You are browsing documentation for an outdated version.
See the latest documentation here.
Secure your Services Using Authentication
In this topic, you’ll learn about API Gateway authentication, set up the Key Authentication plugin, and add a consumer.
If you are following the getting started workflow, make sure you have completed Improve Performance with Proxy Caching before moving on.
What is Authentication?
API gateway authentication is an important way to control the data that is allowed to be transmitted using your APIs. Basically, it checks that a particular consumer has permission to access the API, using a predefined set of credentials.
Kong Gateway has a library of plugins that provide simple ways to implement the best known and most widely used methods of API gateway authentication. Here are some of the commonly used ones:
- Basic Authentication
- Key Authentication
- OAuth 2.0 Authentication
- LDAP Authentication Advanced
- OpenID Connect
Authentication plugins can be configured to apply to service entities within the Kong Gateway. In turn, service entities are mapped one-to-one with the upstream services they represent, essentially meaning that the authentication plugins apply directly to those upstream services.
Why use API Gateway Authentication?
With authentication turned on, Kong Gateway won’t proxy requests unless the client successfully authenticates first. This means that the upstream (API) doesn’t need to authenticate client requests, and it doesn’t waste critical resources validating credentials.
Kong Gateway has visibility into all authentication attempts, successful, failed, and so on, which provides the ability to catalog and dashboard those events to prove the right controls are in place, and to achieve compliance. Authentication also gives you an opportunity to determine how a failed request is handled. This might mean simply blocking the request and returning an error code, or in some circumstances, you might still want to provide limited access.
In this example, you’re going to enable the Key Authentication plugin. API key authentication is one of the most popular ways to conduct API authentication and can be implemented to create and delete access keys as required.
For more information, see What is API Gateway Authentication?.
Set up the Key Authentication Plugin
Set up Consumers and Credentials
Validate Key Authentication
(Optional) Disable the plugin
If you are following this getting started guide topic by topic, you will need to use this API key in any requests going forward. If you don’t want to keep specifying the key, disable the plugin before moving on.
Summary and next steps
In this topic, you:
- Enabled the Key Authentication plugin.
- Created a new consumer named
- Gave the consumer an API key of
apikey so that it could access the
/mock route with authentication.
Next, you’ll learn about load balancing upstream services using targets.