Response aggregation and upstream authentication

We’re currently evaluating Kong as an API management tool, and have run into roadblocks on a couple of features. I’d love some info on whether these are possible, preferably without requiring third party plugins, etc.

First, what’s the best way to authenticate our gateway service with the upstream service? I can see there are several authentication plugins, but they seem to be only for authenticating with the Kong endpoint. We’ve tried, unsuccessfully, to use the request transformer plugin with a reference to a vault value. For testing purposes, we’ve had to statically specify our auth header using a request transformer, but would prefer a better way to secure this. This approach also won’t work if we need to integrate with an OAuth provider.

Secondly, how would we go about sending a request to multiple upstream services at once, and combine their responses into a single response back to the consumer? This is a key feature of several alternatives we’re reviewing, but seems to be unavailable with Kong.

Thanks for any help.