
Quickstart: Protect your first API

In about 10 minutes, you can enforce authorization on an HTTP API with SecureAuth Connect without writing any application code. You run the standalone authorizer locally, import an API definition, attach a policy in the SecureAuth UI, and verify enforcement with curl.

Prerequisites

  • A SecureAuth Connect tenant and a workspace.
  • Docker 20+ and Docker Compose 1.29+.
  • A terminal with curl.

How it fits

Your application asks the standalone authorizer whether each request is authorized. The authorizer holds the policy configuration it pulled from SecureAuth and returns allow or deny.

1. Create the standalone authorizer

  1. In your SecureAuth workspace, go to Authorization > Gateways.
  2. Select CREATE GATEWAY > Standalone. Give it a display name and description.
  3. On the Quick Start tab, select Download Package. You get a zip with .env, credentials.txt, and docker-compose.yml.

2. Run the authorizer

Unzip the package and run:

cat credentials.txt | docker login docker.secureauth.com --username acp --password-stdin
docker-compose up

When you see standalone-authorizer listening on https://localhost:9004, the authorizer is running.

3. Import your API

Save this as apis.json:

{
  "api_groups": [
    {
      "name": "my-service",
      "id": "my-service",
      "apis": [
        { "path": "/orders", "method": "GET" },
        { "path": "/orders", "method": "POST" }
      ]
    }
  ]
}

Import it:

curl -sSLk -X PUT https://localhost:9004/apis \
--header "content-type: application/json" \
--data @apis.json

Your APIs appear under the authorizer in the SecureAuth UI.

4. Attach a policy

  1. In your workspace, go to Enforcement > APIs.
  2. Find GET /orders, select Unrestricted, and choose a policy. For a first test, pick the built-in Block API policy.
  3. Select Save.

5. Verify enforcement

Call the authorizer's validation endpoint:

curl -sSLk -X POST https://localhost:9004/request/validate \
--header "content-type: application/json" \
--data '{"api_group":"my-service","method":"GET","path":"/orders"}'

Expected response:

HTTP/1.1 403 Access Forbidden
{"status_code":403,"error":"request is not authorized","details":null}

You are now enforcing authorization on GET /orders. Swap the Block API policy for any policy you author to apply real rules.
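The curl call above is what your application does on every request. Below is an added example (not SecureAuth's code) of a small client that POSTs the same body to /request/validate and fails closed: only an explicit HTTP 200 allows the request, while a 403 like the one shown, any other status, malformed output, or an unreachable authorizer all deny. The 200-means-allow convention and the transport injection are assumptions for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request

# Assumption (not stated in the quickstart): the authorizer answers an allowed
# request with HTTP 200. Everything else is treated as a deny.
AUTHORIZER_URL = "https://localhost:9004"


def validate_body(api_group, method, path):
    """Build the JSON document POSTed to /request/validate (shape from the quickstart)."""
    return json.dumps({"api_group": api_group, "method": method.upper(), "path": path})


def send_validate(body, context=None):
    """Default transport: POST the body to the authorizer, return (status, response_text)."""
    req = urllib.request.Request(
        AUTHORIZER_URL + "/request/validate", data=body.encode(),
        headers={"content-type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=2, context=context) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # 403 etc. arrive here, not as a normal response
        return e.code, e.read().decode()


def is_authorized(api_group, method, path, transport=send_validate):
    """Fail closed: returns (allowed, reason). Only a 200 from the authorizer allows."""
    try:
        status, text = transport(validate_body(api_group, method, path))
    except (urllib.error.URLError, OSError):  # DNS, refused connection, timeout
        return False, "authorizer unreachable"
    if status == 200:
        return True, "allowed"
    try:
        reason = json.loads(text).get("error", "denied")  # {"error": "request is not authorized"}
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        reason = "denied"
    return False, reason


if __name__ == "__main__":
    # The quickstart authorizer's certificate is self-signed (hence curl -k); skip
    # verification for localhost only and keep the default context in production.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    print(is_authorized("my-service", "GET", "/orders", transport=lambda b: send_validate(b, ctx)))
```

With the Block API policy attached, the script prints (False, 'request is not authorized'); once a permissive policy is attached it prints (True, 'allowed').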

Next steps