Cloud-native API Gateway supports custom authorization services, centralizing access control at the gateway instead of integrating separately with each backend.
How custom authorization works
Servers secure APIs by validating tokens included in client requests.
-
If the token is a JWT, you can validate its signature anywhere using a public key, without calling a centralized service.
-
If the token uses a custom format, the server must call a centralized authorization service. Cloud-native API Gateway supports this scenario.
The following diagram shows the request flow when a gateway instance uses a custom authorization service.

-
The client sends an authentication request, such as a login operation, to the gateway.
-
The gateway forwards the authentication request directly to the authentication service.
-
The authentication service validates the credentials in the request, such as a username and password. If the validation is successful, it returns a token to the gateway, which then sends the token to the client.
-
The client sends a business request, such as an order operation on
/order, including the token obtained in the previous step. -
The gateway extracts the path (including query parameters), HTTP method, and token from the original request, then sends an authorization request to the custom service. Configure the token header in the gateway console. You can also include the original request body.
For example, if the authorization API is
/validateTokenand the original request path is/order, the authorization request path becomes/validateToken/order. -
When the authorization service receives the authorization request, it validates the token and can also authorize based on the original request path.
-
If your authorization service can modify the HTTP status code in its response, use the status code to indicate the authorization result.
-
A 200 status code means the request is authorized. The gateway forwards the original request to the backend service and returns the response to the client.
-
A 401 or 403 status code means the request is unauthorized. The gateway returns the authorization service response directly to the client.
-
-
If your authorization service must return HTTP 200 for all responses due to business constraints, use the built-in
x-mse-external-authz-check-resultHTTP header.-
The
x-mse-external-authz-check-resultresponse header istrue: the token is valid or has permission to access the backend resource. The gateway forwards the request to the backend and returns the response to the client. -
The
x-mse-external-authz-check-resultresponse header isfalse: the token is invalid or lacks permission. The gateway returns the authorization service response directly to the client.
-
-
Create a custom authorizer
Log on to the API Gateway console.
In the left-side navigation pane, click . In the top navigation bar, select a region.
-
On the Instance page, click the name of the target gateway instance.
-
In the left-side navigation pane, click .
-
On the Global Authentication page, click Create Authentication. In the Create Authentication panel, configure the parameters and click OK.
Parameter
DescriptionCustom Authentication Service
Enable
Enables or disables authorization for this gateway instance.
Authentication Name
A custom name for the authorization rule.
Authentication Type
Select Custom Authentication Service.
Authentication Service
The backend service that performs authorization. You can add services in the service management module. Add a service.
Note-
Only HTTP services are supported.
-
If a Kubernetes Service has multiple ports, the gateway uses the first port by default. To use a different port, create a separate Kubernetes Service in ACK that exposes only the target port.
Authentication API
The path of the authorization API. Requires a prefix match.
For example, if your authorization service is built with Spring MVC and exposes an authorization API at
/check, the following setting handles requests for/check/**:@RequestMapping("/check/**") public ResponseEntity<RestResult<String>> check(){}Token Location
The request header containing the token, such as
AuthorizationandCookie. You can select a header from the dropdown list by choosing Select or add one manually by choosing Add Manually.Allowed Headers in Authentication Rrequest
Headers from the original client request to pass to the authorization service.
NoteThe
Host,Method,Path, andContent-Lengthheaders are passed by default. You do not need to add them.Allowed Headers in Authentication Response
Headers from the authorization service response to add to the upstream request sent to the backend.
NoteIf a header specified here already exists in the client request, its value is overwritten.
Allow Body in Authentication Request
If you select Allow Body in Authentication Request, the authorization request includes the body of the original request.
Maximum Body Size specifies the maximum size of the request body that can be passed to the authorization service, in bytes.
Timeout Period
Maximum wait time for the authorization service response, in seconds. Default: 10 seconds.
Mode
Supports Loose and Strict modes. Loose mode is recommended.
-
Loose Mode: If the authorization service is unavailable (for example, fails to connect or returns a 5xx error), the gateway allows the client request to proceed.
-
Strict Mode: If the authorization service is unavailable, the gateway denies the client request.
Simple Conditions
On the right of Authorization, click Simple Conditions. This authorization mode supports Whitelist Mode and Blacklist Mode.
-
Whitelist Mode: Requests that match the hosts and paths in the allowlist bypass authorization. All other requests require authorization.
-
Blacklist Mode: Only requests that match the hosts and paths in the denylist require authorization. All other requests bypass authorization.
Click Rule Condition to set the request domain, path, and request headers.
-
Domain Name: The requested host.
-
Path: The requested API path.
-
Path Match Condition: The path supports exact match, prefix match, and regular expression match.
-
Exact Match: Enter a full path, such as
/app/v1/order. -
Prefix Match: Enter a path prefix ending with an asterisk (
*). For example, to match all requests that start with/app, enter/app/*. -
Regular Expression Match: The regular expression syntax follows the RE2 syntax standard.
Case sensitive: If you select this checkbox, the path matching becomes case-sensitive.
-
-
Header: The request header information. Click Request Header to add multiple header conditions. All conditions are joined by a logical AND.
-
HeaderKey: The name of the header field.
