All Products
Search
Document Center

API Gateway:Global authentication

Last Updated:Jun 22, 2026

Cloud-native API Gateway supports multiple authentication methods to verify the identities of API callers at the gateway level.

In a microservices architecture, services are not directly exposed to external users (clients). Instead, a gateway sits between clients and services as a control point for access. The gateway authenticates incoming requests based on configurable access control policies.

Gateway authentication methods

Cloud-native API Gateway supports multiple authentication methods, including JSON Web Token (JWT) and custom authentication.

  • JSON Web Tokens (JWT)

    Cloud-native API Gateway provides a mechanism for authorized access to your APIs based on JWTs. You can use this mechanism to customize security settings. Cloud-native API Gateway verifies the identities of API callers and determines whether to return requested resources. Because tokens carry all necessary authentication information, applications do not need to store user authentication information or session information on the server side. This enables stateless, distributed authorization and facilitates application extension.

    For more information, see Configure JWT authentication.

  • OpenID Connect (OIDC)

    OIDC is an authentication protocol that allows third-party applications to obtain user identity information from identity providers securely. It extends OAuth 2.0 by adding an ID Token field that carries basic user identity data. The ID Token is encapsulated in JWT format, which provides a self-contained, tamper-proof mechanism that is easy to transmit and verify.

    For more information, see Configure OIDC authentication.

  • Custom authentication

    If client requests contain tokens in a custom format, the servers must call a unified authentication service to validate them. You can connect Cloud-native API Gateway with a custom authentication service to centrally manage authentication for all your backend services.

    For more information, see Configure custom authentication.