I’m trying to architect a solution to protect a few of our internal data services. To do that I want to put Kong in the middle of the mix in order add an extra layer of security. In this case an external entity will be calling our service, they authenticate with oAuth2 and will be managing it all that on their side. What I would like to be able to do it to reject their call if they don’t have a valid set of tokens. In reading, it would seem that Kong can’t do that out of the box. Is there a plugin that would handle this kind of validation or will we have to develop something to handle this? Just an FYI the backend is NodeJS.