Identity Guard
Identity Guard is Apiway’s layered security model. It goes beyond simple authentication to verify who is calling, what they’re allowed to access, and whether their subscription entitles them to the requested operation.
Three Security Layers
Layer 1 — Partner Verification
Before any request is processed, the gateway verifies the caller’s identity:
- JWT validation — Signature, expiry, issuer, audience
- Subscription check — Does this credential belong to an active subscription?
- Tenant verification — Is the calling organisation registered and in good standing?
Invalid or expired credentials are rejected immediately. No backend resources are consumed.
Layer 2 — Identity Filtering
Not every authenticated user should see everything. Identity filtering controls access based on context:
- Scopes — The JWT carries only the scopes the subscription entitles. Each operation requires specific scopes.
- Roles — Roles are bundles of scopes. A `payments-reader` role grants read operations; `payments-admin` grants write operations too.
- Subscription tier — Different SLA tiers can entitle different operations. A Free tier might exclude bulk export endpoints.
Layer 3 — Entitlement Protection
The finest-grained control — per-operation entitlement enforcement:
- The gateway reads the `SecurityCheckPolicyElement` on each operation
- Compares the JWT’s scopes against the operation’s required scopes
- Returns 403 if the caller lacks the required entitlement
- No database lookup at request time — everything is in the JWT
How It’s Enforced
All three layers execute in the gateway’s SecurityStage — a single pipeline step that runs before any backend call:
| Check | Failure Response |
|---|---|
| Invalid/expired token | 401 Unauthorized |
| Missing required scope | 403 Forbidden |
| Subscription inactive | 401 Unauthorized |
Enforcement is sub-millisecond. The gateway reads the JWT, checks scopes locally, and proceeds or rejects. No network calls, no database queries. The flip side of a purely local check is that a subscription deactivated, or a scope withdrawn, after a token was issued is only noticed once that token expires, so the token lifetime bounds how long a revoked credential keeps working.
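The following is an added example, not Apiway’s code, that models the three layers and the SecurityStage decision table above in one pipeline step: token validation (signature, expiry, issuer, audience, subscription status), role-to-scope expansion, and the per-operation scope comparison. It assumes HS256 tokens under a shared secret so that it runs offline (the page says production validation uses OIDC discovery plus JWKS), a `kid` to key mapping to model credential rotation, the scope and operation names, and a `sub_active` claim as the way subscription status travels inside the JWT; none of those names come from the page.

```python
# Added example, not Apiway's code: a minimal model of the gateway's
# SecurityStage as the page describes it. Assumed, not from the page: HS256
# tokens under a shared secret so it runs offline (the page says production
# uses OIDC discovery + JWKS), a kid -> key set to model rotation, the scope
# names, and a 'sub_active' claim carrying subscription status in the JWT.
import base64, hashlib, hmac, json, time

ISSUER, AUDIENCE = "https://idp.example", "apiway-gateway"  # assumed values

# Signing keys by kid (constructed). Rotation adds a kid; the old one stays
# valid until revoke_key() drops it after consumers have migrated.
SIGNING_KEYS = {"k1": b"old-shared-secret", "k2": b"new-shared-secret"}

# Roles are bundles of scopes; scope names are assumed.
ROLES = {
    "payments-reader": {"payments:read"},
    "payments-admin": {"payments:read", "payments:write"},
}

# Required scopes per operation, standing in for its SecurityCheckPolicyElement.
OPERATIONS = {
    "GET /payments": {"payments:read"},
    "POST /payments": {"payments:write"},
    "GET /payments/export": {"payments:read", "payments:export"},
}

class Rejected(Exception):
    """Carries the HTTP status the gateway answers with: 401 or 403."""
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, kid, secret=None):
    """Test helper standing in for the IdP: sign the claims as an HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = ".".join(_b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    key = SIGNING_KEYS[kid] if secret is None else secret
    return body + "." + _b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())

def revoke_key(kid):
    """Credential lifecycle: retire an old signing key once migration is complete."""
    SIGNING_KEYS.pop(kid, None)

def verify_token(token, now=None):
    """Layer 1: signature, expiry, issuer, audience, then subscription status."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:
        raise Rejected(401, "malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise Rejected(401, "malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
        raise Rejected(401, "unsupported alg")
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        raise Rejected(401, "unknown or revoked kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise Rejected(401, "bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise Rejected(401, "expired or missing exp")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise Rejected(401, "wrong issuer or audience")
    if claims.get("sub_active") is not True:
        raise Rejected(401, "subscription inactive")
    return claims

def effective_scopes(claims):
    """Layer 2: scopes granted directly plus those bundled in the caller's roles."""
    scopes = set(claims.get("scope", "").split())
    for role in claims.get("roles", []):
        scopes |= ROLES.get(role, set())
    return scopes

def authorize(token, operation, now=None):
    """Layer 3: every scope the operation requires must be present in the token."""
    claims = verify_token(token, now)
    missing = OPERATIONS[operation] - effective_scopes(claims)
    if missing:
        raise Rejected(403, "missing scope(s): " + " ".join(sorted(missing)))
    return claims

def security_stage(token, operation, now=None):
    """The whole pipeline step: 200 means proceed to the backend, else the failure status."""
    try:
        authorize(token, operation, now)
        return 200
    except Rejected as err:
        return err.status
```

Two design points carry over to a real deployment regardless of the signing algorithm: the accepted algorithm is pinned in the verifier rather than read from the token, so a header claiming `alg: none` is rejected before any signature logic runs, and the signature is checked with a constant-time comparison. Keeping the retired `kid` in the key set until consumers have moved to the new credential is what makes the rotation in the Credential Lifecycle section downtime-free.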
External Identity Providers
Apiway integrates with external IdPs for user authentication:
| Provider | Integration |
|---|---|
| Azure AD B2C | Native integration via admin-service |
| Clerk | Supported via gateway’s open-id-jwt-auth-inbound policy |
| Any OIDC provider | Standard OpenID Connect discovery + JWKS validation |
You can configure different IdPs per environment — e.g., Clerk for the developer portal, Azure AD for internal users.
Credential Lifecycle
Credentials are managed per subscription:
- Provisioned automatically when a subscription is approved
- Rotation — Generate new credentials without downtime; revoke old ones after migration
- Expiry tracking — Apiway monitors credential age and notifies consumers when rotation is recommended
- Gateway injection — For consumed external APIs, the gateway injects the provider’s credentials automatically
Revenue Protection
Identity Guard isn’t just security — it protects revenue. Every request that bypasses authentication is an unmetered request:
- No authentication → no RU tracking → no billing
- Identity Guard ensures every request is tied to a subscription
- Unmetered consumption is impossible — the gateway rejects before the backend is reached