The latest news and announcements about Kong, our products, and our ecosystem, as well as voices from across our community.
As cybersecurity takes the main stage, organizations face a significant challenge: how do you strike a balance between maintaining a high level of security and ensuring employees have enough data access to perform their jobs properly? Role-based access control (RBAC) is a solution that can support…
[](/blog/learning-center/what-is-rbac)
Ensuring secure access to applications and APIs is critical. As organizations increasingly adopt microservices architectures and cloud native solutions, the need for robust, fine-grained access control mechanisms becomes paramount. This is where the combination of Open Policy Agent (OPA) and Kong…
[](/blog/engineering/secure-access-control-with-opa-and-kong)
OAuth 2.0 is the current gold standard for secure delegated authorization. The reason is simple: OAuth puts control back in the hands of the users. It enables users to securely grant access to their resources without having to share passwords with third-party applications. Hence, it's one of the…
[](/blog/engineering/3-extensions-to-improve-security)
Let’s pose a hypothetical scenario. You're the API product owner at the Paris, Texas Regional Airport. You're in charge of two main APIs: Flights API and Scheduling API. Flights API is primarily used by local research institutions that are interested in read-only access to information about…
[](/blog/engineering/managing-application-auth)
In the modern IT stack, API gateways act as the first line of defense against attacks on backend services by enforcing authentication/authorization policies and validating and transforming requests. When backend services are protected with a token-based approach, client applications must obtain an…
[](/blog/engineering/zero-trust-oauth-2-0-mtls-client-authentication)
With digital transformation shifting networks into the cloud — from remote workforces to online banking — cyberattacks are growing more prevalent and sophisticated. Legacy security models like VPNs and perimeter-based firewalls are proving inadequate in addressing modern threats because perimeters…
[](/blog/engineering/microsegmentation-and-zero-trust-security)
With its flexible querying capabilities, GraphQL makes it easy to combine data from multiple sources into a single endpoint. GraphQL and API management go hand in hand to build next-generation API platforms. However, GraphQL's features can also introduce security risks if not properly…
[](/blog/engineering/graphql-security-vulnerabilities)
Application programming interfaces (APIs) allow software to communicate and share data. But how can those APIs confirm the identity of the clients theyre communicating with? API keys are one solution. API keys are unique codes for authenticating and authorizing access to the features, data, or…
[](/blog/learning-center/what-are-api-keys)
In this blog we are going to learn about the technical challenges behind solving GraphQL authorization and how many organizations resolve it today. Then discuss how a Kong / OPA integration can help drive security standards in this space and bring some parity with REST API solutions. Last, we will…
[](/blog/engineering/graphql-authorization-at-the-api-gateway-with-kong-konnect-and-opa)
OAuth (short for Open Authorization) is a popular, standardized API protocol that provides a secure way for services to quickly share resources for a seamless user experience. Examples of OAuth in action include giving a greeting card service access to your photo library to make a custom holiday…
[](/blog/learning-center/what-is-oauth)What is an API Gateway? In essence, it authenticates that a particular consumer has permission to access the API, using a predefined set of credentials. There are special cases — for example, the option to allow anonymous authentication — but generally speaking, the aim of API authentication is to…
[](/blog/learning-center/api-gateway-authentication)Authentication is the process of determining who a user is by, for example, asking them to provide a username and password or using multi-factor authentication. Once you know who the user is, you can check their account details to determine what they are authorized to access. Creating a session for…
[](/blog/learning-center/microservices-security-and-session-management)
Earlier this year, we hosted our inaugural Kong Summit Hackathon . This virtual competition engaged our open source community and offered recognition and prizes for hacks in various categories. The community delivered with ingenious plugins, hacks and documentation. In this blog post, we highlight…
[](/blog/engineering/insomnia-dynamic-signatures)
As organizations look to accelerate their digital transformation initiatives, a couple of key trends are prevalent. First, there is a movement from monolithic to smaller cloud native microservices. Second, there is more pressure to innovate, resulting in an explosion of APIs and connections to…
[](/blog/news/kong-okta-identity-api-management)
As APIs and microservices evolve, the architecture used to secure these resources must also mature. Utilizing a token-based architecture to protect APIs is a robust, secure and scalable approach, and it is also much safer than API keys or basic authentication. However, token-based architecture…
[](/blog/engineering/token-based-access-control)
As more and more companies move to a multi-cloud strategy and increase usage of a cloud native infrastructure , API providers are under a lot of pressure to deliver APIs at scale in multi-cloud environments. At the same time, APIs should follow each company's security requirements and best…
[](/blog/engineering/api-authorization)