Gate is our identity-aware Edge Authorizer for APIs and workloads. Gate runs as a proxy, as a sidecar, or as an Envoy-compatible ExtAuth authentication service. Gate works with existing API gateways and reverse proxies (for example: Kong, Nginx, Envoy, AWS API Gateway) and performs identity-related operations on incoming traffic.
Gate is the fastest way to add authentication, authorization, and rate limiting to your APIs and workloads. Gate can also be used to enforce fine-grained authorization policies and modern authentication with passkeys for internal applications.
What you can use Gate for
The following is a non-exhaustive list of use cases for Gate:
- Add authentication, authorization, rate limiting and caching to your APIs
- Add phishing-resistant authentication and fine-grained authorization to internal applications without code changes
- Augment tokens with either some (based on context) or all /id attributes
- Augment tokens with custom claims from external sources
- Allow/Deny requests based on either /id groups or external IdP groups (RBAC)
- Allow/Deny requests based on attributes (ABAC)
- Authorization (OPA or custom rules), both route-based and within the application logic
- Migrating tokens from a legacy system (e.g., Laravel, Devise, Ping, and so on) to a new IdP
- Progressive migrations/interoperability of old systems with new ones
- Migration without invalidating sessions
- Centralizing AuthN and AuthZ audit logs
- Monitor service accounts/identity requests for security hygiene
- Logging capabilities to improve product analytics and attribution
- Traffic inspection for data governance/DLP/PII detection
- Token/credentials blacklisting
- Session management
You can find a list of example use cases for Gate on the Use cases page.
For available installation options, see the Installation page.
Check out the FAQ for more information.