Auth plugins must implement request checking on a HTTP port and path such as
- Valid requests: return 2xx
- Invalid requests: return non 2xx
It is up to the developer to pick whether a request body is required for validation. For strategies such as Basic Authentication, headers are sufficient.