-
Condition: The match condition for the header.
-
Equals To: The value of the specified header key exactly matches the input value.
-
Does Not Equal To: The value of the specified header key does not match the input value.
-
Exists: The specified header key exists in the request.
-
Does Not Exist: The specified header key does not exist in the request.
-
Contains: The value of the specified header key contains the input value.
-
Excludes: The value of the specified header key does not contain the input value.
-
Prefix: The value of the specified header key starts with the input value.
-
Suffix: The value of the specified header key ends with the input value.
-
Regular Expression Match: The value of the specified header key matches the input regular expression. The syntax follows the RE2 syntax standard.
-
-
Value: The value of the header field to match against.
-
Complex Conditions
To the right of Authorization, click Complex Conditions.
This mode allows you to configure authorization rules with combined AND, OR, and NOT logic using a YAML configuration of Envoy's permission data structure. Authorization applies only when the configured conditions are met; other requests bypass authorization.
Note-
For a complete description of the permission data structure fields, see the official Envoy documentation.
-
For configuration examples, see Examples of complex condition authorization.
Return to the Global Authentication page. A rule is created when it appears in the list.
-
View and manage authorizers
Log on to the API Gateway console.
In the left-side navigation pane, click . In the top navigation bar, select a region.
-
On the Instance page, click the name of the target gateway instance.
-
In the left-side navigation pane, click .
-
On the Authentication page, find the target authorization rule and click Description in the Actions column. You can view the Basic Information and Authentication Configuration, and also manage the Authorization Information.

In the Authorization Information section, click Create Authorization. In the dialog box that appears, enter the Request Domain Name and Request Path, select a Match Mode, and then click OK to add a new authorization rule.
Related operations
You can manage gateway authorization rules as follows:
-
Enable authorization: On the Global Authentication page, find the target authorization rule and click Enable in the Actions column to activate the rule.
-
Disable authorization: On the Global Authentication page, find the target authorization rule and click Close in the Actions column to deactivate the rule.
-
Edit authorization: On the Global Authentication page, find the target authorization rule and click Edit in the Actions column to modify the rule.
-
Delete authorization: On the Global Authentication page, find the target authorization rule and click Delete in the Actions column to remove the rule.
You can delete an authorization rule only after it has been disabled.
Complex authorization examples
Regex domain matching
In this example, authorization applies only to requests to exampleA.com and exampleB.com that match a path prefix. The regular expression in the regex field must be an exact match, not a partial match.
In this case, a request to test.exampleA.com does not meet the condition and therefore bypasses authorization.
-
The regular expression syntax follows the RE2 syntax standard.
-
For a complete description of the permission data structure fields, see the official Envoy documentation.
permissions:
# and_rules: Authorization is performed if all of the following rules are met.
- and_rules:
rules:
- url_path:
# Match path prefix.
path:
prefix: /
- header:
# Match a regular expression.
safe_regex_match:
regex: "(exampleA\\.com|exampleB\\.com)"
# The :authority header can be used to get the domain name,
# following the HTTP pseudo-header specification.
name: ":authority"
Combining conditions with and, or, and not
The following logic determines when authorization is required:
-
Requests with the
exampleA.com/apiprefix require authorization, with the following exceptions:-
exampleA.com/api/appa/bbbdoes not require authorization. -
exampleA.com/api/appb/cccdoes not require authorization.
-
-
All requests to
exampleB.comrequire authorization, with the following exceptions:-
exampleB.com/api/appa/bbbdoes not require authorization. -
exampleB.com/api/appb/cccdoes not require authorization. -
Requests with the
exampleB.com/api/appcprefix do not require authorization, with the following exceptions:-
exampleB.com/api/appc/bbb/cccrequires authorization. -
exampleB.com/api/appc/ccc/dddrequires authorization.
-
-
The following diagram illustrates the logic:
The following YAML configuration corresponds to this logic:
permissions:
# or_rules: Authorization is performed if any of the following rules are met.
- or_rules:
rules:
# and_rules: This rule is met if all of the following sub-rules are met.
# Rule 1
- and_rules:
rules:
- url_path:
path:
exact: /api/appc/bbb/ccc
- header:
exact_match: "exampleB.com"
name: ":authority"
# Rule 2
- and_rules:
rules:
- url_path:
path:
exact: /api/appc/ccc/ddd
- header:
exact_match: "exampleB.com"
name: ":authority"
- and_rules:
rules:
# Rule 3
- url_path:
path:
prefix: /api/
# not_rule: This rule is met if the following condition is NOT met.
# Rule 4
- not_rule:
url_path:
path:
exact: /api/appa/bbb
# Rule 5
- not_rule:
url_path:
path:
exact: /api/appb/ccc
- header:
exact_match: "exampleA.com"
name: ":authority"
- and_rules:
rules:
# Rule 6
- url_path:
path:
prefix: /
# not_rule: This rule is met if the following condition is NOT met.
# Rule 7
- not_rule:
url_path:
path:
exact: /api/appa/bbb
# Rule 8
- not_rule:
url_path:
path:
exact: /api/appb/ccc
# Rule 9
- not_rule:
url_path:
path:
prefix: /api/appc/
- header:
exact_match: "exampleB.com"
name: ":authority"