All Products
Search
Document Center

API Gateway:Configure a custom authorizer

Last Updated:Jun 03, 2026

Cloud-native API Gateway supports custom authorization services, centralizing access control at the gateway instead of integrating separately with each backend.

How custom authorization works

Servers secure APIs by validating tokens included in client requests.

  • If the token is a JWT, you can validate its signature anywhere using a public key, without calling a centralized service.

  • If the token uses a custom format, the server must call a centralized authorization service. Cloud-native API Gateway supports this scenario.

The following diagram shows the request flow when a gateway instance uses a custom authorization service.

Request flow for Cloud-native API Gateway with custom authorization

  1. The client sends an authentication request, such as a login operation, to the gateway.

  2. The gateway forwards the authentication request directly to the authentication service.

  3. The authentication service validates the credentials in the request, such as a username and password. If the validation is successful, it returns a token to the gateway, which then sends the token to the client.

  4. The client sends a business request, such as an order operation on /order, including the token obtained in the previous step.

  5. The gateway extracts the path (including query parameters), HTTP method, and token from the original request, then sends an authorization request to the custom service. Configure the token header in the gateway console. You can also include the original request body.

    For example, if the authorization API is /validateToken and the original request path is /order, the authorization request path becomes /validateToken/order.

  6. When the authorization service receives the authorization request, it validates the token and can also authorize based on the original request path.

    • If your authorization service can modify the HTTP status code in its response, use the status code to indicate the authorization result.

      • A 200 status code means the request is authorized. The gateway forwards the original request to the backend service and returns the response to the client.

      • A 401 or 403 status code means the request is unauthorized. The gateway returns the authorization service response directly to the client.

    • If your authorization service must return HTTP 200 for all responses due to business constraints, use the built-in x-mse-external-authz-check-result HTTP header.

      • The x-mse-external-authz-check-result response header is true: the token is valid or has permission to access the backend resource. The gateway forwards the request to the backend and returns the response to the client.

      • The x-mse-external-authz-check-result response header is false: the token is invalid or lacks permission. The gateway returns the authorization service response directly to the client.

Create a custom authorizer

  1. Log on to the API Gateway console.

  2. In the left-side navigation pane, click Cloud-native API Gateway > Instance. In the top navigation bar, select a region.

  3. On the Instance page, click the name of the target gateway instance.

  4. In the left-side navigation pane, click Security Management > Global Authentication.

  5. On the Global Authentication page, click Create Authentication. In the Create Authentication panel, configure the parameters and click OK.

    Parameter

    DescriptionCustom Authentication Service

    Enable

    Enables or disables authorization for this gateway instance.

    Authentication Name

    A custom name for the authorization rule.

    Authentication Type

    Select Custom Authentication Service.

    Authentication Service

    The backend service that performs authorization. You can add services in the service management module. Add a service.

    Note
    • Only HTTP services are supported.

    • If a Kubernetes Service has multiple ports, the gateway uses the first port by default. To use a different port, create a separate Kubernetes Service in ACK that exposes only the target port.

    Authentication API

    The path of the authorization API. Requires a prefix match.

    For example, if your authorization service is built with Spring MVC and exposes an authorization API at /check, the following setting handles requests for /check/**:

    @RequestMapping("/check/**")
    public ResponseEntity<RestResult<String>> check(){}

    Token Location

    The request header containing the token, such as Authorization and Cookie. You can select a header from the dropdown list by choosing Select or add one manually by choosing Add Manually.

    Allowed Headers in Authentication Rrequest

    Headers from the original client request to pass to the authorization service.

    Note

    The Host, Method, Path, and Content-Length headers are passed by default. You do not need to add them.

    Allowed Headers in Authentication Response

    Headers from the authorization service response to add to the upstream request sent to the backend.

    Note

    If a header specified here already exists in the client request, its value is overwritten.

    Allow Body in Authentication Request

    If you select Allow Body in Authentication Request, the authorization request includes the body of the original request.

    Maximum Body Size specifies the maximum size of the request body that can be passed to the authorization service, in bytes.

    Timeout Period

    Maximum wait time for the authorization service response, in seconds. Default: 10 seconds.

    Mode

    Supports Loose and Strict modes. Loose mode is recommended.

    • Loose Mode: If the authorization service is unavailable (for example, fails to connect or returns a 5xx error), the gateway allows the client request to proceed.

    • Strict Mode: If the authorization service is unavailable, the gateway denies the client request.

    Simple Conditions

    On the right of Authorization, click Simple Conditions. This authorization mode supports Whitelist Mode and Blacklist Mode.

    • Whitelist Mode: Requests that match the hosts and paths in the allowlist bypass authorization. All other requests require authorization.

    • Blacklist Mode: Only requests that match the hosts and paths in the denylist require authorization. All other requests bypass authorization.

    Click Rule Condition to set the request domain, path, and request headers.

    • Domain Name: The requested host.

    • Path: The requested API path.

    • Path Match Condition: The path supports exact match, prefix match, and regular expression match.

      • Exact Match: Enter a full path, such as /app/v1/order.

      • Prefix Match: Enter a path prefix ending with an asterisk (*). For example, to match all requests that start with /app, enter /app/*.

      • Regular Expression Match: The regular expression syntax follows the RE2 syntax standard.

      Case sensitive: If you select this checkbox, the path matching becomes case-sensitive.

