
APIM Gateways

An API Management (APIM) Gateway is a server that acts as a single entry point for all incoming API requests from clients (like mobile apps or websites) to your backend services.

By integrating ThunderID with your gateway, you can enforce authentication and authorization at the network boundary before requests ever reach your backend services.

ThunderID acts as the token authority: it issues signed JWT access tokens to authenticated clients, exposes a JWKS endpoint for public key distribution, and publishes an OpenID Connect discovery document. Your API gateway uses these to cryptographically verify every incoming token at the edge.

Select your API gateway to get a step-by-step integration guide with ThunderID.

How It Works

The integration follows the same pattern across all supported gateways:

Sequence diagram (participants: Application, ThunderID, API Gateway, Backend API): Application -> ThunderID: request access token; ThunderID -> Application: issue access token; Application -> API Gateway: API request + Bearer token; API Gateway -> ThunderID: call JWKS endpoint to validate token signature; API Gateway -> Backend API: forward request.
  • Application obtains a token — A client application authenticates with ThunderID using the client credentials grant and receives a signed JWT.
  • Application calls the gateway — The client sends the JWT as a Bearer token in the Authorization header.
  • Gateway validates the token and enforces authorization — The gateway fetches ThunderID's JWKS (cached after the first request and refreshed when a token references an unknown key ID, so key rotation does not cause outages) and cryptographically verifies the token's signature, issuer, and expiry. Tokens that fail any of these checks are rejected with 401 Unauthorized. Optionally, the gateway also checks that the token carries the permission scopes the route requires; tokens that are valid but missing a required scope are rejected with 403 Forbidden.
  • Gateway forwards the request — Valid, authorized requests are forwarded to the upstream service.
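The four steps above, carried through end to end as an added example that is not code from ThunderID or any gateway product. It stands in for both sides: a token authority that mints RS256 JWTs and publishes the matching JWKS, and a gateway policy that verifies signature, issuer and expiry before checking scopes. The issuer URL, key ID and scope names are assumptions for illustration; the JWKS is built inline rather than fetched over HTTP so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT and JWK fields use unpadded base64url (RFC 7515/7517)

// Minimal JWKS document: only the RSA members the gateway needs.
type jwk struct {
	Kty, Kid, N, E string // tags below keep the wire names
}
type jwks struct {
	Keys []struct {
		Kty string `json:"kty"`
		Kid string `json:"kid"`
		N   string `json:"n"`
		E   string `json:"e"`
	} `json:"keys"`
}
type claims struct {
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"` // space-separated scopes, OAuth 2.0 style
}

// IssueToken stands in for the token authority's client-credentials response (assumed shape):
// an RS256 JWT whose header names the signing key by kid.
func IssueToken(priv *rsa.PrivateKey, kid, iss, scope string, exp time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims{Iss: iss, Exp: exp.Unix(), Scope: scope})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig)
}

// PublishJWKS serialises the document the authority would serve at its JWKS endpoint.
func PublishJWKS(pub *rsa.PublicKey, kid string) []byte {
	k := jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kty": k.Kty, "kid": k.Kid, "n": k.N, "e": k.E}}})
	return doc
}

// Gateway is the edge policy: trusted issuer, cached JWKS, scopes the protected route requires.
type Gateway struct {
	Issuer         string
	Keys           jwks // parsed once from the JWKS endpoint and cached
	RequiredScopes []string
	Now            func() time.Time
}

func (g Gateway) publicKey(kid string) *rsa.PublicKey {
	for _, k := range g.Keys.Keys {
		if k.Kty != "RSA" || k.Kid != kid {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return nil
}

// Authorize returns the status the gateway answers with: 200 = forward upstream,
// 401 = missing/invalid token, 403 = valid token lacking a required scope.
func (g Gateway) Authorize(authorization string) (int, error) {
	if !strings.HasPrefix(authorization, "Bearer ") {
		return 401, errors.New("no bearer token")
	}
	parts := strings.Split(strings.TrimPrefix(authorization, "Bearer "), ".")
	if len(parts) != 3 {
		return 401, errors.New("malformed JWT")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return 401, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	// Pin the algorithm; the token must not choose it (rejects alg=none and HS256 key confusion).
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return 401, errors.New("unsupported alg")
	}
	pub := g.publicKey(hdr.Kid)
	if pub == nil {
		return 401, errors.New("unknown kid") // a real gateway would refresh its JWKS cache here once
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return 401, err
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return 401, errors.New("bad signature")
	}
	// Claims are only meaningful after the signature has been verified.
	payload, err := b64.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Iss != g.Issuer {
		return 401, errors.New("bad payload or wrong issuer")
	}
	if !g.Now().Before(time.Unix(c.Exp, 0)) {
		return 401, errors.New("token expired")
	}
	granted := " " + c.Scope + " "
	for _, need := range g.RequiredScopes {
		if !strings.Contains(granted, " "+need+" ") {
			return 403, fmt.Errorf("missing scope %q", need)
		}
	}
	return 200, nil
}

// Scenario runs the flow and returns the verdicts for a good token, one lacking a
// scope, an expired one, and one signed by a key the authority never published.
func Scenario() (good, missingScope, expired, wrongKey int) {
	const iss = "https://thunderid.example.com" // assumed issuer, not a real deployment
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048)
	var cached jwks
	_ = json.Unmarshal(PublishJWKS(&priv.PublicKey, "k1"), &cached) // first-request fetch, then cached
	gw := Gateway{Issuer: iss, Keys: cached, RequiredScopes: []string{"orders:read"}, Now: time.Now}
	in1h, past := time.Now().Add(time.Hour), time.Now().Add(-time.Minute)
	good, _ = gw.Authorize("Bearer " + IssueToken(priv, "k1", iss, "orders:read orders:write", in1h))
	missingScope, _ = gw.Authorize("Bearer " + IssueToken(priv, "k1", iss, "orders:write", in1h))
	expired, _ = gw.Authorize("Bearer " + IssueToken(priv, "k1", iss, "orders:read", past))
	wrongKey, _ = gw.Authorize("Bearer " + IssueToken(rogue, "k1", iss, "orders:read", in1h))
	return
}

func main() {
	g, m, e, w := Scenario()
	fmt.Println("good:", g, "missing scope:", m, "expired:", e, "unpublished key:", w)
}
```

Two design points worth noting: the signature is checked before any claim is read, so a forged payload never influences the issuer or expiry decision, and the algorithm is pinned to RS256 by the gateway rather than trusted from the token header. A production gateway should also verify the `aud` claim against its own identifier and refresh the cached JWKS once when it sees an unknown `kid`.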
© WSO2 LLC. All rights reserved.