By on May 29, 2020

Access Control Lists with Kong

The Business Problem

Access control is an important function in our daily lives. Access control is provided in many different realms. For example, a physical door, a software program, or an API. Access control simply means that you are controlling who/what can access something. 

We’re going to focus this discussion around access control for an API. Businesses benefit from providing APIs to their internal (and external) developers. Businesses want to know who is accessing the API and may want to control access to each API based on different metrics that drive revenues or save costs. For example, I may only want to provide access to an API for my customers and not my partners. 

There are many reasons and methods for providing access control to an API. Today we’re going to take a closer look at how the Kong API Gateway can help us enforce access control using key authentication and access control lists. 

The Solution

Let’s imagine a scenario where we want to allow consumers in a specific group access to our Orders API, but deny access to others. I have 2 consumers (consumerA and consumerB) which I only want to allow access to the Orders API because they are customers, and therefore, part of the customers group. This is a common business use case we see for internal or external access to an API. We can set this example up in Kong quickly. Here is a diagram that describes what we want to do.

Here are the commands to get this setup in Kong. 

NOTE: This assumes you have Kong and httpie already installed. 

1. Create consumers A and B

2. Create Key-Auth credentials for each consumer

3. Assign Consumer A to the customers group

4. Create a Service and Route

5. Create an key-auth and ACL plugin at the service level to limit access to a group

6. Test to make sure only consumerA can access the API

This works!

Forbidden! This means the access control list is working.


There are many reasons why a business would want to limit the access to an API to specific clients or consumers. You can easily enforce this type of access control in Kong to take control of the access to your API and ensure you know who is using your service. 

For more advanced access control mechanisms, you can look at the Kong gateway which also gives you the ability to use a central identity/token management system and make use of OpenID Connect and OAuth 2.0 standards.