Access Gateway

Overview

The Access Gateway is the PDP Proxy and Edge Orchestrator of the Keymate platform. It processes every permission check request from enforcers (PEPs) — SDKs, API Gateway plugins, Service Mesh plugin, and platform components like Admin Console — through a structured enforcement pipeline, integrating with Keycloak for token validation and exchange, and with the Keymate Authorization Decision Provider for fine-grained permission evaluation.

Beyond enforcement, the gateway acts as a burst breaker — absorbing high-frequency permission check traffic through subject-based caching before it reaches downstream authorities.

When to Read This Section

Read this section when you need to understand:

• How permission checks are processed and enforced at the gateway layer
• The enforcement pipeline and its processing stages
• How access rules determine token exchange and resource resolution
• The caching architecture that reduces authority call volume
• DPoP sender-constrained token validation at the gateway
• The organization context retrieval API

Who Should Start Here

• Developers integrating SDKs or building gateway plugins that communicate with Access Gateway
• Architects designing authorization flows and understanding the enforcement model
• Operators monitoring gateway performance, cache behavior, and authority latency

Key Topics

• Overview — Gateway capabilities, endpoints, and system role
• Enforcement Pipeline — Request processing stages, error codes, and response headers
• Runtime Evaluation Model — Access Rule Engine and declarative rule matching
• Resource Resolution & Routing Metadata — URI-driven resource resolution
• Authority Integration & Token Mediation — Token introspection, exchange, and permission evaluation
• Version-Aware Decision Cache — Subject-based caching and TTL strategy
• Organization Context Endpoint — Organization context API with negative caching

Representative Journeys

• I want to understand what the Access Gateway does → Overview
• I want to know how requests are processed → Enforcement Pipeline
• I want to configure access rules for my client applications → Runtime Evaluation Model
• I want to set up URI-based resource resolution → Resource Resolution & Routing Metadata
• I want to understand authority integration → Authority Integration & Token Mediation
• I want to understand caching behavior → Version-Aware Decision Cache
• I want to retrieve a user's organization context → Organization Context Endpoint

Recommended Reading Order

1. Overview — Start here for the big picture
2. Enforcement Pipeline — Understand the request processing model
3. Runtime Evaluation Model — Learn how access rules drive authorization routing
4. Resource Resolution & Routing Metadata — Deep dive into URI-based resource resolution
5. Authority Integration & Token Mediation — Understand authority integration
6. Version-Aware Decision Cache — Learn about caching strategy
7. Organization Context Endpoint — API reference for organization context retrieval

Related Sections

• Keymate Authorization Decision Provider — Fine-grained permission evaluation and authorization decisions
• Architecture — System design and request evaluation flow
• Integrations — Gateways & Mesh — API Gateway and service mesh integration patterns
• Security — Sender-Constrained Tokens & DPoP — RFC 9449 DPoP specification and security model