Authorizers (external enforcement)
SecureAuth authorizers enforce authorization decisions at runtime, near the resource. Use authorizers to apply centrally managed policies at your API gateway, service mesh, or custom application without duplicating policy logic in each layer.
Each authorizer discovers APIs, pulls policy configuration from the SecureAuth authorization server, and evaluates incoming requests at the edge. Because policy management stays centralized, you get a uniform authorization strategy across gateways, meshes, and applications.
Supported authorizers
| Authorizer | Target platform | Integration guide |
|---|---|---|
| Kong Authorizer | Kong API Gateway (Enterprise and Open-source) | Adding authorization to Kong with Kubernetes and Helm |
| Istio Authorizer | Istio service mesh | Protecting APIs deployed behind Istio service mesh |
| Apigee Edge Authorizer | Apigee Edge | Protecting APIs on Apigee Edge Gateway |
| Apigee X Authorizer | Apigee X | Protecting APIs on Apigee X Gateway |
| AWS Authorizer | Amazon API Gateway (REST APIs) | Protecting APIs deployed behind AWS API Gateway |
| Azure Authorizer | Azure API Management | Protecting APIs on Azure API Gateway |
| Pyron Authorizer | Pyron API Gateway | Protecting APIs on Pyron API Gateway |
| Kusk Authorizer | Kusk API Gateway | Protecting APIs on Kusk Gateway |
| GraphQL protection | GraphQL services behind Istio | Protecting GraphQL APIs |
| Standalone Authorizer | Any application or custom gateway | Protecting APIs with the standalone authorizer |
How authorizers work
An authorizer is a SecureAuth component deployed alongside, or as part of, your gateway or mesh. It is responsible for two things:
- API discovery. The authorizer periodically queries the gateway for service and API definitions, so SecureAuth stays in sync with gateway configuration.
- Policy enforcement. When a request hits the gateway, the authorizer evaluates the request against the authorization policies assigned to that endpoint and returns an allow or deny decision.
For the architectural overview, see API Gateway authorization with SecureAuth.
Multi-tenant authorizers
Multi-tenant authorizers run in the system tenant and protect multi-tenant APIs in on-premise or private cloud deployments. Use a multi-tenant authorizer when you need to protect APIs that span multiple tenants with centrally administered policies. See API Gateway authorization with SecureAuth for deployment detail.
Standalone authorizer
The standalone authorizer provides external authorization for any application or custom gateway, without being tied to a specific product. Use it when your gateway or application can call an external authorization service over HTTP but does not match one of the native integrations. See Protecting APIs with the standalone authorizer.