OAuth 2.0 Token Exchange fundamentally alters how services establish trust. And the API gateway is the ideal location to enforce this new model. Modern applications don’t run as a single monolithic. They are composed of services — frontend APIs, backend microservices, third-party integrations —…
[](/blog/engineering/token-exchange-at-the-gateway)
Event-driven architectures (EDAs) have pretty quickly transformed from a niche engineering pattern to the all-pervasive central nervous system of the modern enterprise. With Apache Kafka at the helm, enterprises are rapidly shifting gears from synchronous REST APIs to asynchronous event streams to…
[](/blog/product-releases/kong-event-gateway-1-1)
"Too much information running through my brain." When The Police sang this opening line on their 1981 album Ghost in the Machine , they weren't thinking about artificial intelligence, but the sentiment perfectly captures the state of modern AI. The song warns of an overload of data that parallels…
[](/blog/engineering/ai-gateway-mcp-gateway-mcp-server-breakdown)
APIs empower every enterprise function, starting from seamless customer experiences to efficient internal operations. As a matter of fact, APIs are the foundational technology that fuels the advancements in AI, MCP, agentic, and autonomous systems. They're the critical connective tissue that allows…
[](/blog/enterprise/api-management-and-identity)
The healthcare industry is buzzing about FHIR (Fast Healthcare Interoperability Resources). Pronounced “fire,” this widely adopted data standard has been revolutionizing how healthcare information is exchanged. But building a truly modern, secure, and scalable digital health platform takes more…
[](/blog/engineering/health-platform-kong-smart-on-fhir-okta)
In the modern IT stack, API gateways act as the first line of defense against attacks on backend services by enforcing authentication/authorization policies and validating and transforming requests. When backend services are protected with a token-based approach, client applications must obtain an…
[](/blog/engineering/zero-trust-oauth-2-0-mtls-client-authentication)
As businesses expand and gain visibility, it’s natural that their API attack surfaces become more exposed — increasing the risk of dangerous data breaches. Protecting cloud communications and securing data in transit should be your organization’s top priority. API authentication mechanisms help…
[](/blog/engineering/common-api-authentication-methods)
When it comes to digital identity, OpenID and OAuth are two peas in a pod, but they have their differences. OpenID connects you to relying parties using a single sign-on, while OAuth grants access tokens so you can give apps limited access. They both make authentication simple, seamless, and…
[](/blog/engineering/openid-vs-oauth-what-is-the-difference)
In our second Kong and Okta tutorial, we'll go through the authorization code flow applied to user authentication processes. This series will show you how to implement service authentication and authorization for Kong Konnect and Okta using the OpenID Connect ( OIDC ) plugin. Parts 1, 3 and 4…
[](/blog/engineering/konnect-okta-authorization-code-flow)
Using Kong's OpenID Connect (OIDC) plugin, Kong and Okta work together to solve three significant application development challenges: The OIDC plugin enables Kong, as the API gateway , to communicate with Okta via the OAuth/OIDC flows. That way, your app teams don't have to configure and diagnose…
[](/blog/engineering/kong-and-okta-client-credentials)
In this tutorial, I'm going to walk through adding OAuth2 authorization and authentication to your service with the Kong API Gateway OAuth2 plugin . First, I'll cover the fundamentals. If you're already familiar with how Kong Gateway and OAuth2 work, skip ahead to the tutorial . Interconnected.…
[](/blog/engineering/kong-gateway-oauth2)