Skip to main content
This guide walks you through creating a custom guardrail plugin for the Portkey Gateway, configuring it locally, and testing it end-to-end. By the end, you’ll have a working guardrail that runs on every request through your self-hosted gateway.

Prerequisites

  • Node.js 18+ installed
  • The Portkey Gateway repository cloned locally
  • An API key for any external service your guardrail calls (optional)

How gateway plugins work

Portkey’s open-source gateway supports a plugin system specifically designed for guardrails. Each plugin:
  1. Lives in the /plugins directory of the gateway repository
  2. Declares its configuration in a manifest.json file
  3. Exports a handler function that receives the request/response context and returns a verdict
  4. Can hook into beforeRequestHook (input guardrail) or afterRequestHook (output guardrail)

Step 1: Create the plugin folder structure

Inside the gateway repository, create a new folder under /plugins:

Step 2: Define the manifest

The manifest.json file declares your plugin’s identity, required credentials, and the guardrail functions it exposes.
manifest.json
Key fields:

Step 3: Implement the handler

Create your main TypeScript file (e.g., main.ts) that exports the guardrail handler:
main.ts

Handler parameters

Return values

Step 4: Write tests

Create a test file to validate your guardrail logic:
main.test.ts
Run tests with:

Step 5: Configure the gateway

Edit the conf.json file in the root of the gateway repository to enable your plugin and provide credentials:
conf.json
  • plugins_enabled — List of plugin IDs to load. "default" includes the built-in plugins.
  • credentials — Maps plugin IDs to their credential values. Keys must match the credentials.properties defined in your manifest.json.

Step 6: Build and run locally

Build the plugins and start the gateway:
Alternative dev commands:
The gateway starts on http://localhost:8787 by default.

Step 7: Test with a live request

Send a request through your local gateway to verify the guardrail works:
If the guardrail passes (verdict: true), the request proceeds to the LLM. If it fails (verdict: false), the gateway returns a 446 status code (when deny is enabled) or a 246 status code (when deny is disabled).
The x-portkey-config header accepts an inline JSON config. For production use, create a config through the Portkey app and reference it by ID instead.

Example: profanity filter guardrail

Here’s a complete example of a simple profanity filter plugin:
1

Create the plugin folder

2

Add the manifest

plugins/profanity-filter/manifest.json
3

Implement the handler

plugins/profanity-filter/main.ts
4

Configure and run

Update conf.json:
Build and start:

Next steps

Last modified on April 2, 2026