Sail

Authentication

Configure JWT Bearer and OpenID Connect authentication for your API gateway.

Authentication Policies

Sail supports dynamic authentication policies that can be applied to routes without restarting the gateway.

JWT Bearer Authentication

{
  "id": "jwt-policy",
  "scheme": "Bearer",
  "jwtBearerOptions": {
    "authority": "https://auth.example.com",
    "audience": "api://myapi",
    "requireHttpsMetadata": true
  }
}

Apply the policy to a route:

{
  "routeId": "protected-route",
  "clusterId": "backend-api",
  "authenticationPolicyId": "jwt-policy",
  "match": {
    "path": "/api/secure/{**catch-all}"
  }
}

OpenID Connect

{
  "id": "oidc-policy",
  "scheme": "OpenIdConnect",
  "openIdConnectOptions": {
    "authority": "https://login.example.com",
    "clientId": "sail-gateway",
    "clientSecret": "your-secret",
    "responseType": "code",
    "scopes": ["openid", "profile", "email"]
  }
}

Configuration Options

Authority

The URL of the identity provider (the token issuer) that incoming tokens are validated against.

Audience

The expected audience value (the aud claim) in the JWT.

Token Validation

Configure issuer, lifetime, and signature validation parameters.
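
The following pre-deployment check for policy documents is an added example, not part of Sail or its documentation. It uses the key names shown in the policies above. The enclosing "policies" list, the function names, the placeholder-secret list and the rules themselves (HTTPS authority, audience set, code flow, no placeholder secret) are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the page's two policy shapes plus one deliberately weak Bearer policy.
# Wrapping them in a "policies" list is an assumption made for this example.
SAMPLE = json.loads("""{"policies": [
  {"id": "jwt-policy", "scheme": "Bearer", "jwtBearerOptions": {
     "authority": "https://auth.example.com", "audience": "api://myapi",
     "requireHttpsMetadata": true}},
  {"id": "jwt-weak", "scheme": "Bearer", "jwtBearerOptions": {
     "authority": "http://auth.example.com", "requireHttpsMetadata": false}},
  {"id": "oidc-policy", "scheme": "OpenIdConnect", "openIdConnectOptions": {
     "authority": "https://login.example.com", "clientId": "sail-gateway",
     "clientSecret": "your-secret", "responseType": "code",
     "scopes": ["openid", "profile", "email"]}}
]}""")

PLACEHOLDER_SECRETS = {"", "your-secret", "changeme"}  # hypothetical deny-list

def lint_policy(policy):
    """Return findings for one authentication policy object (empty list = clean)."""
    findings = []
    scheme = policy.get("scheme")
    key = {"Bearer": "jwtBearerOptions", "OpenIdConnect": "openIdConnectOptions"}.get(scheme)
    if key is None:
        return [f"scheme {scheme!r} not handled by this check"]
    opts = policy.get(key) or {}
    if urlparse(opts.get("authority", "")).scheme != "https":
        findings.append("authority is not an https URL")
    if scheme == "Bearer":
        if opts.get("requireHttpsMetadata") is False:
            findings.append("requireHttpsMetadata is disabled")
        if not opts.get("audience"):
            findings.append("audience is not set")
    else:
        if opts.get("responseType") != "code":
            findings.append("responseType is not 'code'")
        if "openid" not in opts.get("scopes", []):
            findings.append("scopes lacks 'openid'")
        if opts.get("clientSecret", "") in PLACEHOLDER_SECRETS:
            findings.append("clientSecret is empty or a placeholder")
    return findings

def lint_config(config):
    """Map policy id -> findings, omitting policies with none."""
    results = {p.get("id"): lint_policy(p) for p in config.get("policies", [])}
    return {pid: f for pid, f in results.items() if f}

if __name__ == "__main__":
    print(json.dumps(lint_config(SAMPLE), indent=2))
```

Run against the sample, the check passes jwt-policy, reports three findings for jwt-weak, and flags the literal "your-secret" value in oidc-policy.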
