else %}[SCRAM-SHA-256 authentication](./examples/scram-sha-256/){% endif %}
+  - mechanism: "`SCRAM-SHA-512`"
+    description: |
+      Authenticates using a username and password with SCRAM-SHA-512 hashing.
+      <br><br>
+      Set `authentication.strategy` to `sasl` and provide `authentication.user` and `authentication.password`.
+    example: |
+      {% if include.slug == "kafka-consume" %}--{% else %}[SCRAM-SHA-512 authentication](./examples/scram-sha-512/){% endif %}
+  - mechanism: |
+      `OAUTHBEARER` {% new_in 3.15 %}
+    description: |
+      Authenticates using short-lived OAuth 2.0 access tokens fetched automatically by {{site.base_gateway}}.
+      <br><br>
+      {{site.base_gateway}} uses the `client_credentials` grant to retrieve tokens from the configured `authentication.oauthbearer.token_endpoint_url`, caches them until expiry, and presents them in the SASL/OAUTHBEARER handshake.
+      <br><br>
+      Requires the `authentication.oauthbearer` block.
+    example: "[SASL/OAUTHBEARER authentication](./examples/oauthbearer/)"
+{% endtable %}
@@ -0,0 +1,37 @@
+The {{include.name}} plugin supports the following authentication schemes for Solace broker connections through [`session.authentication.scheme`](./reference/#schema--config-session-authentication-scheme):
+{% table %}
+columns:
+  - title: "Scheme"
+    key: scheme
+  - title: Description
+    key: description
+  - title: Example
+    key: example
+rows:
+  - scheme: "`NONE`"
+    description: "No authentication."
+    example: "--"
+  - scheme: "`BASIC`"
+    description: |
+      Authenticates using a username and password.
+      <br><br>
+      Provide `session.authentication.username` and `session.authentication.password`, or supply credentials via `session.authentication.basic_auth_header`.
+    example: |
+      {% if include.slug == "solace-upstream" %}[Send message to Solace queues with persistent delivery](./examples/configure-solace/){% elsif include.slug == "solace-log" %}[Enable Solace Logging](./examples/enable-solace-log/){% else %}--{% endif %}
+  - scheme: "`OAUTH2`"
+    description: |
+      Authenticates using a static OAuth 2.0 access token.
+      <br><br>
+      Provide `session.authentication.access_token` directly, or supply it via `session.authentication.access_token_header`.
+      The token must be rotated manually when it expires.
+    example: "--"
+  - scheme: |
+      `CLIENT_CREDENTIALS` {% new_in 3.15 %}
+    description: |
+      Authenticates using short-lived OAuth 2.0 access tokens fetched and renewed automatically by {{site.base_gateway}}.
+      <br><br>
+      {{site.base_gateway}} uses the `client_credentials` grant to retrieve tokens from `session.authentication.client_credentials.token_endpoint`, caches them until expiry, and retries with a fresh token if Solace returns an unauthenticated response.
+      <br><br>
+      Requires the `session.authentication.client_credentials` block.
+    example: "[OAuth 2.0 client credentials authentication](./examples/oauth-client-credentials/)"
+{% endtable %}
@@ -0,0 +1,49 @@
+description: 'Authenticate to Confluent Cloud using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.'
+
+title: 'SASL/OAUTHBEARER authentication'
+
+weight: 900
+
+min_version:
+  gateway: '3.15'
+
+requirements:
+  - "[Create a Kafka cluster in Confluent Cloud](https://docs.confluent.io/cloud/current/get-started/index.html#step-1-create-a-ak-cluster-in-ccloud)"
+  - "[Create a Kafka topic in the cluster](https://docs.confluent.io/cloud/current/get-started/index.html#step-2-create-a-ak-topic)"
+  - "An OAuth 2.0 identity provider that supports the client credentials grant"
+
+variables:
+  host:
+    description: 'The bootstrap server host.'
+    value: $BOOTSTRAP_SERVER_HOST
+  topic:
+    description: 'The name of the Kafka topic to consume from.'
+    value: $KAFKA_TOPIC
+  token_endpoint_url:
+    description: 'The URL of the OAuth 2.0 token endpoint.'
+    value: $TOKEN_ENDPOINT_URL
+  client_id:
+    description: 'The OAuth 2.0 client ID.'
+    value: $CLIENT_ID
+  client_secret:
+    description: 'The OAuth 2.0 client secret.'
+    value: $CLIENT_SECRET
+
+config:
+  bootstrap_servers:
+  - host: ${host}
+    port: 9092
+  topics:
+  - name: ${topic}
+  mode: http-get
+  oauthbearer:
+    token_endpoint_url: ${token_endpoint_url}
+    client_id: ${client_id}
+    client_secret: ${client_secret}
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform
@@ -62,6 +62,10 @@ For more information, see the [Confluent Cloud documentation](https://docs.confl
 
 Kong also provides a [plugin for publishing messages to Confluent Cloud](/plugins/confluent/).
 
