Your backend, protected at the entry point.
Create an API Gateway, register your backend services, define routes, and pick an auth mode. AuthGate gateway-server enforces everything at runtime — your backend only receives requests that passed authentication.
Setup
From zero to protected API in four steps.
Create a gateway
Name it, give it a description, and choose your auth mode. This is your gateway identity.
Register a service
Add your backend URL as a service — for example http://my-api.com. Services belong to a specific gateway.
Define routes
Map incoming paths and HTTP methods to paths inside your service. Mark each route PUBLIC or SECURE.
Share the entry point
Your end users call the gateway URL to reach your API. The gateway handles auth and forwards valid requests.
Services & Routes
What is the difference?
Service
Your backend application
A service is your backend server. You register it with a name and a base URL like http://my-api.com. The gateway knows to forward traffic there.
Route
A specific path inside a service
A route maps an incoming path and HTTP method to a target path inside a service — for example GET /users/** forwards to /api/users/** on your service.
PUBLIC
No credentials needed. The gateway forwards the request directly. Good for open data, health checks, or public endpoints.
SECURE
The gateway validates credentials before forwarding. The auth mode set on the gateway applies to all SECURE routes inside it.
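The route behaviour described above, sketched as an added example; this is not AuthGate's own code. The route table, the status codes, the `authenticated` flag (standing in for the result of the gateway's credential check) and the choice to reject unmatched requests are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    method: str   # HTTP method, e.g. "GET"
    pattern: str  # incoming path; a trailing "/**" matches any subpath
    target: str   # path inside the service, same "/**" convention
    access: str   # "PUBLIC" or "SECURE"

# Constructed sample table; only the /users/** mapping appears on the page.
ROUTES = [
    Route("GET", "/users/**", "/api/users/**", "SECURE"),
    Route("GET", "/health", "/api/health", "PUBLIC"),
]
SERVICE_BASE = "http://my-api.com"  # service base URL used on the page

def _match(pattern, path):
    """Return the tail matched by '/**', '' for an exact match, None otherwise."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        if path == prefix:
            return ""
        if path.startswith(prefix + "/"):
            return path[len(prefix):]
        return None
    return "" if path == pattern else None

def resolve(method, raw_path, authenticated):
    """Return (status, upstream_url) for one incoming request."""
    # Normalize before matching so "." and ".." segments cannot make the
    # gateway match one route while the backend serves a different path.
    path = posixpath.normpath("/" + raw_path.lstrip("/"))
    for route in ROUTES:
        tail = _match(route.pattern, path)
        if tail is None or route.method != method.upper():
            continue
        if route.access == "SECURE" and not authenticated:
            return 401, None  # credentials required and not validated
        if route.target.endswith("/**"):
            return 200, SERVICE_BASE + route.target[:-3] + tail
        return 200, SERVICE_BASE + route.target
    return 404, None  # assumed default: unmatched requests are not forwarded
```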
Authentication Modes
Four ways to protect an API Gateway.
You pick one auth mode when creating a gateway. Basic Auth, API Key, and JWT end users are managed through the Consumer Service. OAuth2 end users are managed through IAM — the same users in your IAM dashboard.
Basic Auth
via Consumer Service
End users authenticate with a username and password. AuthGate validates credentials before forwarding the request to your service.
API Key
via Consumer Service
End users pass a secret key in the request header. Simple and common for server-to-server or app-to-API calls.
JWT
via Consumer Service
End users log in once and receive a JWT token. AuthGate validates the token on every request without a database lookup.
OAuth2
via IAM Service
End users authenticate through the AuthGate IAM authorization server. IAM issues and validates tokens — the same users you manage in the IAM dashboard.
