# Notification Gateway Service

ESS provides a Notification Gateway Service for discovering the protocol-specific endpoints.

{% hint style="info" %}
The Notification Gateway Service is based on an early draft version of Solid Notifications Protocol. Features based on the draft specifications are subject to change.
{% endhint %}

### Notification Gateway Service Endpoint

ESS Notification Gateway Service has the following endpoint:

```none
https://notification.<ESS Domain>/
```

To determine the [WebSocket Notification Service](https://docs.inrupt.com/ess/2.3/services/service-notification/service-websocket) endpoint, clients can **`POST`** to the ESS Notification Gateway; no authentication is required:

<table data-header-hidden><thead><tr><th width="183.30401611328125"></th><th></th></tr></thead><tbody><tr><td>Method:</td><td><strong><code>POST</code></strong></td></tr><tr><td>Endpoint:</td><td><strong><code>https://notification.&#x3C;ESS Domain>/</code></strong></td></tr><tr><td>Content-Type:</td><td><strong><code>application/json</code></strong></td></tr><tr><td>Body:</td><td><strong><code>{ "protocols": ["ws"] }</code></strong></td></tr></tbody></table>

The response JSON contains the WebSocket endpoint that clients can access for login; for example:

```json
{ "endpoint": "https://websocket.<ESS Domain>/", "features": [], "protocol": "ws" }
```

See [WebSocket Notification Service](https://docs.inrupt.com/ess/2.3/services/service-notification/service-websocket) for details on using the endpoint.

### Configuration

As part of the [installation process](https://docs.inrupt.com/ess/2.3/installation), Inrupt provides base Kustomize overlays and associated files that require deployment-specific configuration inputs.

The following configuration options are available for the service and may be set as part of updating the inputs for your deployment. The Inrupt-provided base Kustomize overlays may be using updated configuration values that differ from the default values.

#### Required

**INRUPT\_NOTIFICATION\_PROTOCOLS\_WS\_ENDPOINT**

The URL of the WebSocket endpoint (e.g., **`https://websocket.{ESS Domain}/`**) returned by the Gateway.

**INRUPT\_NOTIFICATION\_WS\_ENDPOINT**

The URL of the WebSocket endpoint (e.g., **`https://websocket.{ESS Domain}/`**) returned by the Gateway.

#### Optional

**Configuration Logging**

ESS services log their startup configuration.

**INRUPT\_LOGGING\_CONFIGURATION\_PREFIX\_ALLOW**

*Default*: inrupt,smallrye.jwt.sign.key.location

A comma-separated list of configuration property prefixes (**case-sensitive**) that determine which configurations are logged:

* If the list is empty, **NO** configuration property is logged.
* If a configuration property starts with a listed prefix (**case-sensitive**), the configuration property and its value are logged **unless** the configuration also matches a prefix in [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) (which acts as a filter on the [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) list). As such, if the configuration matches a prefix in both [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny), [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) takes precedence and the configuration is not logged. For example, if **`inrupt.`** is an allow prefix but **`inrupt.kafka.`** is a deny prefix, all configurations that start with **`inrupt.kafka.`** are excluded from the logs.

You can specify the prefixes in one of two formats:

* using dot notation (e.g., **`inrupt.foobar.`**), or
* using the [MicroProfile Config environmental variables conversion value](https://quarkus.io/guides/config-reference#environment-variables) (e.g., **`INRUPT_FOOBAR_`**).

{% hint style="danger" %}
**Warning**\
Use the same format for **both** [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny).

For example, if you change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow), change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) as well.
{% endhint %}

{% hint style="info" %}
**Tip**\
To avoid allowing more configurations than desired, specify as much of the prefix as possible. If the prefix specifies the complete prefix term, include the term delimiter. For example:

* If using dot notation, to match configuration properties of the form **`foobar.<xxxx>...`**, specify **`foobar.`** (including the dot **`.`**) instead of, for example, **`foo`** or **`foobar`**.
* If using the converted form, to match configuration properties of the form **`FOOBAR_<XXXX>...`**, specify **`FOOBAR_`** (including the underscore **`_`**) instead of, for example, **`FOO`** or **`FOOBAR`**.

{% endhint %}

**INRUPT\_LOGGING\_CONFIGURATION\_PREFIX\_DENY**

*Default*:

A comma-separated list of configuration name prefixes (**case-sensitive**) that determines which configurations (that would otherwise match the [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow)) are not logged. That is, [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) acts as a filter on [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow). For example:

* If **`foobar.`** is an allowed prefix, to suppress **`foobar.private.`**, you can add **`foobar.private.`** to the deny list.
* If **`foobar.`** is **not** an allowed prefix, no property starting with **`foobar.`** is logged. As such, you do not need to add **`foobar.private`** to the deny list.

You can specify the prefixes in one of two formats:

* using dot notation (e.g., **`inrupt.foobar.`**), or
* using the [MicroProfile Config environmental variables conversion value](https://quarkus.io/guides/config-reference#environment-variables) (e.g., **`INRUPT_FOOBAR_`**).

{% hint style="danger" %}
**Warning**\
Use the same format for **both** [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny).

For example, if you change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow), change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) as well.
{% endhint %}
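The allow/deny rules above can be checked against a list of property names before a deployment ships. The following Python model is an added example, not ESS code: the function names and sample properties are hypothetical, prefixes are compared literally against the names supplied, and the format detection is a heuristic assumption (the page does not describe how ESS normalises the converted form).

```python
# Added example: a model of the documented allow/deny rules, not ESS source code.

def split_list(value):
    """Parse a comma-separated prefix list; an empty string yields no prefixes."""
    return [p.strip() for p in value.split(",") if p.strip()]

def is_logged(prop, allow, deny):
    """Logged only if the name starts with an allow prefix and with no deny
    prefix. Matching is case-sensitive and deny takes precedence."""
    if not any(prop.startswith(p) for p in allow):
        return False  # also covers the empty allow list: nothing is logged
    return not any(prop.startswith(p) for p in deny)

def style(prefix):
    """Heuristic (assumption): the converted form is upper-case without dots."""
    return "env" if prefix == prefix.upper() and "." not in prefix else "dot"

def lint(allow, deny):
    """Flag the two mistakes the Warning and Tip describe."""
    findings = []
    if len({style(p) for p in allow + deny}) > 1:
        findings.append("mixed formats across allow/deny lists")
    for p in allow + deny:
        if not p.endswith("." if style(p) == "dot" else "_"):
            findings.append(f"prefix {p!r} lacks a term delimiter")
    return findings

def audit(props, allow_value, deny_value):
    """Return (property names that would be logged, lint findings)."""
    allow, deny = split_list(allow_value), split_list(deny_value)
    return [p for p in props if is_logged(p, allow, deny)], lint(allow, deny)

# Constructed property names for illustration (not a real ESS configuration dump).
SAMPLE_PROPS = [
    "inrupt.notification.ws.endpoint",
    "inrupt.kafka.sasl.jaas.config",
    "inruptx.debug.token",
    "quarkus.http.port",
]

if __name__ == "__main__":
    for allow, deny in [("inrupt", ""), ("inrupt.", "inrupt.kafka.")]:
        logged, findings = audit(SAMPLE_PROPS, allow, deny)
        print(f"allow={allow!r} deny={deny!r}")
        print(f"  logged: {logged}")
        print(f"  lint:   {findings}")
```

With the allow prefix `inrupt` and no deny list, the unrelated `inruptx.debug.token` and the Kafka credential property are both logged; with `inrupt.` allowed and `inrupt.kafka.` denied, only the endpoint property remains.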

#### Log Redaction

**INRUPT\_LOGGING\_REDACTION\_NAME\_ACTION**

*Default*: **`REPLACE`**

Type of the redaction to perform. Supported values are:

<table><thead><tr><th width="163.2471923828125">Action</th><th>Description</th></tr></thead><tbody><tr><td><strong><code>REPLACE</code></strong></td><td>Default. Replaces the matching text with a specified replacement.</td></tr><tr><td><strong><code>PLAIN</code></strong></td><td>Leaves the matching field unprocessed. Only available if the redaction target is a field (i.e., <strong><code>INRUPT_LOGGING_REDACTION_{NAME}_FIELD</code></strong>).</td></tr><tr><td><strong><code>DROP</code></strong></td><td>Suppresses the matching field. Only available if the redaction target is a field (i.e., <strong><code>INRUPT_LOGGING_REDACTION_{NAME}_FIELD</code></strong>).</td></tr><tr><td><strong><code>PRIORITIZE</code></strong></td><td>Changes the log level of the matching message.</td></tr><tr><td><strong><code>SHA256</code></strong></td><td>Replaces the matching text with its hash.</td></tr></tbody></table>

* If the action is **`REPLACE`** (*default*), see also **`INRUPT_LOGGING_REDACTION_{NAME}_REPLACEMENT`**.
* If the action is to **`PRIORITIZE`**, see also **`INRUPT_LOGGING_REDACTION_{NAME}_LEVEL`**.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

**INRUPT\_LOGGING\_REDACTION\_NAME\_ENABLED**

*Default*: **true**

A boolean that determines whether the redaction configurations with the specified **`INRUPT_LOGGING_REDACTION_{NAME}_`** prefix are enabled.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

**INRUPT\_LOGGING\_REDACTION\_NAME\_EXCEPTION**

Fully qualified name of the exception class to match in the log messages (includes inner exception). Configure to target an exception message class.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

**INRUPT\_LOGGING\_REDACTION\_NAME\_FIELD**

Exact name of the field to match in the log messages. Configure to target a specific log message field for redaction.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

**INRUPT\_LOGGING\_REDACTION\_NAME\_LEVEL**

A new log level to use for the log message if the **`INRUPT_LOGGING_REDACTION_{NAME}_ACTION`** is **`PRIORITIZE`**.

**INRUPT\_LOGGING\_REDACTION\_NAME\_PATTERN**

A regex (see Java regex pattern) to match in the log messages. Configure to target log message text that matches a specified pattern.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

**INRUPT\_LOGGING\_REDACTION\_NAME\_REPLACEMENT**

Replacement text to use if the **`INRUPT_LOGGING_REDACTION_{NAME}_ACTION`** is **`REPLACE`**.

If unspecified, defaults to **`[REDACTED]`**.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).
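A redaction pattern is worth testing against representative log lines before it is deployed. The following Python model is an added example, not ESS code: it groups `INRUPT_LOGGING_REDACTION_{NAME}_*` variables by name and applies the `REPLACE` and `SHA256` actions to pattern targets using the defaults documented above. The rule names, patterns and log line are constructed; Python's `re` stands in for Java regex, and the hex encoding of the hash is an assumption. Field, exception and `PRIORITIZE` handling are not modelled.

```python
import hashlib
import re

PREFIX = "INRUPT_LOGGING_REDACTION_"

def load_rules(env):
    """Group INRUPT_LOGGING_REDACTION_{NAME}_{ATTR} variables by NAME."""
    rules = {}
    for key, value in env.items():
        if key.startswith(PREFIX):
            name, _, attr = key[len(PREFIX):].rpartition("_")
            rules.setdefault(name, {})[attr] = value
    return rules

def redact(message, rules):
    """Apply enabled pattern rules; ENABLED defaults to true, ACTION to REPLACE."""
    for name in sorted(rules):
        rule = rules[name]
        if rule.get("ENABLED", "true").lower() != "true" or "PATTERN" not in rule:
            continue
        action = rule.get("ACTION", "REPLACE")
        if action == "REPLACE":
            text = rule.get("REPLACEMENT", "[REDACTED]")
            # A callable replacement keeps backslashes in the text literal.
            message = re.sub(rule["PATTERN"], lambda m: text, message)
        elif action == "SHA256":
            # Assumption: hex digest of the UTF-8 match; the page gives no encoding.
            message = re.sub(
                rule["PATTERN"],
                lambda m: hashlib.sha256(m.group(0).encode()).hexdigest(),
                message,
            )
    return message

# Constructed rules and log line for illustration only.
SAMPLE_ENV = {
    "INRUPT_LOGGING_REDACTION_BEARER_PATTERN": r"Bearer [A-Za-z0-9._-]+",
    "INRUPT_LOGGING_REDACTION_BEARER_REPLACEMENT": "Bearer [REDACTED]",
    "INRUPT_LOGGING_REDACTION_WEBID_PATTERN": r"https://id\.example\.test/[a-z]+",
    "INRUPT_LOGGING_REDACTION_WEBID_ACTION": "SHA256",
    "INRUPT_LOGGING_REDACTION_EMAIL_PATTERN": r"[\w.]+@[\w.]+",
    "INRUPT_LOGGING_REDACTION_EMAIL_ENABLED": "false",
}
SAMPLE_LINE = ("request by https://id.example.test/alice with "
               "Authorization: Bearer abc.def-123 (alice@example.test)")

if __name__ == "__main__":
    print(redact(SAMPLE_LINE, load_rules(SAMPLE_ENV)))
```

The disabled `EMAIL` rule leaves the address in the output, which is the kind of gap this check is meant to surface.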

#### Application-Defined Metadata Propagation

**INRUPT\_AUDIT\_PRODUCER\_REQUEST\_METADATA\_ALLOW**

A comma-separated list of application-defined properties that can be included in the associated audit events (unless specified in the corresponding [**`INRUPT_AUDIT_PRODUCER_REQUEST_METADATA_DENY`**](#inrupt_audit_producer_request_metadata_deny)).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
Tip\
To include a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

**INRUPT\_AUDIT\_PRODUCER\_REQUEST\_METADATA\_DENY**

A comma-separated list of application-defined properties to exclude from the associated audit messages. This setting takes precedence over [**`INRUPT_AUDIT_PRODUCER_REQUEST_METADATA_ALLOW`**](#inrupt_audit_producer_request_metadata_allow).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
Tip\
To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

**INRUPT\_LOGGING\_REQUEST\_METADATA\_ALLOW**

A comma-separated list of application-defined properties that can be included in the associated log messages (unless specified in the corresponding [**`INRUPT_LOGGING_REQUEST_METADATA_DENY`**](#inrupt_logging_request_metadata_deny)).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
Tip\
To include a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

**INRUPT\_LOGGING\_REQUEST\_METADATA\_DENY**

A comma-separated list of application-defined properties to exclude from the associated log messages. This setting takes precedence over [**`INRUPT_LOGGING_REQUEST_METADATA_ALLOW`**](#inrupt_logging_request_metadata_allow).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
Tip\
To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

**INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_ALLOW**

A comma-separated list of non-baggage request headers to add to the baggage (unless specified in the corresponding [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_DENY`**](#inrupt_request_metadata_propagator_header_deny)); i.e., include these non-baggage request headers as application-defined properties.

The configuration is case-insensitive; i.e., the listed headers do **not** need to match the case of the client request headers. For example, a list that includes **`x-correlation-id`** can match **`x-correlation-id`** header, **`X-CoRrElAtIoN-Id`** header, etc.

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

**INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_DENY**

A comma-separated list of non-baggage request headers to exclude from being added to the baggage; i.e., excludes these headers as application-defined properties. This setting takes precedence over [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow).

The configuration is case-insensitive; i.e., the listed headers do **not** need to match the case of the client request headers. For example, a list that includes **`x-correlation-id`** can match (and exclude) **`x-correlation-id`** header, **`X-CoRrElAtIoN-Id`** header, etc.

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

**INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_OVERRIDES**

A flag that determines ESS behavior when a metadata property is defined both as a header and as a baggage entry:

* If **true**, ESS updates/overrides the baggage entry with the header value.
* If **false** (the default), ESS keeps the baggage entry.

For details, see [Duplicate Property Definition](https://docs.inrupt.com/ess/administration/application-defined-metadata#duplicate-property-definition).

**INRUPT\_REQUEST\_METADATA\_REFLECTOR\_HEADER\_ALLOW**

A comma-separated list of application-defined properties that can return as response headers (unless specified in the corresponding [**`INRUPT_REQUEST_METADATA_REFLECTOR_HEADER_DENY`**](#inrupt_request_metadata_reflector_header_deny)).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
Tip

* To return a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
* You may need to update **`QUARKUS_HTTP_CORS_EXPOSED_HEADERS`** to extend the list of [CORS-safelisted response headers](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header).

{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

**INRUPT\_REQUEST\_METADATA\_REFLECTOR\_HEADER\_DENY**

A comma-separated list of application-defined properties to exclude from returning as response headers. This setting takes precedence over [**`INRUPT_REQUEST_METADATA_REFLECTOR_HEADER_ALLOW`**](#inrupt_request_metadata_reflector_header_allow).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
Tip\
To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### Additional Information

See also [Quarkus Configuration Options](https://quarkus.io/guides/all-config).