+## Authentication
+
+{% include_cached /plugins/confluent/auth.md slug=page.slug name=page.name %}
+
 ## Implementation details
 
 The plugin supports the following modes of operation:

@@ -0,0 +1,47 @@
+description: 'Authenticate to Confluent Cloud using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.'
+
+title: 'SASL/OAUTHBEARER authentication'
+
+weight: 900
+
+min_version:
+  gateway: '3.15'
+
+requirements:
+  - "[Create a Kafka cluster in Confluent Cloud](https://docs.confluent.io/cloud/current/get-started/index.html#step-1-create-a-ak-cluster-in-ccloud)"
+  - "[Create a Kafka topic in the cluster](https://docs.confluent.io/cloud/current/get-started/index.html#step-2-create-a-ak-topic)"
+  - "An OAuth 2.0 identity provider that supports the client credentials grant"
+
+variables:
+  host:
+    description: 'The bootstrap server host.'
+    value: $BOOTSTRAP_SERVER_HOST
+  topic:
+    description: 'The name of the Kafka topic.'
+    value: $KAFKA_TOPIC
+  token_endpoint_url:
+    description: 'The URL of the OAuth 2.0 token endpoint.'
+    value: $TOKEN_ENDPOINT_URL
+  client_id:
+    description: 'The OAuth 2.0 client ID.'
+    value: $CLIENT_ID
+  client_secret:
+    description: 'The OAuth 2.0 client secret.'
+    value: $CLIENT_SECRET
+
+config:
+  bootstrap_servers:
+  - host: ${host}
+    port: 9092
+  topic: ${topic}
+  oauthbearer:
+    token_endpoint_url: ${token_endpoint_url}
+    client_id: ${client_id}
+    client_secret: ${client_secret}
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform
@@ -64,6 +64,10 @@ With Kafka at its core, [Confluent](https://confluent.io) offers complete, fully
 > * The message format is not customizable.
 > * {{site.base_gateway}} supports Kafka 4.0 starting from version 3.10.
 
+## Authentication
+
+{% include_cached /plugins/confluent/auth.md slug=page.slug name=page.name %}
+
 ## Schema registry support {% new_in 3.11 %}
 
 {% include_cached /plugins/confluent-kafka-consume/schema-registry.md name=page.name slug=page.slug workflow='producer' %}
@@ -0,0 +1,52 @@
+description: 'Authenticate to a Kafka broker using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.'
+
+title: 'SASL/OAUTHBEARER authentication'
+
+weight: 900
+
+min_version:
+  gateway: '3.15'
+
+requirements:
+  - "You have a [Kafka cluster](https://kafka.apache.org/documentation/#quickstart)"
+  - "You have a [Kafka topic](https://kafka.apache.org/documentation/#quickstart_createtopic) in the cluster"
+  - "An OAuth 2.0 identity provider that supports the client credentials grant"
+
+variables:
+  host:
+    description: 'The bootstrap server host.'
+    value: $BOOTSTRAP_SERVER_HOST
+  topic:
+    description: 'The name of the Kafka topic to consume from.'
+    value: $KAFKA_TOPIC
+  token_endpoint_url:
+    description: 'The URL of the OAuth 2.0 token endpoint.'
+    value: $TOKEN_ENDPOINT_URL
+  client_id:
+    description: 'The OAuth 2.0 client ID.'
+    value: $CLIENT_ID
+  client_secret:
+    description: 'The OAuth 2.0 client secret.'
+    value: $CLIENT_SECRET
+
+config:
+  bootstrap_servers:
+  - host: ${host}
+    port: 9092
+  topics:
+  - name: ${topic}
+  mode: http-get
+  authentication:
+    strategy: sasl
+    mechanism: OAUTHBEARER
+    oauthbearer:
+      token_endpoint_url: ${token_endpoint_url}
+      client_id: ${client_id}
+      client_secret: ${client_secret}
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform
@@ -102,6 +102,15 @@ If you try to scope this plugin to a Service on a fresh {{site.base_gateway}} in
 
 In traditional mode, {{site.base_gateway}} will log an error-level message at startup if a `kafka-consume` plugin scoped to a Service is detected. The plugin configuration must be updated after startup. Until the configuration is updated, requests to the previous plugin URL will continue to be forwarded to the upstream Service, and responses will be returned to the downstream client as before.
 
