Enforce Authorization at the Gateway—No Code Required

With Keymate's native plugins for APISIX and Kong, you can enforce fine-grained access control directly at your API Gateway. No SDKs, no app changes—just plug, configure, and enforce.

Gate-Level Authorization Without Touching the App

Our official gateway plugins integrate with APISIX and Kong to intercept every incoming API call, perform real-time authorization checks via Keymate Access Gateway, and enforce allow/deny decisions before the app is even hit.

What you get:

Native support for APISIX (Lua) and Kong (Go)
Token parsing and contextual extraction (e.g., org, role, hat)
Request normalization and matcher engine (path, method, headers, body)
Real-time gRPC or REST call to Keymate Access Gateway
Custom header and body parsing with support for OpenAPI-defined rules
Deny responses with custom messaging and audit logs
Rate-limiting or early-drop integration optional

This plugin-first approach means enforcement is uniform, centralized, and secure—across all microservices.

Zero-Code Gateway Authorization

Gateway plugins intercept API calls and enforce authorization decisions before reaching your applications, providing uniform security across all microservices.

Example: Enforce fine-grained access control at the gateway layer

Key Components:

APISIX & Kong Integration
Token Context Extraction
Real-time gRPC/REST Auth
Request Matching Engine
OpenAPI Rule Parsing

What Makes It Unique

No App Changes Required

Zero-code authorization enforcement at the edge

Native Plugins for APISIX & Kong

Developed with official extension points—Lua (APISIX) and Go (Kong)

gRPC & REST Integration

Calls Keymate Access Gateway for authorization in real time

Customizable Matchers

Supports path, method, headers, body-based decision models

Token Context Extraction

Extracts enriched token claims for org, department, delegated role

OpenAPI Rule Parsing

Automatically maps routes to policies via OpenAPI spec if available

Fail-Safe & Audit-Friendly

All requests logged, blocked, or bypassed based on rule config

Frequently Asked Questions

No. All enforcement happens at the gateway layer—your backend remains untouched.
It calls Keymate Access Gateway with contextual data (token, headers, path), which applies policy logic and returns a decision.
Yes. gRPC is the default for low latency; REST is the fallback or browser-compatible option.
Yes. For structured JSON payloads, body fields can be extracted and used in policy checks.

How to Use This Feature

Follow these steps to enable gateway-level authorization.

Implementation Steps

1. Install the Keymate plugin on your APISIX or Kong Gateway
2. Configure the plugin with Access Gateway endpoint (gRPC/REST)
3. Enable route matchers and header/body extractors as needed
4. Define policies in the Admin Console or via DSL
5. Use OpenAPI route definitions to map policies automatically
6. Monitor enforcement results via observability dashboards
