Secure your APIs with confidence. Explore methods, protocols, and best practices for implementing robust authentication—from OAuth and JWT to zero-trust architectures—across modern API ecosystem
As cybersecurity takes the main stage, organizations face a significant challenge: how do you strike a balance between maintaining a high level of security and ensuring employees have enough data access to perform their jobs properly? Role-based access control (RBAC) is a solution that can support…
[](/blog/learning-center/what-is-rbac)
Ensuring secure access to applications and APIs is critical. As organizations increasingly adopt microservices architectures and cloud native solutions, the need for robust, fine-grained access control mechanisms becomes paramount. This is where the combination of Open Policy Agent (OPA) and Kong…
[](/blog/engineering/secure-access-control-with-opa-and-kong)
In today's interconnected web ecosystem, modern applications frequently need to communicate across different domains, making Cross-Origin Resource Sharing (CORS) a fundamental concept for web developers to master. This comprehensive guide explores CORS from its basic principles to advanced…
[](/blog/learning-center/what-is-cors-cross-origin-resource-sharing)
The JSON Web Token (JWT) is an open standard that allows information to be transferred securely between different parties. The token is digitally signed by using a private key (HMAC) or a public/private key (RSA) by building a JSON Web Signature (JWS). It guarantees that the JWT hasn’t been…
[](/blog/engineering/craft-and-sign-custom-jwt)
In the modern IT stack, API gateways act as the first line of defense against attacks on backend services by enforcing authentication/authorization policies and validating and transforming requests. When backend services are protected with a token-based approach, client applications must obtain an…
[](/blog/engineering/zero-trust-oauth-2-0-mtls-client-authentication)
With digital transformation shifting networks into the cloud — from remote workforces to online banking — cyberattacks are growing more prevalent and sophisticated. Legacy security models like VPNs and perimeter-based firewalls are proving inadequate in addressing modern threats because perimeters…
[](/blog/engineering/microsegmentation-and-zero-trust-security)
With its flexible querying capabilities, GraphQL makes it easy to combine data from multiple sources into a single endpoint. GraphQL and API management go hand in hand to build next-generation API platforms. However, GraphQL's features can also introduce security risks if not properly…
[](/blog/engineering/graphql-security-vulnerabilities)
In token-based architecture, tokens represent the client’s entitlement to access protected resources. Access tokens (or bearer tokens as they're commonly known) are issued by authorization servers after successful user authentication. The tokens are passed as credentials in the request to the…
[](/blog/engineering/mtls-sender-constrained-tokens)As businesses expand and gain visibility, it’s natural that their API attack surfaces become more exposed — increasing the risk of dangerous data breaches. Protecting cloud communications and securing data in transit should be your organization’s top priority. API authentication mechanisms help…
[](/blog/engineering/common-api-authentication-methods)
This post is part of our Kong Champions series, where real Kong users walk you through technical challenges, use cases, and new technology they're using in their day-to-day. Sign up here to become a Kong Champion. As a Kong user, I've had the opportunity to dive deep into Kong's offerings. I've…
[](/blog/engineering/kong-saml-plugin-examples-and-uses)When it comes to digital identity, OpenID and OAuth are two peas in a pod, but they have their differences. OpenID connects you to relying parties using a single sign-on, while OAuth grants access tokens so you can give apps limited access. They both make authentication simple, seamless, and…
[](/blog/engineering/openid-vs-oauth-what-is-the-difference)
If you landed on this blog post, chances are that you care about keeping your API secure. It's an important topic to discuss: API exploits are on the rise, and you don't want unauthorized users accessing your data. A big part of that security is implementing API authentication and API…
[](/blog/engineering/api-authentication-vs-api-authorization)
Application programming interfaces (APIs) allow software to communicate and share data. But how can those APIs confirm the identity of the clients theyre communicating with? API keys are one solution. API keys are unique codes for authenticating and authorizing access to the features, data, or…
[](/blog/learning-center/what-are-api-keys)
In this blog we are going to learn about the technical challenges behind solving GraphQL authorization and how many organizations resolve it today. Then discuss how a Kong / OPA integration can help drive security standards in this space and bring some parity with REST API solutions. Last, we will…
[](/blog/engineering/graphql-authorization-at-the-api-gateway-with-kong-konnect-and-opa)
OAuth (short for Open Authorization) is a popular, standardized API protocol that provides a secure way for services to quickly share resources for a seamless user experience. Examples of OAuth in action include giving a greeting card service access to your photo library to make a custom holiday…
[](/blog/learning-center/what-is-oauth)
A common use case that is frequently requested is how to dynamically route requests based on authentication attributes. An example of this technique is routing requests to relevant upstream services based on claims contained in a JWT token. Admins would like all their clients to go to the same URI…
[](/blog/engineering/dynamic-routing-jwt-tokens-claim-with-kong-konnect)