diff --git a/kbs/src/api_server.rs b/kbs/src/api_server.rs
index a9a6e2edca..eb626bb487 100644
--- a/kbs/src/api_server.rs
+++ b/kbs/src/api_server.rs
@@ -269,7 +269,7 @@ pub(crate) async fn api(
 // Plugin calls need to be authorized by the admin auth
 core.admin_auth.validate_auth(&request)?;
 let response = plugin
- .handle(&body, query, additional_path, request.method())
+ .handle(&body, query, additional_path, request.method(), None)
 .await
 .map_err(|e| Error::PluginInternalError { source: e })?;
@@ -282,6 +282,8 @@ pub(crate) async fn api(
 .map_err(|_| Error::TokenNotFound)?;
 let claims = core.token_verifier.verify(token).await?;
+ let init_data = claims
+ .pointer("/submods/cpu0/ear.veraison.annotated-evidence/init_data_claims");
 let claim_str = serde_json::to_string(&claims)?;
@@ -299,7 +301,7 @@ pub(crate) async fn api(
 KBS_POLICY_APPROVALS.inc();
 let response = plugin
- .handle(&body, query, additional_path, request.method())
+ .handle(&body, query, additional_path, request.method(), init_data)
 .await
 .map_err(|e| Error::PluginInternalError { source: e })?;
 if plugin
diff --git a/kbs/src/plugins/implementations/nebula_ca.rs b/kbs/src/plugins/implementations/nebula_ca.rs
index 25e3554d11..85df106d5f 100644
--- a/kbs/src/plugins/implementations/nebula_ca.rs
+++ b/kbs/src/plugins/implementations/nebula_ca.rs
@@ -399,6 +399,7 @@ impl ClientPlugin for NebulaCaPlugin {
 query: &str,
 path: &str,
 method: &Method,
+ _init_data: Option<&serde_json::Value>,
 ) -> Result> {
 let sub_path = path
 .strip_prefix('/')
diff --git a/kbs/src/plugins/implementations/pkcs11.rs b/kbs/src/plugins/implementations/pkcs11.rs
index d562cbd1ae..d9e9f4cea4 100644
--- a/kbs/src/plugins/implementations/pkcs11.rs
+++ b/kbs/src/plugins/implementations/pkcs11.rs
@@ -77,6 +77,7 @@ impl ClientPlugin for Pkcs11Backend {
 _query: &str,
 path: &str,
 method: &Method,
+ _init_data: Option<&serde_json::Value>,
 ) -> Result> {
 let desc = path
 .strip_prefix('/')
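Review bot: In kbs/src/api_server.rs, hunk `@@ -282,6 +282,8 @@`, the `claims.pointer(...)` lookup hard-codes the `cpu0` submodule and the EAR claim layout, and every miss becomes `None`, which is also what the admin branch passes in the first hunk. A plugin therefore cannot distinguish an admin call, a token without init-data claims, and a token whose layout simply differs from this pointer, so any plugin that later makes a decision on init-data has to fail closed on `None`. I would move the pointer string into a named constant and put a comment on the lookup, for example `// None if the verified token has no init_data_claims under submods/cpu0; callers must not read None as an approved configuration`. The value is only handed to the plugin in the third hunk, after the policy-approval counter is incremented, which looks like the right place. The body of `api` starts and ends outside these hunks, so whether tokens here are always in EAR form is not visible.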
diff --git a/kbs/src/plugins/implementations/resource/mod.rs b/kbs/src/plugins/implementations/resource/mod.rs
index 7ca3aecc3f..06cdce9e8f 100644
--- a/kbs/src/plugins/implementations/resource/mod.rs
+++ b/kbs/src/plugins/implementations/resource/mod.rs
@@ -26,6 +26,7 @@ impl ClientPlugin for ResourceStorage {
 _query: &str,
 path: &str,
 method: &Method,
+ _init_data: Option<&serde_json::Value>,
 ) -> Result> {
 let resource_desc = path
 .strip_prefix('/')
diff --git a/kbs/src/plugins/implementations/sample.rs b/kbs/src/plugins/implementations/sample.rs
index ad04b72495..d859614f13 100644
--- a/kbs/src/plugins/implementations/sample.rs
+++ b/kbs/src/plugins/implementations/sample.rs
@@ -35,6 +35,7 @@ impl ClientPlugin for Sample {
 _query: &str,
 _path: &str,
 _method: &Method,
+ _init_data: Option<&serde_json::Value>,
 ) -> Result> {
 Ok("sample plugin response".as_bytes().to_vec())
 }
diff --git a/kbs/src/plugins/plugin_manager.rs b/kbs/src/plugins/plugin_manager.rs
index c4d91ca552..a17da3b8e9 100644
--- a/kbs/src/plugins/plugin_manager.rs
+++ b/kbs/src/plugins/plugin_manager.rs
@@ -20,9 +20,31 @@ type ClientPluginInstance = Arc;
 #[async_trait::async_trait]
 pub trait ClientPlugin: Send + Sync {
- /// This function is the entry to a client plugin. The function
- /// marks `&self` rather than `&mut self`, because it will leave
- /// state and synchronization issues down to the concrete plugin.
+ /// Plugins fulfill requests using this function
+ /// and following REST semantics.
+ ///
+ /// A request is provided to the plugin in parts.
+ /// The @path is the base of the request and usually represents
+ /// some object that the plugin will provide.
+ ///
+ /// The @query is a query string passed in addition to the path
+ /// that can represent additional parameters not expressed
+ /// in the path.
+ ///
+ /// The request @method can be GET or POST. GET requests are typically
+ /// used from inside the guest to retrieve a resource.
+ /// POST requests are usually made by admins configuring a resource.
+ /// The @body of the request is also provided, but this should only
+ /// be used with POST requests.
+ ///
+ /// The @init_data field provides measured guest configuration
+ /// if it is provided by the guest and validated by the
+ /// attestation agent.
+ ///
+ ///
+ /// The handle function takes `&self` rather than `&mut self`,
+ /// because individual plugin backends are expected to
+ /// implement their own synchronization logic.
 ///
 /// TODO: change body from Vec slice into Reader to apply for large
 /// body stream.
@@ -32,6 +54,7 @@ pub trait ClientPlugin: Send + Sync {
 query: &str,
 path: &str,
 method: &Method,
+ init_data: Option<&serde_json::Value>,
 ) -> Result>;
 /// Whether the concrete request needs to validate the admin auth.
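Review bot: In kbs/src/plugins/plugin_manager.rs, hunk `@@ -20,9 +20,31 @@`, the new doc comment for `init_data` does not say what `None` means, although the call sites in api_server.rs pass `None` both for admin requests and whenever the claim pointer finds nothing. This is the contract plugin authors will read, so I would add `/// init_data is None for admin-authenticated requests and when the verified token carries no init-data claims; plugins that base access decisions on it must reject None.` The text also says the data is validated by "the attestation agent", while the visible caller takes it from the claims returned by `core.token_verifier.verify(token)`, so naming the token verifier would be more accurate. As a style point, rustdoc convention is backticked parameter names rather than `@path`, and the doubled empty `///` line can be dropped. The trait body continues past the last hunk.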