Authentication
This document explains how applications authenticate when consuming APIs through the ApiReverseProxy.
1. Application Authentication (App to Proxy)
This layer identifies the consumer application calling your microservices through the ApiReverseProxy. To avoid conflicts with the Authorization headers your internal microservices already use, the gateway uses its own header namespace.
Standard OAuth 2.0 Flow (Recommended)
The most secure approach for production applications.
Step 1: Obtain Access Token
Exchange your credentials for a short-lived JWT.
POST /oauth/token
{
  "grant_type": "client_credentials",
  "client_id": "your-app-uuid",
  "client_secret": "your-secure-secret"
}
Step 2: Authorized Request
Use the issued token in the custom gateway header.
X-Gateway-Authorization: Bearer <gateway_issued_token>
Alternative: Direct Header Authentication
Sends the client credentials directly on the request instead of exchanging them for a token. Useful for cURL, CLI tools, or simple scripts.
X-Gateway-Client-ID: your-app-uuid
X-Gateway-Client-Secret: your-secure-secret
Why X-Gateway-Authorization? By using a custom header, the Gateway allows your upstream services to receive the original Authorization header (e.g., from an end-user) while the Gateway uses its own token for quota and rate-limit tracking.
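As an added example (not part of the ApiReverseProxy documentation or any of its client libraries), the following Python client performs the token exchange from Step 1, caches the JWT until shortly before its exp claim, and sends it in X-Gateway-Authorization while passing an end user's own Authorization header through untouched. The post_token callable and the unsigned demo token minted by fake_token_endpoint are constructed stand-ins for POST /oauth/token.

```python
import base64
import json
import time

GATEWAY_AUTH_HEADER = "X-Gateway-Authorization"


def jwt_expiry(token):
    # Read `exp` from the JWT payload WITHOUT verifying the signature: the client
    # only uses it to schedule refreshes; the gateway performs the real validation.
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (IndexError, ValueError, AttributeError):
        return None


class GatewayClient:
    # Holds one cached client_credentials token and builds per-request headers.
    def __init__(self, client_id, client_secret, post_token, now=time.time):
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._post_token = post_token  # hypothetical: POSTs the JSON body to /oauth/token
        self._now = now
        self._token = None
        self.token_requests = 0  # how many times /oauth/token was called

    def access_token(self, skew=30):
        # Reuse the cached token; re-exchange credentials `skew` seconds before expiry.
        exp = jwt_expiry(self._token) if self._token else None
        if exp is None or exp - skew <= self._now():
            self._token = self._post_token(self._creds)["access_token"]
            self.token_requests += 1
        return self._token

    def headers(self, end_user_authorization=None):
        # The gateway token travels in the custom header, so an end user's own
        # Authorization header can be forwarded to the upstream service untouched.
        h = {GATEWAY_AUTH_HEADER: f"Bearer {self.access_token()}"}
        if end_user_authorization:
            h["Authorization"] = end_user_authorization
        return h


def fake_token_endpoint(ttl, now):
    # Constructed stand-in for POST /oauth/token: mints an unsigned demo JWT.
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    def post(body):
        claims = {"sub": body["client_id"], "exp": int(now()) + ttl}
        return {"access_token": f"{b64url({'alg': 'none'})}.{b64url(claims)}.demo-sig"}
    return post
```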