Authorization for API Gateways

Securely scale API-driven development within your teams and grow with confidence, driven by the power of Orchestrated Authorization.

API gateways let you realize the benefits of microservice architectures and scale to the individual services that make up the modern-day application.

Some organizations integrate the authorization decision directly into the microservice as a sidecar. Others, depending on their adoption, deploy the authorization policy as part of the API gateway.

When organizations build policies using Axiomatics and use API gateways as the enforcement point, they accelerate their ability to scale an attribute-based access control (ABAC) model across their applications.

In turn, this architecture serves the Zero Trust goals of continuous policy enforcement against critical attributes such as risk, time, location, classification, role, etc.

Axiomatics has integrated across leading API gateway solutions, such as Mulesoft, Apigee, or Kong, and helped customers around the world securely share data to improve the customer experience.

By using industry standards, no custom coding or SDKs are needed to achieve interoperability between Axiomatics and API Gateways.

Organizations only need to configure gateway settings to add enhanced attribute-based access control (ABAC) capabilities to their API security implementation.

The Axiomatics integration with an API gateway follows the same externalized reference architecture to enforce run-time authorization policies

In this model, the API Gateway is the Policy Enforcement Point (PEP), while Axiomatics continues to provide the Policy Decision Point (PDP) and integration with attributes (PIPs):

  • A subject (user or machine) calls out to the API gateway
  • The gateway first determines if the subject is allowed to call the gateway
  • The Axiomatics PDP performs a policy evaluation of the request being made by the subject against attributes (Policy Information Points)
  • If the subject is allowed to make the request, Axiomatics returns a permit decision
  • The API Gateway forwards the decision to the application/resource
  • The application/resource returns a response back to the subject

Axiomatics API gateway integration workflow:
  1. Call out to API Service X
  2. Can the client call API Service X’s method Y?
  3. Evaluate authorization policies and optionally look up additional attributes
  4. Yes, Permit
  5. Forward the API call
  6. API response
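
The flow above as a runnable sketch. This is an added example, not Axiomatics product code or its API: the attribute store, the sample policy, the `Deny`/`Indeterminate` decision names and every function name are hypothetical. It also assumes the gateway fails closed, forwarding only on an explicit Permit.

```python
# Added illustration: generic PEP/PDP/PIP sketch, not Axiomatics product code.
# All names, attributes and the sample policy below are hypothetical.

PIP = {  # Policy Information Point: constructed subject attributes
    "alice": {"role": "claims-adjuster", "region": "EU"},
    "svc-batch": {"role": "service", "region": "US"},
}
RESOURCES = {"/claims/42": {"classification": "confidential", "region": "EU"}}


def pdp_evaluate(subject_id, action, resource_path):
    """PDP: evaluate the request against policy, looking up attributes via the PIP."""
    subject = PIP.get(subject_id)
    resource = RESOURCES.get(resource_path)
    if subject is None or resource is None:
        return "Indeterminate"  # attributes missing: no decision possible
    if (action == "GET" and subject["role"] == "claims-adjuster"
            and subject["region"] == resource["region"]):
        return "Permit"
    return "Deny"


def backend(action, resource_path):
    """Stand-in for API Service X behind the gateway."""
    return {"status": 200, "body": f"{action} {resource_path} ok"}


def gateway_pep(subject_id, action, resource_path, pdp=pdp_evaluate):
    """PEP: forward the call only on an explicit Permit; anything else is blocked."""
    try:
        decision = pdp(subject_id, action, resource_path)
    except Exception:
        decision = "Indeterminate"  # PDP unreachable or errored: fail closed
    if decision != "Permit":
        return {"status": 403, "body": f"blocked ({decision})"}
    return backend(action, resource_path)


def pdp_down(*_args):
    """Simulated PDP outage, used to show the fail-closed path."""
    raise ConnectionError("PDP unreachable")


if __name__ == "__main__":
    print(gateway_pep("alice", "GET", "/claims/42"))                # forwarded
    print(gateway_pep("svc-batch", "GET", "/claims/42"))            # denied by policy
    print(gateway_pep("alice", "GET", "/claims/42", pdp=pdp_down))  # fail closed
```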

Learn more about how Axiomatics supports authorization for API gateways

Dynamic Authorization for the Apigee API Gateway

We see the need for dynamic authorization on API gateways for use cases such as new customer portals, augmenting OAuth with ABAC to achieve fine-grained authorization, and building microservices and externalizing authorization.

5 Fast Facts for API Access Control

For administrators controlling sensitive data, access control is a major headache. We’ve outlined five key API access control facts – along with a little help on how to address them.

Policy-based access management and the evolution of authorization

CPO Mark Cassetta takes a deep dive into KuppingerCole's Market Compass for PBAM report and how Axiomatics meets today's market challenges.
