Event-driven architectures (EDAs) have pretty quickly transformed from a niche engineering pattern to the all-pervasive central nervous system of the modern enterprise. With Apache Kafka at the helm, enterprises are rapidly shifting gears from synchronous REST APIs to asynchronous event streams to relentlessly support real-time analytics, generative AI, and responsive microservices.
But as the appetite for real-time data grows, so does the challenge of securing it.
Today, we’re thrilled to announce Kong Event Gateway v1.1. This release addresses one of the most pressing hurdles in modern event streaming: closing the security gap between modern web identity standards and native event stream protocols. With the introduction of OAuth Token Claim Mapping for Policies and native mTLS Authentication, Kong Event Gateway v1.1 makes it easier and safer than ever to expose and consume event streams at scale.
The widespread adoption of Kafka and event streaming platforms is evident across several enterprises, where they serve as the backbone of critical operations, ranging from financial transactions to AI inference pipelines.
However, in the domains of security and identity, most teams continue to face several pressing challenges, including:
In the traditional synchronous world, API security has largely standardized on OAuth 2.0 and OpenID Connect (OIDC). However, Kafka’s native security model operates differently, relying heavily on mutual TLS (mTLS) for authentication and Access Control Lists (ACLs) for authorization. Consequently, while APIs have matured into identity-aware and policy-driven interfaces, event systems often maintain an infrastructure-centric security posture.
This yields a massive disconnect when teams try to expose Kafka topics to external partners, edge devices, or cross-domain internal teams. Developers are usually forced to choose between bad options, such as:
Kong Event Gateway v1.1 bridges this gap, allowing you to secure your event streams using the modern identity standards you already use for your APIs, without breaking Kafka’s native security posture.
Kong Event Gateway 1.1 focuses on bridging this gap by bringing identity and security to the forefront of event streaming.
OAuth Token Claim Mapping for Policies
Modern systems rely heavily on OAuth and JWT tokens to represent identity and context. Until now, that context was largely lost when interacting with event systems.
With OAuth token claim mapping, Kong Event Gateway can do the following.
This enables fine-grained, identity-aware authorization at the event layer. Instead of asking “can this client access this topic?”, you can now ask the following questions.
This is a fundamental shift from infrastructure-level control to context-aware security.
How it works in practice
Imagine you have a multi-tenant application where external consumers need to read order events. A consumer authenticates and presents an OAuth token containing the claim "tenant_id": "eu-region-4".
Instead of writing custom code to validate this, Kong Event Gateway intercepts the connection, reads the token, extracts the claim, and dynamically restricts that user's read access to the orders-eu-region-4 Kafka topic. If they attempt to subscribe to a different topic, the gateway drops the connection before it ever reaches the Kafka broker.
mTLS authentication aligned with Kafka practices
Security shouldn’t come at the cost of friction. Kafka relies on mTLS for Zero Trust security between clients and brokers. Previously, bridging external consumers to this internal standard required complex certificate management or breaking the mTLS chain at the edge, neither of which aligned with Kafka's architectural assumptions.
That is why Kong Event Gateway 1.1 introduces mTLS authentication that fully aligns with common Kafka practices. Rather than forcing teams into a new model, this approach:
The result is a secure-by-default communication layer that feels familiar to Kafka teams while still benefiting from Kong’s policy enforcement capabilities.
How it works in practice
The gateway seamlessly handles the mTLS handshake with the consuming client and verifies the certificate against your configured trust store.
Crucially, the gateway doesn't just authenticate the connection; it can also dynamically extract the principal from the client's certificate. You can then use this extracted identity to drive advanced gateway logic, such as applying custom encryption based on the specific client, enforcing strict access policies, or logging the exact identity for downstream auditing.
By handling all of this at the edge, the gateway ensures end-to-end encryption and strict identity verification before a single byte is forwarded, drastically reducing the attack surface of your Kafka clusters while maintaining the architectural purity your infrastructure teams expect.
These two features are powerful individually, but together they unlock something even more significant and powerful.
Together, they form the foundation for a zero-trust model in event streaming. This is where event infrastructure starts to look and behave like modern API platforms.
With Kong Event Gateway 1.1, organizations can:
This is not only about adding features. It’s about redefining how event systems participate in modern architectures.
Kong Event Gateway 1.1 enables organizations to scale event-driven architectures securely, so you no longer have to choose between modern identity standards and native Kafka security.
You can get started by:
Event streaming is becoming the crucial nervous system of modern applications. As that happens, security and identity can no longer be an afterthought. Kong Event Gateway is evolving to meet this reality, bringing policy-driven, identity-aware connectivity to the world of events.
Kong Event Gateway v1.1 is a step forward in that direction. And this is only the beginning.
Your Kafka Doesn't Have to Live Behind a Wall When teams resort to VPC peering or PrivateLink to expose Kafka, they're not solving the problem — they're managing it, one network topology decision at a time. Every new external consumer adds compl
In the modern IT stack, API gateways act as the first line of defense against attacks on backend services by enforcing authentication/authorization policies and validating and transforming requests. When backend services are protected with a token-b
Transitioning to microservices has many advantages for teams building large applications that must accelerate the pace of innovation, deployments and time to market. It also provides them the opportunity to secure their applications and services bet
Running Kong in front of your Solace Broker adds real benefits: Authentication & Access Control – protect your broker from unauthorized publishers. Validation & Transformation – enforce schemas, sanitize data, and map REST calls into event topics.
Kong customers include some of the most forward-thinking, tech-savvy organizations in the world. And while we’re proud to help them innovate through traditional APIs, the reality is that their ambitions don’t stop there. Increasingly, our customers a
Agents are ultimately decision makers. They make those decisions by combining intelligence with context, ultimately meaning they are only ever as useful as the context they can access. An agent that can't check inventory levels, look up customer his
Kong Mesh 2.13 delivers full support for Mesh Identity for Kubernetes and Universal mode. Plus, it's been designated as a Long Term Support release, with support for a total of 2 years. But first, what's Kong Mesh for the uninitiated? Built on top