Authentication & Authorization - FluxGate
Open-source API gateway for microservices
Security Architecture
Authentication Methods Overview
FluxGate enforces zero-trust principles by validating every inbound request before routing to downstream microservices. Our gateway supports three primary identity verification strategies tailored for enterprise-grade workloads.
JSON Web Tokens (JWT)
Stateless bearer token validation using RS256/ES256 signatures. Integrates seamlessly with Auth0, Okta, and Keycloak via JWKS endpoint polling every 300 seconds.
OAuth 2.0 / OIDC
Full authorization code flow with PKCE enforcement. Supports scope mapping, audience validation, and automatic token refresh for long-running WebSocket connections.
API Keys
Header- and query-parameter-based key verification with HMAC-SHA256 signing. Includes rate-limiting quotas, IP allowlisting, and automatic key-rotation policies.
Token Validation
JWT Configuration Setup
Deploy stateless authentication by pointing FluxGate to your identity provider's JWKS endpoint. The gateway caches signing keys in-memory and validates token claims against route-level policies.
Navigate to your route definition in `fluxgate.yaml` and attach the `jwt` middleware. Specify the `issuer`, `audience`, and `clockSkewTolerance` (default 60s). FluxGate automatically rejects expired tokens and enforces strict `nbf` (not before) checks.
```yaml
middleware:
  - jwt:
      issuer: https://auth.stripe.com
      audience: payments-api
      jwks_uri: https://auth.stripe.com/.well-known/jwks.json
```
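The checks the `jwt` middleware performs on every request can be followed end to end in code. The Go program below is an added example, not FluxGate's implementation: it mints an RS256 token with a freshly generated key, publishes the public half in JWKS form (what the `jwks_uri` document would return), and verifies the token against the `issuer`, `audience` and 60-second skew tolerance from the configuration above, rejecting expired tokens and enforcing `nbf`. The type and function names (`JWK`, `Claims`, `VerifyRS256`, `SignRS256`, `RunScenarios`), the `k1` key id and the `orders-api` audience are constructed for this example; fetching and caching the JWKS over HTTP is left out, the keys are passed in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK: RSA subset of a JWKS entry (N, E base64url big-endian); Claims: registered claims checked by the route policy. Names assumed.
type JWK struct{ Kid, Kty, N, E string }
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf"`
}

var b64 = base64.RawURLEncoding

// VerifyRS256 verifies the signature with the JWKS key named by the header kid, then enforces iss, aud, exp and nbf with skew tolerance.
func VerifyRS256(token string, jwks []JWK, issuer, audience string, skew time.Duration, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header rejected") // alg is allowlisted, never taken from the token on trust
	}
	var key *rsa.PublicKey
	for _, k := range jwks {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			key = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != audience:
		return nil, errors.New("audience mismatch")
	case now.After(time.Unix(c.Exp, 0).Add(skew)):
		return nil, errors.New("token expired")
	case now.Before(time.Unix(c.Nbf, 0).Add(-skew)):
		return nil, errors.New("token not yet valid (nbf)")
	}
	return &c, nil
}

// SignRS256 mints a token the way the identity provider would; the gateway only verifies.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

// RunScenarios verifies constructed tokens against a fresh key published as a JWKS; "ok" or the rejection reason per case.
func RunScenarios() map[string]string {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := []JWK{{Kid: "k1", Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	issuer, audience, now := "https://auth.stripe.com", "payments-api", time.Now()
	good := Claims{Iss: issuer, Aud: audience, Exp: now.Add(time.Hour).Unix(), Nbf: now.Unix()}
	expired, wrongAud, future := good, good, good
	expired.Exp = now.Add(-5 * time.Minute).Unix() // well past the 60s tolerance
	wrongAud.Aud = "orders-api"
	future.Nbf = now.Add(10 * time.Minute).Unix()
	out := map[string]string{}
	for name, c := range map[string]Claims{"valid": good, "expired": expired, "wrong-aud": wrongAud, "nbf-future": future} {
		out[name] = "ok"
		if _, err := VerifyRS256(SignRS256(priv, "k1", c), jwks, issuer, audience, 60*time.Second, now); err != nil {
			out[name] = err.Error()
		}
	}
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

Two details matter for a gateway. The verifier fixes the algorithm from its own policy and only reads `kid` from the header, so a token declaring `none` or an HMAC algorithm is refused before any key is touched. Expiry and `nbf` are each widened by the skew tolerance in the safe direction only: a token may be accepted up to 60 seconds past `exp` or before `nbf`, never more.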
Federated Identity
OAuth 2.0 Authorization Flow
Secure third-party integrations and user-facing applications using the OAuth 2.0 authorization code flow. FluxGate acts as a resource server, delegating authentication to your configured authorization server.
Configure the `oauth2` interceptor with your client ID, redirect URI, and token introspection endpoint. Enable PKCE by setting `codeChallengeMethod: S256`. The gateway validates the `access_token` against the token endpoint and maps OAuth scopes to FluxGate route permissions using the `scope:route` mapping table.
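The exchange between FluxGate as resource server and the authorization server is a token introspection call (RFC 7662), with the result then filtered through the `scope:route` table. The Go program below is an added example, not FluxGate's code: a `Gateway` value holds the interceptor settings, `Authorize` posts the bearer token to the introspection endpoint with the gateway's own client credentials, and the response must be active, carry the configured audience, and include the scope the route requires. The stand-in authorization server, its constructed token table (`tok-writer`, `tok-reader`, `tok-other`, `tok-revoked`), the client credentials `fluxgate`/`s3cret`, the endpoint URL `https://auth.example.invalid/introspect` and the `POST /payments` route key are all assumptions. PKCE is not shown because it is enforced between the client and the authorization server, not at the resource server.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"slices"
	"strings"
)

// Introspection is the RFC 7662 response subset the gateway acts on.
type Introspection struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope"`
	Aud    string `json:"aud"`
}

// Gateway holds the oauth2 interceptor settings and the scope:route table (route -> required scope); names assumed.
type Gateway struct {
	IntrospectURL, ClientID, ClientSecret, Audience string
	ScopeRoute                                      map[string]string
	HTTP                                            *http.Client
}

// Authorize introspects the bearer token and requires it to be active, issued for this audience, and scoped for the route.
func (g *Gateway) Authorize(token, route string) (*Introspection, error) {
	need, ok := g.ScopeRoute[route]
	if !ok {
		return nil, errors.New("route not covered by the oauth2 interceptor")
	}
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, _ := http.NewRequest(http.MethodPost, g.IntrospectURL, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(g.ClientID, g.ClientSecret) // the resource server must authenticate itself to introspect
	resp, err := g.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var ir Introspection
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&ir) != nil {
		return nil, errors.New("introspection failed")
	}
	switch {
	case !ir.Active:
		return nil, errors.New("token inactive")
	case ir.Aud != g.Audience:
		return nil, errors.New("audience mismatch")
	case !slices.Contains(strings.Fields(ir.Scope), need): // exact scope match, never a prefix
		return nil, fmt.Errorf("missing scope %s", need)
	}
	return &ir, nil
}

// authServer stands in for the authorization server's introspection endpoint with a constructed token table.
func authServer() http.Handler {
	tokens := map[string]Introspection{
		"tok-writer":  {Active: true, Scope: "payments:read payments:write", Aud: "payments-api"},
		"tok-reader":  {Active: true, Scope: "payments:read", Aud: "payments-api"},
		"tok-other":   {Active: true, Scope: "payments:write", Aud: "orders-api"},
		"tok-revoked": {Active: false},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, secret, ok := r.BasicAuth(); !ok || id != "fluxgate" || secret != "s3cret" || r.ParseForm() != nil {
			w.WriteHeader(http.StatusUnauthorized) // unregistered callers learn nothing about any token
			return
		}
		json.NewEncoder(w).Encode(tokens[r.PostForm.Get("token")]) // unknown tokens report active:false, per RFC 7662
	})
}

// inProcess hands the gateway's HTTP client straight to the handler so the example runs without a socket.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// RunDemo returns the outcome per token for POST /payments, which the scope:route table maps to payments:write.
func RunDemo() map[string]string {
	g := &Gateway{IntrospectURL: "https://auth.example.invalid/introspect", ClientID: "fluxgate", ClientSecret: "s3cret",
		Audience: "payments-api", ScopeRoute: map[string]string{"POST /payments": "payments:write"}, HTTP: &http.Client{Transport: inProcess{authServer()}}}
	out := map[string]string{}
	for _, tok := range []string{"tok-writer", "tok-reader", "tok-other", "tok-revoked", "tok-forged"} {
		out[tok] = "ok"
		if _, err := g.Authorize(tok, "POST /payments"); err != nil {
			out[tok] = err.Error()
		}
	}
	return out
}

func main() { fmt.Println(RunDemo()) }
```

The gateway treats every failure the same way, as a denied request, and a route missing from the `scope:route` table is denied rather than passed through. In production the introspection result is normally cached for a short time to keep one network round trip per token rather than per request; the cache lifetime then bounds how long a revoked token keeps working.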
Service-to-Service Auth
API Key Management
Implement machine-to-machine authentication using cryptographically signed API keys. Ideal for backend microservices, CI/CD pipelines, and legacy system integrations that require deterministic access control.
Generate keys via the FluxGate CLI or console dashboard. Each key is scoped to specific routes and enforces daily request quotas. Keys automatically expire after 90 days unless explicitly renewed. Rotate keys using the `fluxctl keys rotate` command to maintain zero-downtime credential updates.
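The lifecycle described above (signed keys, route scoping, daily quota, 90-day expiry and zero-downtime rotation) can be exercised in one program. The Go code below is an added example and is neither FluxGate's implementation nor what `fluxctl keys rotate` runs: `Sign` is the client side, an HMAC-SHA256 over timestamp, method, route and body; `Verify` is the gateway side, which checks expiry, scope, a timestamp window, the MAC in constant time, and the quota. Rotation keeps the previous secret valid for a grace period, which is this example's mechanism for rolling over without failed requests. The `APIKey` record, the header layout implied by `Sign`, the 5-minute window, the one-hour grace, and the `svc-billing`, `/payments` and request-body values are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// APIKey is the gateway-side record: the secret stays server-side so the MAC can be recomputed; Prev stays valid until PrevUntil. Names assumed.
type APIKey struct {
	ID, Route          string
	Secret, Prev       []byte
	PrevUntil, Expires time.Time
	Quota              int
	used               map[string]int // requests per UTC day, keyed yyyy-mm-dd
}

const keyLifetime, maxDrift = 90 * 24 * time.Hour, 5 * time.Minute

func newSecret() []byte {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand fills the whole slice or fails loudly; it never returns short
	return b
}

// Issue scopes a key to one route with a daily quota and the 90-day expiry.
func Issue(id, route string, quota int, now time.Time) *APIKey {
	return &APIKey{ID: id, Route: route, Secret: newSecret(), Expires: now.Add(keyLifetime), Quota: quota, used: map[string]int{}}
}

// Rotate installs a fresh secret and keeps the old one valid for grace, so callers roll over without a window of failures.
func (k *APIKey) Rotate(now time.Time, grace time.Duration) {
	k.Prev, k.PrevUntil, k.Secret = k.Secret, now.Add(grace), newSecret()
	k.Expires = now.Add(keyLifetime)
}

// Sign is the client side: HMAC-SHA256 over timestamp, method, route and body; sent hex-encoded with key id and timestamp in headers (names assumed).
func Sign(secret []byte, ts int64, method, route string, body []byte) []byte {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%d\n%s\n%s\n%s", ts, method, route, body)
	return m.Sum(nil)
}

// Verify is the gateway side: expiry, scope, timestamp window (anti-replay), constant-time MAC check against current or in-grace previous secret, then quota.
func (k *APIKey) Verify(sig []byte, ts int64, method, route string, body []byte, now time.Time) error {
	switch drift := now.Sub(time.Unix(ts, 0)); {
	case now.After(k.Expires):
		return errors.New("key expired")
	case route != k.Route:
		return errors.New("route not in key scope")
	case drift > maxDrift || drift < -maxDrift:
		return errors.New("timestamp outside window")
	}
	ok := hmac.Equal(sig, Sign(k.Secret, ts, method, route, body))
	if !ok && k.Prev != nil && now.Before(k.PrevUntil) {
		ok = hmac.Equal(sig, Sign(k.Prev, ts, method, route, body))
	}
	if !ok {
		return errors.New("bad signature")
	}
	day := now.UTC().Format("2006-01-02")
	if k.used[day] >= k.Quota {
		return errors.New("daily quota exceeded")
	}
	k.used[day]++
	return nil
}

// RunDemo walks through issuance, signed requests, rotation with a grace window, quota and expiry against a fixed clock and constructed data.
func RunDemo() map[string]string {
	now := time.Date(2025, 1, 1, 10, 0, 0, 0, time.UTC)
	body := []byte(`{"amount":1200,"currency":"usd"}`)
	k := Issue("svc-billing", "/payments", 3, now)
	old := k.Secret
	try := func(secret []byte, ts, at time.Time, route string, signed, sent []byte) string {
		if err := k.Verify(Sign(secret, ts.Unix(), "POST", route, signed), ts.Unix(), "POST", route, sent, at); err != nil {
			return err.Error()
		}
		return "ok"
	}
	later, far := now.Add(2*time.Hour), now.Add(91*24*time.Hour)
	out := map[string]string{}
	out["valid"] = try(k.Secret, now, now, "/payments", body, body)
	out["wrong-route"] = try(k.Secret, now, now, "/orders", body, body)
	out["stale-timestamp"] = try(k.Secret, now.Add(-10*time.Minute), now, "/payments", body, body)
	out["tampered-body"] = try(k.Secret, now, now, "/payments", body, []byte(`{"amount":1}`))
	k.Rotate(now, time.Hour)
	out["old-secret-in-grace"] = try(old, now, now, "/payments", body, body)
	out["old-secret-after-grace"] = try(old, later, later, "/payments", body, body)
	out["new-secret"] = try(k.Secret, later, later, "/payments", body, body)
	out["quota"] = try(k.Secret, later, later, "/payments", body, body)
	out["expired"] = try(k.Secret, far, far, "/payments", body, body)
	return out
}

func main() { fmt.Println(RunDemo()) }
```

Three design points carry over to any gateway: `hmac.Equal` compares MACs in constant time so a rejected signature leaks nothing about how many bytes matched; the timestamp sits inside the signed material, so a captured request cannot be replayed once the window closes; and the checks run cheapest-first, with the quota counted only for requests that authenticated, so an unauthenticated caller cannot exhaust a legitimate client's daily allowance. Secrets would live in a secrets store rather than in process memory, and the grace period should be no longer than the slowest client takes to pick up a rotated key.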