# Managing Application Auth for Different Audiences
Ella Kuzmenko
Sr. Product Manager, Kong
Let’s pose a hypothetical scenario. You're the API product owner at the Paris, Texas Regional Airport. You're in charge of two main APIs: Flights API and Scheduling API. Flights API is primarily used by local research institutions that are interested in read-only access to information about departures and arrivals. Scheduling API is primarily used by airline partners who are interested in updating information about their flights and gates. You would like to create similar auth strategies for your different customers, with slightly different permissions based on scopes.
Flights API has read:gate-priority and write:gate-priority scopes while Scheduling API has read:flight-schedule and write:flight-schedule. Research institutions should only receive read:flight-schedule and read:gate-priority scopes. Airline partners should receive both read and write scopes to the flight-schedule and gate-priority resource (i.e. read:flight-schedule, write:flight-schedule, read:gate-priority, and write:gate-priority).
In this scenario, you would like to configure different authentication types for each partner. One authentication strategy will use an Auth0 DCR Provider with read scopes, the other authentication strategy will use an Auth0 DCR Provider with read and write scopes.
We'll walk you through how you can do this with the newly released Application Auth strategies. In this blog, we'll do the following:
- Create one Auth0 DCR provider
- Reuse that DCR provider to create two authentication strategies, one for Flights API v2 that uses read scopes, and one for Scheduling API v2 that uses read and write scopes
- Apply those auth strategies to their respective API Product versions
When we create the application auth strategy, we add the relevant claims (e.g., email, profile, permissions, org_id, etc), scopes, auth methods, and a display name for our auth configs that will be easily understood by the developers in our Flight Portal (e.g., “Flight API Auth”).
Lastly, we'll paste in the DCR ID from step one into each of our auth configs. You'll notice the difference between the two auth configs is that we want to use different scopes (read-only scopes for Flights API v2 and read-and-write scopes for Scheduling API v2).
As we're using DCR, our create app auth strategy calls may look something like the following:
By sending these payloads, here is what we’ve accomplished:
- We’ve published the API Product versions so that Flights v2 and Scheduling v2 are now available in our Flights portal
- We’ve enabled app registration so our partner developers can actually register for Flights v2 and Scheduling v2 APIs
- We’ve enabled the Flight Auth strategy for Flights v2 API and Scheduling Auth strategy for our Scheduling v2 API in our Flight Portal, ensuring our partners consuming different APIs receive the appropriate scopes depending on their access level.
Note: If your API Products are not yet published, you'll need to publish the API Product itself in order for the API Product versions to be published to your portal.
- We published two API Product versions, each using a unique auth strategy
- We created two auth strategies from the same underlying DCR provider which gave us the flexibility to create a unique auth strategy per API Product version
- We introduced a new concept called the Portal Product Version, which we can use in the future to manage our Product Version’s auth configs across multiple dev portals
If you’d like to extend this example, I’ll mention a couple of other use cases for Application Auth strategies:
- Create multiple DCR providers, and apply different auth strategies (using different DCR providers) to different API Product versions in the same Dev Portal
- Create a DCR, OIDC, and Key Auth authentication strategy and mix and match them to as many API Product versions as you would like
The MSK exposure problem
Amazon MSK brokers live in private subnets by default. That's the right default. Kafka's protocol wasn't designed for untrusted networks — it has no concept of rate limiting, no built-in field-level encryption, and its ACL
Hugo Guerrero
# How to Set Up Prepaid Credits in Kong Konnect Metering & Billing
The core of this system rests on a foundational principle: currency-specific credit balances are never directly modified. Rather than a simple mutable counter, which is prone to race conditions and opaque manual adjustments, we utilize a comprehensi
Dan Temkin
# How to Test Gateway APIs Directly from Kong Konnect with Insomnia
What You'll Build
To explore the new integration, I'll build a realistic API platform workflow using Konnect, Kong Gateway, and Insomnia.
