
Zero-Code Authorization at the Gateway Layer

Enforce fine-grained, policy-aware access control directly at the edge using API gateways and service meshes—without touching application code.

Enforcement at the Edge with APISIX, Kong, Istio, and Envoy

Why It Matters

Modern architectures often rely on API gateways and service meshes to control network traffic between services and clients. Embedding access control at this layer offers unique benefits:

With Keymate, you can:

Enforce OpenFGA-backed policies on APIs via custom plugins for APISIX
Control service-to-service traffic with Istio/Envoy integration
Authorize requests based on token claims, session metadata, resource path, and org context
Apply rate limits or step-up auth via policy logic (e.g. sensitive endpoint access)

Key Components:

No changes required to your app code
Centralized policy enforcement for internal & external APIs
Visibility and traceability at the perimeter
Enables zero-trust and least-privilege principles by default

Policy Enforcement Without Code Changes

Use Cases:

Public-facing REST APIs with FGA enforcement
Microservice communication authorization via Istio
Multi-tenant apps with org-level API visibility
Dynamic access based on token risk, department, role

Key Components:

API Gateway (e.g. APISIX, Kong) receives the request
Token and request metadata (path, method, headers) are extracted
Gateway plugin calls Keymate Access Gateway
Policy decision is returned via gRPC
Request is allowed, denied, or redirected (e.g. for MFA)
All enforcement actions are logged via OpenTelemetry
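
The flow above, sketched as an added example (not Keymate's plugin code or API): `enforce`, `build_request`, `sample_decide`, the decision values, the claim names `org` and `acr`, and the sample policy are all assumptions made for illustration. It takes token claims the gateway has already verified and shows the enforcement point failing closed when the decision call errors or returns an unknown value.

```python
from dataclasses import dataclass

ALLOW, DENY, STEP_UP = "allow", "deny", "step_up"  # assumed decision values

@dataclass(frozen=True)
class AuthzRequest:
    subject: str
    org: str
    acr: str      # authentication strength claimed by the token
    method: str
    path: str

def build_request(claims, method, path):
    # Identity and tenant come only from verified token claims, never from
    # client-supplied headers. Missing "sub" or "org" raises KeyError.
    return AuthzRequest(claims["sub"], claims["org"], claims.get("acr", ""),
                        method.upper(), path.split("?", 1)[0])

def enforce(claims, method, path, decide, log):
    """Return (http_status, response_headers) for the gateway to apply."""
    try:
        req = build_request(claims, method, path)
        decision = decide(req)            # remote call in a real deployment
    except Exception as exc:              # bad claims, timeout, transport error
        log({"decision": DENY, "path": path, "reason": type(exc).__name__})
        return 403, {}                    # fail closed
    if decision == ALLOW:
        result = 200, {}
    elif decision == STEP_UP:
        # RFC 9470 challenge, chosen here as one way to signal step-up
        result = 401, {"WWW-Authenticate":
                       'Bearer error="insufficient_user_authentication"'}
    else:
        decision, result = DENY, (403, {})  # unknown values are treated as deny
    log({"decision": decision, "sub": req.subject, "org": req.org,
         "method": req.method, "path": req.path})
    return result

def sample_decide(req):
    """Constructed stand-in policy: tenant isolation plus MFA for payouts."""
    parts = req.path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "orgs" or parts[1] != req.org:
        return DENY
    if "payouts" in parts and req.acr != "mfa":
        return STEP_UP
    return ALLOW
```
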

Integration Highlights

Gateway Plugins

APISIX and Kong plugins support token parsing and enforcement

Service Mesh Hook

Istio and Envoy filters connect to Keymate via gRPC

Zero Code Change

No need to modify backend applications

Policy-Driven

All access decisions based on OpenFGA and session metadata

Tenant-Aware

Supports multi-tenant policy isolation at the gateway level

Telemetry Built-In

Gateway events are traced and logged via OTEL + SigNoz

Frequently Asked Questions

Out of the box, we support APISIX and Kong. You can extend the plugin for other gateways.
Yes—Keymate can return a "step-up required" signal, triggering additional authentication workflows.
OAuth scopes are static; our approach supports context-aware, fine-grained policies using OpenFGA.
We provide an Envoy filter that can be deployed as part of Istio to intercept and authorize service calls.

How to Use This Integration

Implementation Steps

1. Deploy the APISIX or Kong plugin to your API gateway
2. Connect the plugin to the Keymate Access Gateway via gRPC
3. Define policies in the Keymate Policy Manager
4. Monitor enforcement via OTEL & SigNoz
5. Optionally integrate Istio/Envoy with a sidecar filter for service mesh authorization

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.