Security

Apiway enforces security at the gateway — per operation, not per API. Every API deployed through the platform gets authentication and authorisation out of the box.

If your OpenAPI specification defines no security schemes, Apiway applies them automatically:

  • OAuth 2.0 client credentials flow is configured
  • Each operation gets a scope based on its operationId
  • Consumers receive a JWT with only the scopes their subscription entitles them to
  • The gateway enforces scopes on every request

You don’t need to configure security manually unless you want to override the defaults.

Per-operation enforcement. Security is driven by a SecurityCheckPolicyElement on each operation’s inbound policy pipeline — not by a single API-wide setting. This means different operations can have different security requirements.

No runtime lookups. The gateway doesn’t call a database to check permissions at request time. Scopes are embedded in the JWT, and the gateway verifies them locally. This keeps latency minimal.
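The default flow described above (one scope per operationId, a JWT carrying only the scopes a subscription entitles the consumer to, and a local scope check at the gateway with no database call) can be traced end to end in a small script. The code below is an added illustration, not Apiway's implementation: the OpenAPI document, the subscription data and the signing secret are constructed for the example, and it signs with HS256 so that it runs self-contained, whereas a real gateway would sign with an asymmetric key published at its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample OpenAPI document (not from Apiway): three operations, no securitySchemes.
OPENAPI_SPEC = {
    "paths": {
        "/orders": {
            "get": {"operationId": "listOrders"},
            "post": {"operationId": "createOrder"},
        },
        "/orders/{id}": {
            "delete": {"operationId": "deleteOrder"},
        },
    }
}

# Constructed signing secret; stands in for the gateway's real signing key.
SECRET = b"example-gateway-signing-secret"


def derive_scopes(spec):
    """Apiway's default rule: each operation gets a scope named after its operationId."""
    scopes = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            scopes[(method.upper(), path)] = op["operationId"]
    return scopes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret, client_id, entitled_scopes, now=None):
    """Token-endpoint side: the JWT's 'scope' claim lists only the subscription's scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": client_id, "iat": now, "exp": now + 3600,
               "scope": " ".join(sorted(entitled_scopes))}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret, token, now=None):
    """Gateway side: check algorithm, signature and expiry locally; no permission lookup."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' from the token alone
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload


def security_check(secret, scope_map, method, path, token, now=None):
    """Stand-in for the per-operation SecurityCheckPolicyElement.
    Returns 404 for an unknown operation, 401 for an invalid token, 403 for a missing scope, else 200."""
    required = scope_map.get((method, path))
    if required is None:
        return 404
    payload = verify_token(secret, token, now)
    if payload is None:
        return 401
    granted = set(payload.get("scope", "").split())
    return 200 if required in granted else 403


if __name__ == "__main__":
    scope_map = derive_scopes(OPENAPI_SPEC)
    # Constructed subscription: this consumer is entitled to listOrders only.
    token = issue_token(SECRET, "svc-reporting", {"listOrders"})
    for method, path in [("GET", "/orders"), ("POST", "/orders"), ("DELETE", "/orders/{id}")]:
        print(method, path, "->", security_check(SECRET, scope_map, method, path, token))
```

Running it prints 200 for GET /orders and 403 for the other two operations: the same token is accepted or rejected per operation, and the only state the gateway needs is its verification key and the scope map derived from the specification.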

| Method | Use Case |
| --- | --- |
| OAuth 2.0 Client Credentials | Machine-to-machine, service accounts |
| OAuth 2.0 Authorization Code | User-facing applications |
| OAuth 2.0 PKCE | Single-page apps, mobile apps |
| API Keys | Simple integrations, development |
| JWT Bearer | Token-based access from external IdPs |

Multiple authentication methods can coexist on the same API — even on the same operation.

When an API uses OAuth 2.0 security, Apiway’s gateway automatically exposes standard OpenID Connect endpoints:

| Endpoint | Path |
| --- | --- |
| Discovery | /.well-known/openid-configuration |
| JWKS | /.well-known/jwks |
| Authorize | /oauth2/v2/authorize |
| User Info | /oauth2/v2/userinfo |
| Revoke | /oauth2/v2/revoke |
| Introspect | /oauth2/v2/introspect |

These are generated automatically — you don’t need to implement them in your backend.