-In DB-less mode, if the declarative configuration file contains a `kafka-consume` plugin scoped to a Service, {{site.base_gateway}} will fail to start. In this case, you must update the declarative configuration before restarting {{site.base_gateway}}.
+In DB-less mode, if the declarative configuration file contains a `kafka-consume` plugin scoped to a Service, {{site.base_gateway}} will fail to start. In this case, proceed as follows:
 
-In hybrid mode, if a `kafka-consume` plugin scoped to a Service exists in PostgreSQL, upgrading and restarting the control plane will succeed. However, before updating the data plane, you must update the plugin configuration. Otherwise, once the data plane is upgraded and restarted, it will fail to sync the configuration due to validation errors.
+1. Update the declarative configuration 1. Restart {{site.base_gateway}}.
+
+In hybrid mode, if a `kafka-consume` plugin scoped to a Service exists in PostgreSQL, upgrading and restarting the control plane will succeed. Then, to avoid validation errors on sync, follow these steps:
+
+1. Update the plugin configuration.
+1. Update and restart the data plane.
+
+## Authentication
+
+{% include_cached /plugins/kafka/auth.md slug=page.slug name=page.name %}
@@ -0,0 +1,44 @@
+description: 'Authenticate to a Kafka broker using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.'
+
+title: 'SASL/OAUTHBEARER authentication'
+
+weight: 900
+
+min_version:
+  gateway: '3.15'
+
+requirements:
+  - "[Kafka installed](https://kafka.apache.org/quickstart#quickstart_download) and running"
+  - "[Create a Kafka topic](https://kafka.apache.org/quickstart#quickstart_createtopic)"
+  - "An OAuth 2.0 identity provider that supports the client credentials grant"
+
+variables:
+  topic:
+    description: 'The name of your Kafka topic.'
+    value: $KAFKA_TOPIC
+  token_endpoint_url:
+    description: 'The URL of the OAuth 2.0 token endpoint.'
+    value: $TOKEN_ENDPOINT_URL
+  client_id:
+    description: 'The OAuth 2.0 client ID.'
+    value: $CLIENT_ID
+  client_secret:
+    description: 'The OAuth 2.0 client secret.'
+    value: $CLIENT_SECRET
+
+config:
+  topic: ${topic}
+  authentication:
+    strategy: sasl
+    mechanism: OAUTHBEARER
+    oauthbearer:
+      token_endpoint_url: ${token_endpoint_url}
+      client_id: ${client_id}
+      client_secret: ${client_secret}
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform
@@ -81,4 +81,8 @@ slug=page.slug %}
 
 ## Schema registry support {% new_in 3.11 %}
 
-{% include_cached /plugins/confluent-kafka-consume/schema-registry.md name=page.name slug=page.slug workflow='producer' %}
+{% include_cached /plugins/confluent-kafka-consume/schema-registry.md name=page.name slug=page.slug workflow='producer' %}
+
+## Authentication
+
+{% include_cached /plugins/kafka/auth.md slug=page.slug name=page.name %}
@@ -0,0 +1,44 @@
+description: 'Authenticate to a Kafka broker using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.'
+
+title: 'SASL/OAUTHBEARER authentication'
+
+weight: 900
+
+min_version:
+  gateway: '3.15'
+
+requirements:
+  - "[Kafka installed](https://kafka.apache.org/quickstart#quickstart_download) and running"
+  - "[Create a Kafka topic](https://kafka.apache.org/quickstart#quickstart_createtopic)"
+  - "An OAuth 2.0 identity provider that supports the client credentials grant"
+
+variables:
+  topic:
+    description: 'The name of your Kafka topic.'
+    value: $KAFKA_TOPIC
+  token_endpoint_url:
+    description: 'The URL of the OAuth 2.0 token endpoint.'
+    value: $TOKEN_ENDPOINT_URL
+  client_id:
+    description: 'The OAuth 2.0 client ID.'
+    value: $CLIENT_ID
+  client_secret:
+    description: 'The OAuth 2.0 client secret.'
+    value: $CLIENT_SECRET
+
+config:
+  topic: ${topic}
+  authentication:
+    strategy: sasl
+    mechanism: OAUTHBEARER
+    oauthbearer:
+      token_endpoint_url: ${token_endpoint_url}
+      client_id: ${client_id}
+      client_secret: ${client_secret}
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform