DataDome Kong Plugin build detects and protects against bot activity

The DataDome plugin is developed in Lua and integrates smoothly with Kong (no IPC - interprocess communication)

The script will hook into the request/response of an API request and it is executed for every request from a client and before it is being proxied to the upstream on the access phase (see details here).


  • Kong Gateway OSS (Open Source)
  • Kong Konnect (Version managed by KongHQ)


On each node (data plane), run the following command:

sudo luarocks install kong-plugin-datadome


Loading the plugin

Add DataDome to the plugin's list

You can choose one of the options below:

  1. Kong configuration file (on each Kong node): comma separated list with all your plugins, please add datadome
plugins = plugin1,plugin2,datadome
  1. Environment variable (KONG_PLUGINS) : comma separated list with all your plugins, please add datadome
KONG_PLUGINS = plugin1,plugin2,datadome

Apply the plugin

You can restart kong:

 kong restart

Or, if you want to apply a plugin without stopping Kong:

 kong prepare
 kong reload

More detailed information on Kong official documentation here

Enable DataDome Bot Protection to your API

DataDome Server Side Key is available inside your Dashboard > Integrations

Option 1 : Kong Open Source

If you already have an API configured, execute the command below replacing the following <values>

curl -i -X POST http://localhost:8001/services/<YOUR_API>/plugins \
     -F "name=datadome" \
     -F "config.datadome_server_side_key=<server_side_key>"

Option 2 : Kong Konnect

  1. Ask your Kong Account Manager or CSM to enable DataDome plugin in your tenant
  2. Depending where you want to enable DataDome (Globally or at services level), select Plugins
  1. Click + New Plugin
  1. On Custom Plugins, select DataDome
  1. Fill Datadome Server Side Key
  2. Save

You are now protected by DataDome Bot & Fraud Protection


SettingDescriptionRequiredDefault Value
datadome_server_side_keyyour DataDome License keyyes-
datadome_endpointhostname of the API Server
Available endpoints
datadome_timeoutTimeout for regular API callsno150 (in milliseconds)
datadome_url_pattern_inclusionRegular expression to include URLsno-
datadome_url_pattern_exclusionRegular expression to exclude URLsnoList of excluded static assets below

Settings example:

curl -i -X POST http://localhost:8001/services/<YOUR_API>/plugins \
     -F "name=datadome" \
     -F "config.datadome_server_side_key=<server_side_key>" \
     -F "config.datadome_timeout=150" \


How do I activate debug logs?

To activate the debug level, you can choose one of the options below:

  1. Kong configuration file
log_level = debug
  1. Environment variable

The debug level allows you to see:

  • all the plugins loaded
  • DataDome verbose mode