By the end of this tutorial, I'll have:
A Konnect Control Plane (KongAir Dev)
A local Kong Gateway Data Pl
Juhi Singh
# A Unified Gateway for APIs + Agentic Applications on VMware VKS with Kong Konnect
Built on top of Kong API Gateway, the Kong AI Gateway is designed to address key challenges in enterprise AI adoption. Modern AI applications rarely rely on a single model; instead, they orchestrate multiple GenAI providers, agent frameworks, Age
Anika Suri
# Automating Agreement Workflows with Kong Konnect and Docusign for Developers
Traditional agreement processes were slow and heavily manual. Documents were often created in office tools, shared through email, printed, signed physically, and stored across multiple systems. Tracking the status of agreements required manual follo
Paige Rossi
# Kong and ModelOp Partner to Deliver Zero-Trust Security for the Agentic Enterprise
The Problem: As organizations adopt agentic AI, a massive gap exists between compliance approvals and network reality. Often, AI governance is relegated to manual reviews and "paper approvals," meaning network firewalls and gateways have no context
Alex Rice
# Kong Event Gateway 1.2 Brings Field-Level Encryption, Topic Aliasing, and Analytics to Konnect
Most teams handle field-level data protection with client-side interceptors — code that has to live in every producer and consumer, in every language, maintained by every team that touches the topic. Renaming a topic means a migration project. And
# Kafka in a DMZ: Protecting AWS MSK with Kong Event Gateway
The MSK exposure problem
Amazon MSK brokers live in private subnets by default. That's the right default. Kafka's protocol wasn't designed for untrusted networks — it has no concept of rate limiting, no built-in field-level encryption, and its ACL
Hugo Guerrero
# How to Set Up Prepaid Credits in Kong Konnect Metering & Billing
The core of this system rests on a foundational principle: currency-specific credit balances are never directly modified. Rather than a simple mutable counter, which is prone to race conditions and opaque manual adjustments, we utilize a comprehensi
Dan Temkin
# How to Test Gateway APIs Directly from Kong Konnect with Insomnia
What You'll Build
To explore the new integration, I'll build a realistic API platform workflow using Konnect, Kong Gateway, and Insomnia.
By the end of this tutorial, I'll have:
A Konnect Control Plane (KongAir Dev)
A local Kong Gateway Data Pl
Juhi Singh
# A Unified Gateway for APIs + Agentic Applications on VMware VKS with Kong Konnect
Built on top of Kong API Gateway, the Kong AI Gateway is designed to address key challenges in enterprise AI adoption. Modern AI applications rarely rely on a single model; instead, they orchestrate multiple GenAI providers, agent frameworks, Age
Anika Suri
# Automating Agreement Workflows with Kong Konnect and Docusign for Developers
Traditional agreement processes were slow and heavily manual. Documents were often created in office tools, shared through email, printed, signed physically, and stored across multiple systems. Tracking the status of agreements required manual follo
Paige Rossi
# Kong and ModelOp Partner to Deliver Zero-Trust Security for the Agentic Enterprise
The Problem: As organizations adopt agentic AI, a massive gap exists between compliance approvals and network reality. Often, AI governance is relegated to manual reviews and "paper approvals," meaning network firewalls and gateways have no context
Alex Rice
# Kong Event Gateway 1.2 Brings Field-Level Encryption, Topic Aliasing, and Analytics to Konnect
Most teams handle field-level data protection with client-side interceptors — code that has to live in every producer and consumer, in every language, maintained by every team that touches the topic. Renaming a topic means a migration project. And
# Kafka in a DMZ: Protecting AWS MSK with Kong Event Gateway
The MSK exposure problem
Amazon MSK brokers live in private subnets by default. That's the right default. Kafka's protocol wasn't designed for untrusted networks — it has no concept of rate limiting, no built-in field-level encryption, and its ACL
Hugo Guerrero
# How to Set Up Prepaid Credits in Kong Konnect Metering & Billing
The core of this system rests on a foundational principle: currency-specific credit balances are never directly modified. Rather than a simple mutable counter, which is prone to race conditions and opaque manual adjustments, we utilize a comprehensi
Dan Temkin
# How to Test Gateway APIs Directly from Kong Konnect with Insomnia
What You'll Build
To explore the new integration, I'll build a realistic API platform workflow using Konnect, Kong Gateway, and Insomnia.
By the end of this tutorial, I'll have:
A Konnect Control Plane (KongAir Dev)
A local Kong Gateway Data Pl
Juhi Singh
# A Unified Gateway for APIs + Agentic Applications on VMware VKS with Kong Konnect
Built on top of Kong API Gateway, the Kong AI Gateway is designed to address key challenges in enterprise AI adoption. Modern AI applications rarely rely on a single model; instead, they orchestrate multiple GenAI providers, agent frameworks, Age
Anika Suri
# Automating Agreement Workflows with Kong Konnect and Docusign for Developers
Traditional agreement processes were slow and heavily manual. Documents were often created in office tools, shared through email, printed, signed physically, and stored across multiple systems. Tracking the status of agreements required manual follo
Paige Rossi
# Kong and ModelOp Partner to Deliver Zero-Trust Security for the Agentic Enterprise
The Problem: As organizations adopt agentic AI, a massive gap exists between compliance approvals and network reality. Often, AI governance is relegated to manual reviews and "paper approvals," meaning network firewalls and gateways have no context
Alex Rice
# Kong Event Gateway 1.2 Brings Field-Level Encryption, Topic Aliasing, and Analytics to Konnect
Most teams handle field-level data protection with client-side interceptors — code that has to live in every producer and consumer, in every language, maintained by every team that touches the topic. Renaming a topic means a migration project. And
## Ready to see Kong in action?
Get a personalized walkthrough of Kong's platform tailored to your architecture, use cases, and scale requirements.