
Mesh-Native FGAC with Istio and Envoy Filters

Enforce fine-grained access policies across internal service-to-service traffic by integrating Keymate with Istio/Envoy. Secure east-west calls with the same DSL, policies, and tokens used for edge APIs—now applied deep inside your mesh.


Bring Authorization to Every Microservice Call

Modern service meshes route billions of internal calls daily. Without enforcement, this internal traffic becomes a security blind spot: any workload that can reach a service on the network is implicitly trusted. With Keymate's Envoy integration, you can:

Apply policy-based authorization to every service-to-service request.
Inject authorization via custom Envoy filters in Istio.
Extract the token, headers, method, and resource path from each call.
Call the Keymate Access Gateway in real time over gRPC for a decision.
Authorize gRPC, HTTP/1.1, and HTTP/2 calls alike, REST APIs included.
Use the same DSL, OpenFGA model, and session-based token logic as at the edge.
Trace decisions and policy reasons in observability dashboards.

This enables unified enforcement, whether the call comes from the outside world or from another microservice.

Mesh-Native Fine-Grained Access Control

Secure east-west service communication with unified authorization policies applied at the mesh layer through custom Envoy filters.

Example: Apply policy-based authorization to every service-to-service request

Key Components:

Istio & Envoy Integration
Custom Envoy Filters
Real-time gRPC Auth
Protocol-Agnostic Support
Zero Trust East-West

What Makes It Unique

Custom Envoy Filter Support

Plugs into Istio via WASM or Lua-based filters for real-time enforcement

gRPC & HTTP Support

Authorizes both HTTP and gRPC internal service calls

Context Extraction

Parses tokens, headers, method, and resource path dynamically

Policy DSL Compatible

Uses same policies as API Gateway and SDK-based checks

Token-Aware and Org-Aware

Full support for enriched tokens with org, role, "hat" context

East-West Zero Trust Model

Enforces least-privilege across internal communication

Full Observability

Access logs, decision trace, denial reasons available centrally

Frequently Asked Questions

Which mesh setups are supported?
We support Istio and vanilla Envoy setups. Envoy filters are the core mechanism.

Which protocols can be authorized?
gRPC, HTTP/1.1, and HTTP/2 are all supported. Envoy filters work across protocols.

Can I reuse the policies I already use at the API gateway?
Yes. The same DSL, policy templates, and token enrichment apply inside the mesh.

What is the latency impact?
Minimal. gRPC calls are optimized and policies are cached at the sidecar when possible. A request whose decision is not served from that cache pays one gRPC round trip to the Access Gateway, so budget for it on latency-sensitive paths.

How to Use This Feature

Follow these steps to enable mesh-native authorization.

Implementation Steps

1. Deploy Istio (or standalone Envoy) in your mesh.

2. Install the Keymate Envoy Filter on sidecars or at ingress/egress points.

3. Configure the filter with the Keymate Access Gateway endpoint (gRPC).

4. Define policies using token, method, resource, and OpenFGA context.

5. Optionally enrich tokens with org/role info from session notes.

6. Observe access decisions in mesh observability tools or Keymate dashboards.
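As an added example, not Keymate's own manifests, the Istio resources below show what steps 1 to 3 above (and the capability list at the top of the page) look like when wired with Envoy's built-in external-authorization filter, which is how Envoy natively sends every request to an out-of-process decision service over gRPC. Everything named here is an assumption: the `payments` application namespace, a `keymate-access-gateway` Service in the `keymate` namespace listening on port 9443, and that the Keymate Access Gateway (or a small adapter in front of it) implements the `envoy.service.auth.v3.Authorization` gRPC API. The page does not say how the Keymate filter itself is packaged, so treat this as the shape of the integration rather than its shipped configuration.

```yaml
# Added example, not Keymate's shipped manifest. Assumed names:
#   payments                      application namespace being protected
#   keymate-access-gateway.keymate.svc.cluster.local:9443
#                                 in-mesh gRPC authorizer speaking
#                                 envoy.service.auth.v3.Authorization
---
# 1. Close the bypass first. Sidecar-enforced authorization only holds if
#    every inbound connection passes through the sidecar with a verified
#    workload identity; STRICT mTLS mesh-wide guarantees both.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Insert ext_authz into the inbound HTTP filter chain of every sidecar in
#    the namespace, ahead of the router, so a DENY never reaches the app.
#    Namespace-scoped on purpose: do NOT apply this to the namespace hosting
#    the Access Gateway itself, or each decision call would itself be sent
#    to the gateway for a decision.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: keymate-ext-authz
  namespace: payments
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND        # callee side: east-west enforcement
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          # Fail closed. false is already the default; stating it makes the
          # choice reviewable. With true, a gateway outage would turn every
          # internal call into an allow.
          failure_mode_allow: false
          # Return 503 (not the default 403) when the gateway cannot be
          # reached, so logs distinguish "denied" from "authorizer down".
          status_on_error:
            code: ServiceUnavailable
          # Send the caller's leaf certificate with the check, so policy can
          # key on the calling workload's SPIFFE identity, not only on the
          # bearer token. Empty unless step 1 above is in force.
          include_peer_certificate: true
          # The check request already carries :method, :path, :authority
          # and all request headers (token included); the body is not needed
          # for a token/method/path decision, so with_request_body is left
          # unset to avoid buffering.
          grpc_service:
            # Reuse the outbound cluster Istio already programs for the
            # in-mesh Service, so the decision call itself rides on mesh mTLS.
            envoy_grpc:
              cluster_name: outbound|9443||keymate-access-gateway.keymate.svc.cluster.local
            timeout: 0.5s
```

Apply with `kubectl apply -f`, then confirm the filter landed on a workload with `istioctl proxy-config listener <pod> -n payments -o json` and look for `envoy.filters.http.ext_authz` in the inbound chain before the router. Two things are worth re-checking before relying on this: that no `PeerAuthentication` in a child namespace relaxes the mesh-wide STRICT mode (plaintext reaching the sidecar leaves `include_peer_certificate` empty and lets policy fall back to the token alone), and that the only workloads without the filter are the authorizer's own, since every namespace you leave out is a namespace where east-west calls are not checked.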

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.