API authorization

API authorization controls who can access your APIs and what they can do, independent of which gateway you use. The guides in this section cover different patterns, from simple scope checks to policy-based decisions, so you can pick the approach that fits your application.

💡 Why this matters
The right authorization pattern helps you enforce business rules like "managers can approve over $1000" or "users can only see their own data."

Common patterns:

  • Dynamic Scopes - Rules that adapt based on user context
  • OPA Policies - Complex authorization rules using Rego language
  • Metadata - Decisions based on application or developer attributes
  • GraphQL - Field-level authorization for GraphQL APIs

Need to set up your gateway first? See API Gateway Integrations for gateway-specific setup.