    • Header: The request header information. Click Request Header to add multiple header conditions. All conditions are joined by a logical AND.

      • HeaderKey: The name of the header field.

      • Condition: The match condition for the header.

        • Equals To: The value of the specified header key exactly matches the input value.

        • Does Not Equal To: The value of the specified header key does not match the input value.

        • Exists: The specified header key exists in the request.

        • Does Not Exist: The specified header key does not exist in the request.

        • Contains: The value of the specified header key contains the input value.

        • Excludes: The value of the specified header key does not contain the input value.

        • Prefix: The value of the specified header key starts with the input value.

        • Suffix: The value of the specified header key ends with the input value.

        • Regular Expression Match: The value of the specified header key matches the input regular expression. The syntax follows the RE2 syntax standard.

      • Value: The value of the header field to match against.

    Complex Conditions

    To the right of Authorization, click Complex Conditions.

    This mode allows you to configure authorization rules with combined AND, OR, and NOT logic using a YAML configuration of Envoy's permission data structure. Authorization applies only when the configured conditions are met; other requests bypass authorization.

    Note

    Return to the Global Authentication page. A rule is created when it appears in the list.

View and manage authorizers

  1. Log on to the API Gateway console.

  2. In the left-side navigation pane, click Cloud-native API Gateway > Instance. In the top navigation bar, select a region.

  3. On the Instance page, click the name of the target gateway instance.

  4. In the left-side navigation pane, click Security Management > Global Authentication.

  5. On the Authentication page, find the target authorization rule and click Description in the Actions column. You can view the Basic Information and Authentication Configuration, and also manage the Authorization Information.

    image

    In the Authorization Information section, click Create Authorization. In the dialog box that appears, enter the Request Domain Name and Request Path, select a Match Mode, and then click OK to add a new authorization rule.

Related operations

You can manage gateway authorization rules as follows:

  • Enable authorization: On the Global Authentication page, find the target authorization rule and click Enable in the Actions column to activate the rule.

  • Disable authorization: On the Global Authentication page, find the target authorization rule and click Close in the Actions column to deactivate the rule.

  • Edit authorization: On the Global Authentication page, find the target authorization rule and click Edit in the Actions column to modify the rule.

  • Delete authorization: On the Global Authentication page, find the target authorization rule and click Delete in the Actions column to remove the rule.

Note

You can delete an authorization rule only after it has been disabled.

Complex authorization examples

Regex domain matching

In this example, authorization applies only to requests to exampleA.com and exampleB.com that match a path prefix. The regular expression in the regex field must be an exact match, not a partial match.

In this case, a request to test.exampleA.com does not meet the condition and therefore bypasses authorization.

Note
permissions:
# and_rules: Authorization is performed if all of the following rules are met.
- and_rules:
    rules:
      - url_path:
          # Match path prefix.
          path:
            prefix: /
      - header:
          # Match a regular expression.
          safe_regex_match:
            regex: "(exampleA\\.com|exampleB\\.com)"
          # The :authority header can be used to get the domain name,
          # following the HTTP pseudo-header specification.
          name: ":authority"

Combining conditions with and, or, and not

The following logic determines when authorization is required:

  1. Requests with the exampleA.com/api prefix require authorization, with the following exceptions:

    1. exampleA.com/api/appa/bbb does not require authorization.

    2. exampleA.com/api/appb/ccc does not require authorization.

  2. All requests to exampleB.com require authorization, with the following exceptions:

    1. exampleB.com/api/appa/bbb does not require authorization.

    2. exampleB.com/api/appb/ccc does not require authorization.

    3. Requests with the exampleB.com/api/appc prefix do not require authorization, with the following exceptions:

      1. exampleB.com/api/appc/bbb/ccc requires authorization.

      2. exampleB.com/api/appc/ccc/ddd requires authorization.

The following diagram illustrates the logic:

The following YAML configuration corresponds to this logic:

permissions:
# or_rules: Authorization is performed if any of the following rules are met.
- or_rules:
    rules:
      # and_rules: This rule is met if all of the following sub-rules are met.
      # Rule 1
      - and_rules:
          rules:
            - url_path:
                path:
                  exact: /api/appc/bbb/ccc
            - header:
                exact_match: "exampleB.com"
                name: ":authority"
      # Rule 2
      - and_rules:
          rules:
            - url_path:
                path:
                  exact: /api/appc/ccc/ddd
            - header:
                exact_match: "exampleB.com"
                name: ":authority"
      - and_rules:
          rules:
            # Rule 3
            - url_path:
                path:
                  prefix: /api/
            # not_rule: This rule is met if the following condition is NOT met.
            # Rule 4
            - not_rule:
                url_path:
                  path:
                    exact: /api/appa/bbb
            # Rule 5
            - not_rule:
                url_path:
                  path:
                    exact: /api/appb/ccc
            - header:
                exact_match: "exampleA.com"
                name: ":authority"
      - and_rules:
          rules:
            # Rule 6
            - url_path:
                path:
                  prefix: /
            # not_rule: This rule is met if the following condition is NOT met.
            # Rule 7
            - not_rule:
                url_path:
                  path:
                    exact: /api/appa/bbb
            # Rule 8
            - not_rule:
                url_path:
                  path:
                    exact: /api/appb/ccc
            # Rule 9
            - not_rule:
                url_path:
                  path:
                    prefix: /api/appc/
            - header:
                exact_match: "exampleB.com"
                name: ":authority"