Where authorization happens
SecureAuth Connect enforces authorization at many points across the request lifecycle, not just at the API edge. This page maps every enforcement point, what it guards, and which access control model fits each one.
Authorization enforcement on SecureAuth falls into two categories:
- In-platform enforcement, built into SecureAuth's own flows. Decisions happen inside the authorization server before a token is issued or a consent is recorded.
- External enforcement, handled by SecureAuth authorizers deployed near the resource: API gateways, service meshes, and the standalone authorizer.
The enforcement map
| Enforcement point | Category | What it guards | Typical model |
|---|---|---|---|
| Client application | In-platform | Who can sign in to an application and under what conditions | PBAC, RBAC |
| Authorization server (token issuance) | In-platform | Who can obtain a token, and which tokens are issued | PBAC, RBAC, scope-based |
| Scope grant | In-platform | Who can grant, request, or consent to a scope | Scope-based policies |
| Dynamic scope evaluation | In-platform | Per-resource scope approvals at issuance | Scope-based policies, PBAC |
| Rich Authorization Request (RAR) | In-platform | Transaction-specific authorization details at consent | PBAC, scope-based |
| API gateway authorizer | External | Requests hitting REST, HTTP, or WebSocket APIs behind a gateway | PBAC, RBAC, FGA |
| Service mesh authorizer | External | Service-to-service requests inside a mesh | PBAC, RBAC, FGA |
| Standalone authorizer | External | Any application or custom gateway that can call an external authorization service | PBAC, RBAC, FGA |
In-platform enforcement
In-platform enforcement happens inside SecureAuth before a token is issued or a consent is recorded. Use in-platform enforcement when you want the authorization decision to shape the token itself (for example, which scopes it carries) or the consent a user approves. Because the decision runs before issuance, a denial here means no token or consent record is produced at all, so downstream resources never receive a credential for a request that failed at this point.
For detail on each in-platform enforcement point, see In-platform enforcement.
External enforcement
External enforcement happens at runtime, near the resource. SecureAuth authorizers pull policy configuration from the authorization server and evaluate it at the edge: at the API gateway, in the service mesh, or inside an application.
For the list of supported authorizers and integration links, see Authorizers.
Combining enforcement points
Most deployments combine in-platform and external enforcement. A token whose scopes were already constrained by scope-based policies at the authorization server can then be evaluated by a gateway authorizer for the specific API being called, and again by a service mesh authorizer for each service-to-service hop. Because policies live in one place, you can express an end-to-end authorization model without duplicating logic across layers, and each layer enforces only the part of the model that applies to it.
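The layered flow described above, as an added example; it is not SecureAuth Connect's code or policy language, and it serves both the in-platform section (scope shaping at issuance) and this section (gateway and mesh checks on the resulting token). The policy tables, the `Token` shape, the function names, and the assumption that the mesh authorizer sees both an mTLS service identity and the user token forwarded from the gateway hop are constructed for illustration only.

```python
"""Three enforcement points reading one shared policy set.

Hypothetical model, not SecureAuth's API: issue_token() stands in for the
in-platform decision, gateway_authorize() and mesh_authorize() for the two
external authorizers. All policy data below is constructed sample data.
"""
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Single policy store consulted by every layer (constructed sample).
# Scope policy: which client may obtain which scopes (in-platform).
CLIENT_SCOPE_POLICY = {
    "mobile-app": {"orders:read", "orders:write"},
    "reporting-job": {"orders:read"},
}
# Route policy: scope required per gateway route (external, API gateway).
ROUTE_SCOPE_POLICY = [
    ("GET", "/orders/*", "orders:read"),
    ("POST", "/orders", "orders:write"),
]
# Mesh policy: permitted (caller, callee) service pairs (external, mesh).
MESH_CALL_POLICY = {
    ("orders-api", "inventory"),
    ("orders-api", "payments"),
}
RESOURCE_AUDIENCE = "orders-api"


@dataclass(frozen=True)
class Token:
    sub: str
    client_id: str
    scope: FrozenSet[str]  # scopes actually granted, not merely requested
    aud: str


def issue_token(client_id: str, sub: str, requested_scopes) -> Optional[Token]:
    """In-platform enforcement: the decision shapes the token itself.

    Requested scopes are intersected with the client's policy; if nothing
    survives, no token is issued at all (returns None).
    """
    allowed = CLIENT_SCOPE_POLICY.get(client_id, set())
    granted = frozenset(requested_scopes) & allowed
    if not granted:
        return None
    return Token(sub=sub, client_id=client_id, scope=granted, aud=RESOURCE_AUDIENCE)


def gateway_authorize(token: Optional[Token], method: str, path: str) -> Tuple[bool, str]:
    """External enforcement at the gateway: audience check plus the route's scope.

    Routes with no policy entry are denied by default.
    """
    if token is None:
        return False, "no token"
    if token.aud != RESOURCE_AUDIENCE:
        return False, "wrong audience"
    for route_method, pattern, needed in ROUTE_SCOPE_POLICY:
        if route_method == method and fnmatch.fnmatchcase(path, pattern):
            if needed in token.scope:
                return True, "scope %s present" % needed
            return False, "missing scope %s" % needed
    return False, "no route policy: deny by default"


def mesh_authorize(caller: str, callee: str, token: Optional[Token]) -> Tuple[bool, str]:
    """External enforcement in the mesh: service identity (assumed to come from
    mTLS) plus the end-user token forwarded from the gateway hop."""
    if (caller, callee) not in MESH_CALL_POLICY:
        return False, "%s may not call %s" % (caller, callee)
    if token is None:
        return False, "missing forwarded user token"
    return True, "service pair allowed"


def end_to_end(client_id, sub, requested, method, path, caller, callee) -> dict:
    """Run all three layers in order and report where the request stopped."""
    tok = issue_token(client_id, sub, requested)
    gw_ok, gw_reason = gateway_authorize(tok, method, path)
    if not gw_ok:
        return {"stage": "gateway", "allowed": False, "reason": gw_reason}
    mesh_ok, mesh_reason = mesh_authorize(caller, callee, tok)
    return {"stage": "mesh", "allowed": mesh_ok, "reason": mesh_reason}


if __name__ == "__main__":
    # reporting-job asks for write scope it is not entitled to: the token is
    # issued with orders:read only, and the gateway rejects the POST.
    print(end_to_end("reporting-job", "alice", {"orders:read", "orders:write"},
                     "POST", "/orders", "orders-api", "inventory"))
    # mobile-app reading an order and fanning out to inventory: allowed end to end.
    print(end_to_end("mobile-app", "bob", {"orders:read"},
                     "GET", "/orders/42", "orders-api", "inventory"))
```

The point to notice is that `CLIENT_SCOPE_POLICY` is consulted only once, at issuance; the gateway trusts the scopes in the token rather than re-deriving them, and the mesh adds the service-pair rule the gateway cannot see. That is the division of labour the enforcement map describes.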