Modern organizations increasingly adopt microservices architectures to improve scalability, agility, and maintainability. While microservices offer significant benefits, they also introduce new challenges related to security, authentication, authorization, traffic management, and access control. As the number of services grows, implementing these concerns individually within each microservice becomes difficult to maintain and prone to inconsistencies.
An API gateway addresses these challenges by acting as a centralized entry point for client requests. Among the many API gateway solutions available today, Kong has emerged as one of the most popular choices due to its high performance, plugin ecosystem, and cloud-native design.
This article explores how to use Kong as an API gateway to centralize JWT authorization, rate limiting, and access control across a microservices architecture. We will examine the architecture, configuration steps, and practical coding examples to help you build a secure and scalable platform.
Understanding Kong API Gateway
Kong is an open-source API gateway built on top of Nginx. It sits between clients and backend services, handling cross-cutting concerns such as:
- Authentication
- Authorization
- Traffic control
- Request routing
- Logging
- Monitoring
- Rate limiting
- Security policies
Instead of implementing these capabilities inside every microservice, Kong centralizes them at the gateway layer.
A typical architecture looks like this:
      Client Applications
               |
               v
      +------------------+
      |   Kong Gateway   |
      +------------------+
         |      |      |
         v      v      v
       User   Order  Payment
       Svc    Svc    Svc
All incoming requests pass through Kong before reaching backend services.
Why Centralize Security and Access Management?
Without an API gateway, every microservice must:
- Validate JWT tokens
- Enforce rate limits
- Manage permissions
- Handle access policies
- Log security events
This leads to several issues:
- Duplicate code
- Inconsistent security policies
- Increased maintenance costs
- Difficult auditing
- Greater attack surface
Using Kong centralizes these concerns, allowing developers to focus on business logic.
Sample Microservices Environment
Assume we have three services:
user-service
order-service
payment-service
Each service runs independently.
Example Docker Compose snippet. The services are deliberately not published on the host with ports:; expose: only makes them reachable from other containers on the same Compose network, which is where Kong will run:
version: '3'
services:
  user-service:
    image: user-service:latest
    expose:
      - "3001"
  order-service:
    image: order-service:latest
    expose:
      - "3002"
  payment-service:
    image: payment-service:latest
    expose:
      - "3003"
Kong will expose these services through a unified API endpoint. Publishing the service ports on the host would let clients talk to a service directly and bypass every control described below, so keep the backends reachable only from the gateway's network.
Installing Kong
A simple Kong deployment can be started using Docker. Put it in the same Compose file as the three services so that Kong can resolve them by container name.
version: '3'
services:
  kong:
    image: kong:latest
    environment:
      KONG_DATABASE: "off"
      KONG_DECLARATIVE_CONFIG: /kong.yml
      KONG_ADMIN_LISTEN: "0.0.0.0:8001"
    volumes:
      - ./kong.yml:/kong.yml
    ports:
      - "8000:8000"
      - "127.0.0.1:8001:8001"
In this setup:
- Port 8000 handles API traffic.
- Port 8001 provides the Admin API. Kong's default admin_listen is 127.0.0.1:8001 inside the container, so the published port only works once KONG_ADMIN_LISTEN is set; binding the host side to 127.0.0.1 keeps the Admin API off the network.
- KONG_DATABASE: "off" runs Kong in DB-less mode: the whole configuration is loaded from kong.yml and the Admin API becomes read-only. The curl commands in the following sections that create consumers, credentials and plugins need a database-backed Kong (KONG_DATABASE: postgres plus a Postgres container); in DB-less mode the same entities are written into kong.yml, as the complete declarative example later in the article shows.
Registering Services in Kong
Create a declarative configuration file.
_format_version: "3.0"
services:
  - name: user-service
    url: http://user-service:3001
  - name: order-service
    url: http://order-service:3002
  - name: payment-service
    url: http://payment-service:3003
Next, define routes. Note strip_path: a route strips the matched prefix by default, which would turn GET /users into GET / at the backend. The sample services in this article serve /users, /orders and /payments themselves, so stripping is disabled.
routes:
  - name: user-route
    service: user-service
    paths:
      - /users
    strip_path: false
  - name: order-route
    service: order-service
    paths:
      - /orders
    strip_path: false
  - name: payment-route
    service: payment-service
    paths:
      - /payments
    strip_path: false
Now requests can be routed through Kong:
GET /users
GET /orders
GET /payments
Implementing JWT Authorization
JWT (JSON Web Token) authentication is one of the most common mechanisms used in microservices.
Instead of validating JWTs in every service, Kong can validate them once at the gateway.
Create a Consumer
A consumer represents a client application or user. (These and the following write calls to the Admin API require a database-backed Kong; with KONG_DATABASE: "off" the Admin API is read-only and the equivalent entities belong in kong.yml.)
curl -i -X POST http://localhost:8001/consumers \
  --data username=mobile-app
Response (abridged; Kong also returns id and created_at):
{
  "username": "mobile-app"
}
Configure JWT Credentials
Generate JWT credentials for the consumer. Posting without key or secret makes Kong generate random values for both; the values shown here are illustrative stand-ins.
curl -i -X POST http://localhost:8001/consumers/mobile-app/jwt
Example response:
{
  "key": "client-key",
  "secret": "super-secret-key"
}
Store these values securely. The default algorithm is HS256, so this secret is shared between whoever issues tokens and the gateway, and anyone who can read it from Kong can mint valid tokens. If the token issuer is a separate service, prefer RS256 (create the credential with algorithm=RS256 and rsa_public_key) so that Kong holds only a public key and the signing key never leaves the issuer.
Enable JWT Plugin
Apply JWT authentication globally. The plugin does not check the exp claim unless told to, so always set claims_to_verify:
curl -X POST http://localhost:8001/plugins \
  --data name=jwt \
  --data config.claims_to_verify=exp
Or enable it for a specific route:
curl -X POST http://localhost:8001/routes/user-route/plugins \
  --data name=jwt \
  --data config.claims_to_verify=exp
By default the plugin also accepts the token from a jwt query parameter (config.uri_param_names), which puts bearer tokens into access logs, proxies and browser history. Set that list to empty in production so that only the Authorization header is accepted.
Generate a JWT
Node.js example using the jsonwebtoken package. The iss claim must equal the credential key, because the plugin uses it (config.key_claim_name, default iss) to find the consumer's secret:
const jwt = require("jsonwebtoken");
const token = jwt.sign(
  {
    iss: "client-key",   // must match the credential key registered in Kong
    role: "user"
  },
  "super-secret-key",    // the credential secret (HS256 shared secret)
  {
    algorithm: "HS256",
    expiresIn: "1h"      // sets exp; Kong only enforces it with claims_to_verify=exp
  }
);
console.log(token);
Generated token:
eyJhbGciOiJIUzI1Ni...
Access Protected APIs
GET /users
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Kong looks up the consumer whose credential key equals the token's iss claim, verifies the signature with that credential's secret, checks the configured claims, and only then forwards the request.
Missing, malformed, expired or badly signed tokens are rejected with HTTP 401:
{
  "message": "Unauthorized"
}
Passing User Identity to Microservices
After validation, Kong identifies the consumer to the upstream through request headers: X-Consumer-Username, X-Consumer-Id and X-Credential-Identifier (the credential key). The token's own claims are not copied into headers, but the Authorization header is forwarded unchanged, so a service that needs sub or role can decode the payload without verifying it again.
Node.js service example:
app.get("/users", (req, res) => {
  // Populated by Kong's JWT plugin; absent if the request bypassed the gateway.
  const user = req.headers["x-consumer-username"];
  res.json({
    authenticatedUser: user
  });
});
Microservices no longer need to perform JWT validation themselves.
They simply trust the gateway. That trust is only justified if the gateway is the sole path to the service: a client that can reach user-service directly can set X-Consumer-Username to any value it likes. Keep the backends on a private network that only Kong can reach, or authenticate the hop from Kong to the service (mutual TLS, or a header value that the gateway injects and the service checks).
Centralizing Rate Limiting
Rate limiting protects APIs against:
- Abuse
- DDoS attacks
- Excessive consumption
- Resource exhaustion
Kong provides a built-in Rate Limiting plugin.
Applying a Global Rate Limit
Example:
curl -X POST http://localhost:8001/plugins \
  --data name=rate-limiting \
  --data config.minute=100
This allows 100 requests per minute per consumer: config.limit_by defaults to consumer, and when no consumer has been authenticated the plugin falls back to counting per client IP. The window is fixed and aligned to the clock rather than sliding, and with the default config.policy=local each Kong node keeps its own counters; with several nodes, choose the cluster or redis policy so that they share one count.
Applying Route-Specific Limits
For sensitive payment endpoints:
curl -X POST \
http://localhost:8001/routes/payment-route/plugins \
--data name=rate-limiting \
--data config.minute=20
Now payment APIs are restricted to:
20 requests per minute
Rate Limit Response
When the limit is exceeded Kong answers with HTTP 429 Too Many Requests:
{
  "message": "API rate limit exceeded"
}
Every response carries the plugin's counters (for example X-RateLimit-Limit-Minute and X-RateLimit-Remaining-Minute) and a 429 includes Retry-After, so well-behaved clients can back off instead of retrying immediately.
Advanced Rate Limiting
Several periods can be combined on one plugin instance:
curl -X POST http://localhost:8001/plugins \
  --data name=rate-limiting \
  --data config.second=5 \
  --data config.minute=100 \
  --data config.hour=1000
Each period is enforced independently and a request is rejected as soon as any one of them is exhausted, so the per-second cap absorbs bursts while the hourly cap bounds sustained use. Because the windows are fixed rather than sliding, a client can legitimately send up to twice config.second within a few milliseconds across a second boundary; size the per-second value with that in mind.
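The following model is an added example for this article, not Kong's source code. It reproduces the fixed, clock-aligned windows of the rate-limiting plugin's local policy for the second/minute/hour limits configured above, so the interaction of several periods and the boundary burst can be observed on a laptop. The names FixedWindowLimiter, burst and boundaryDemo are this example's own.

```javascript
// Added example: a model of Kong's fixed-window rate limiting with several
// periods. Not Kong's code; it mirrors the documented behaviour (clock-aligned
// windows, every period checked, rejected requests not counted).

const PERIOD_MS = { second: 1_000, minute: 60_000, hour: 3_600_000 };

class FixedWindowLimiter {
  // limits: e.g. { second: 5, minute: 100, hour: 1000 } (any subset)
  constructor(limits) {
    this.limits = limits;
    this.counters = new Map(); // "id:period:windowStart" -> count
  }

  // Windows start on clock boundaries, like Kong truncating the request
  // timestamp to the period, so the counter key is identifier + period +
  // the start of the window the request falls in.
  key(id, period, nowMs) {
    const size = PERIOD_MS[period];
    return `${id}:${period}:${Math.floor(nowMs / size) * size}`;
  }

  // id: consumer username, or client IP when no consumer is authenticated
  // (the plugin's default limit_by=consumer with IP fallback).
  // Returns { allowed, remaining: { period: n }, retryAfterSec? }.
  check(id, nowMs) {
    const remaining = {};
    let blockedBy = null;
    for (const [period, limit] of Object.entries(this.limits)) {
      const used = this.counters.get(this.key(id, period, nowMs)) ?? 0;
      remaining[period] = Math.max(limit - used, 0);
      if (used >= limit && blockedBy === null) blockedBy = period;
    }
    if (blockedBy !== null) {
      // Seconds until the exhausted window rolls over, i.e. Retry-After.
      const size = PERIOD_MS[blockedBy];
      const retryAfterSec = Math.ceil((size - (nowMs % size)) / 1000);
      return { allowed: false, remaining, retryAfterSec };
    }
    // Only allowed requests consume quota; a 429 does not count against the caller.
    for (const period of Object.keys(this.limits)) {
      const k = this.key(id, period, nowMs);
      this.counters.set(k, (this.counters.get(k) ?? 0) + 1);
      remaining[period] -= 1;
    }
    return { allowed: true, remaining };
  }
}

// Send n requests carrying the same timestamp; returns how many got through.
function burst(limiter, id, nowMs, n) {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.check(id, nowMs).allowed) allowed += 1;
  }
  return allowed;
}

// A burst just before and just after a second boundary lets 10 requests
// through in about 100 ms even though config.second is 5.
function boundaryDemo() {
  const limiter = new FixedWindowLimiter({ second: 5, minute: 100, hour: 1000 });
  const t0 = 1_700_000_000_000; // ms, on a whole-second boundary
  const before = burst(limiter, "mobile-app", t0 + 950, 10);
  const after = burst(limiter, "mobile-app", t0 + 1050, 10);
  return { before, after, total: before + after };
}

console.log(boundaryDemo()); // { before: 5, after: 5, total: 10 }
```

Run it with node; the same limiter instance can be driven with other timestamps to see the minute and hour counters drain while the per-second window resets.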
Implementing Role-Based Access Control (RBAC)
Authentication identifies who a user is.
Authorization determines what they can access.
JWT claims can carry roles, for example:
{
  "sub": "123",
  "role": "admin"
}
or
{
  "sub": "456",
  "role": "customer"
}
Be precise about what Kong does with such claims: nothing. The JWT plugin verifies the token and resolves it to a consumer; the ACL plugin then authorizes by the groups attached to that consumer, not by claims inside the token. At the gateway a role is therefore expressed by group membership, while the role claim remains useful for the decisions the services make themselves.
Access Control Requirements
Suppose:
Admin:
- View users
- View orders
- View payments
Customer:
- View own orders
Kong can enforce access rules before traffic reaches services.
Using ACL Plugin
The Access Control List plugin enables group-based authorization. It relies on an authentication plugin having already identified the consumer on the same route, so it is combined with the JWT plugin rather than used on its own.
Create Groups
Assign a consumer to a group. Groups have no separate definition; the first assignment creates them.
curl -X POST \
  http://localhost:8001/consumers/mobile-app/acls \
  --data group=admins
Another consumer (web-app, created the same way as mobile-app):
curl -X POST \
  http://localhost:8001/consumers/web-app/acls \
  --data group=customers
Enable ACL Plugin
Protect payment APIs.
curl -X POST \
  http://localhost:8001/routes/payment-route/plugins \
  --data name=acl \
  --data config.allow=admins
Only consumers in the admins group can access payment endpoints.
Customers receive HTTP 403 with:
{
  "message": "You cannot consume this service"
}
Combining JWT and ACL
The strongest approach combines:
- JWT Authentication
- ACL Authorization
- Rate Limiting
Flow:
Client
|
JWT Validation
|
ACL Verification
|
Rate Limiting
|
Microservice
Requests must satisfy all security checks before reaching backend services. This order is not arbitrary: it follows the plugins' fixed priorities (jwt runs before acl, which runs before rate-limiting), so a request rejected by authentication never reaches the rate limiter and is not counted by it.
Declarative Configuration Example
A complete Kong configuration for DB-less mode. It also declares the consumer, its credential and its group, which is how the curl-based steps above translate to kong.yml:
_format_version: "3.0"
services:
  - name: user-service
    url: http://user-service:3001
    routes:
      - name: user-route
        paths:
          - /users
        strip_path: false
consumers:
  - username: mobile-app
    jwt_secrets:
      - key: client-key
        secret: super-secret-key
    acls:
      - group: admins
plugins:
  - name: jwt
    config:
      claims_to_verify:
        - exp
  - name: rate-limiting
    config:
      minute: 100
  - name: acl
    config:
      allow:
        - admins
This creates a centralized security layer with minimal configuration. Plugins listed at the top level without a route or service reference are global. The JWT secret is a credential, not configuration: keep this file out of version control or inject the value at deploy time from a secret store; Kong 3.x vault references ({vault://env/...}) exist for exactly this purpose.
Example Backend Service
Notice how the service contains no authentication logic. It serves /users directly because the route was defined with strip_path: false.
const express = require("express");
const app = express();
app.get("/users", (req, res) => {
  // Set by Kong once the JWT plugin has authenticated the consumer.
  const username = req.headers["x-consumer-username"];
  res.json({
    message: "Authorized access",
    user: username
  });
});
app.listen(3001);
Kong handles:
- Authentication
- Authorization
- Rate limiting
The service focuses only on business functionality.
Monitoring and Auditing
Centralized gateways improve observability, because every request, including those a plugin rejected, passes through one place.
Kong can log:
- Authentication failures
- Rate-limit violations
- Access denials
- Request metrics
- Latency statistics
Example logging plugin:
curl -X POST \
  http://localhost:8001/plugins \
  --data name=file-log \
  --data config.path=/tmp/kong.log
file-log appends one JSON object per request containing, among other fields, client_ip, the authenticated consumer (when there is one), request.method and request.uri, response.status, the matched route and service, latencies, and started_at. The 401s, 403s and 429s produced by the plugins above therefore land in the same stream as successful traffic, which is what makes them usable for detection.
Logged events help security teams:
- Detect attacks
- Investigate incidents
- Perform compliance audits
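As an added example (not part of the original article and not a Kong component), here is a small detector over file-log output that surfaces the three events a security team would alert on: bursts of 401s from one address, ACL denials per consumer and route, and rate-limit hits. The field names follow file-log's JSON; the log lines and the thresholds are constructed for this example.

```javascript
// Added example: analyse Kong file-log JSON lines for authentication
// brute force, ACL denials and rate-limit hits. Sample lines are constructed.

// Constructed sample of file-log output (one JSON object per line, fields
// trimmed to the ones used here).
const SAMPLE_LOG = [
  '{"client_ip":"203.0.113.5","request":{"method":"GET","uri":"/users"},"response":{"status":401},"route":{"name":"user-route"},"started_at":1700000000000}',
  '{"client_ip":"203.0.113.5","request":{"method":"GET","uri":"/users"},"response":{"status":401},"route":{"name":"user-route"},"started_at":1700000005000}',
  '{"client_ip":"203.0.113.5","request":{"method":"GET","uri":"/users"},"response":{"status":401},"route":{"name":"user-route"},"started_at":1700000009000}',
  '{"client_ip":"203.0.113.5","request":{"method":"GET","uri":"/users"},"response":{"status":401},"route":{"name":"user-route"},"started_at":1700000012000}',
  '{"client_ip":"198.51.100.7","request":{"method":"GET","uri":"/users"},"response":{"status":401},"route":{"name":"user-route"},"started_at":1700000020000}',
  '{"client_ip":"198.51.100.7","consumer":{"username":"web-app"},"request":{"method":"GET","uri":"/payments"},"response":{"status":403},"route":{"name":"payment-route"},"started_at":1700000030000}',
  '{"client_ip":"198.51.100.7","consumer":{"username":"web-app"},"request":{"method":"GET","uri":"/payments"},"response":{"status":403},"route":{"name":"payment-route"},"started_at":1700000031000}',
  '{"client_ip":"192.0.2.10","consumer":{"username":"mobile-app"},"request":{"method":"GET","uri":"/payments"},"response":{"status":200},"route":{"name":"payment-route"},"started_at":1700000040000}',
  '{"client_ip":"192.0.2.10","consumer":{"username":"mobile-app"},"request":{"method":"GET","uri":"/payments"},"response":{"status":429},"route":{"name":"payment-route"},"started_at":1700000041000}',
  '{"client_ip":"192.0.2.10","consumer":{"username":"mobile-app"},"request":{"method":"GET","uri":"/payments"},"response":{"status":429},"route":{"name":"payment-route"},"started_at":1700000042000}',
].join("\n");

function parseKongLog(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

// True if any window of windowMs contains at least `threshold` timestamps.
function burstsWithin(timestamps, threshold, windowMs) {
  const ts = [...timestamps].sort((a, b) => a - b);
  let start = 0;
  for (let end = 0; end < ts.length; end++) {
    while (ts[end] - ts[start] > windowMs) start++;
    if (end - start + 1 >= threshold) return true;
  }
  return false;
}

// Thresholds are assumptions for the example; tune them to real traffic.
function analyzeKongLog(entries, { authFailThreshold = 3, windowMs = 60_000 } = {}) {
  const authFailures = new Map(); // client_ip -> [started_at, ...]
  const aclDenials = new Map();   // "consumer@route" -> count
  const rateLimited = new Map();  // consumer (or ip:<addr>) -> count
  for (const e of entries) {
    const status = e.response?.status;
    const who = e.consumer?.username ?? `ip:${e.client_ip}`;
    const route = e.route?.name ?? "unknown-route";
    if (status === 401) {
      // JWT plugin rejections carry no consumer, so key on the source address.
      if (!authFailures.has(e.client_ip)) authFailures.set(e.client_ip, []);
      authFailures.get(e.client_ip).push(e.started_at);
    } else if (status === 403) {
      const k = `${who}@${route}`;
      aclDenials.set(k, (aclDenials.get(k) ?? 0) + 1);
    } else if (status === 429) {
      rateLimited.set(who, (rateLimited.get(who) ?? 0) + 1);
    }
  }
  const bruteForceIps = [...authFailures]
    .filter(([, stamps]) => burstsWithin(stamps, authFailThreshold, windowMs))
    .map(([ip]) => ip);
  return {
    bruteForceIps,
    aclDenials: Object.fromEntries(aclDenials),
    rateLimited: Object.fromEntries(rateLimited),
  };
}

console.log(JSON.stringify(analyzeKongLog(parseKongLog(SAMPLE_LOG)), null, 2));
```

Feed it the real file with node and a readFileSync in place of SAMPLE_LOG; the same three buckets map directly onto alert rules in a SIEM.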
Best Practices
Use Short-Lived JWT Tokens
Recommended: 15 minutes to 1 hour.
This reduces risk if tokens are compromised, but only if Kong actually checks expiry: configure the JWT plugin with claims_to_verify=exp (and nbf if you issue not-before claims), because the plugin verifies neither claim by default.
Protect the Admin API
Never expose:
8001
to the public internet.
Restrict it using:
- VPNs
- Firewalls
- Internal networks
Apply Different Limits Per Service
Example:
User API: 1000/min
Order API: 500/min
Payment API: 20/min
Sensitive services should have stricter controls.
Use HTTPS Everywhere
Encrypt both hops, client to Kong and Kong to the services, to protect tokens and user data: terminate TLS on Kong's HTTPS listener (port 8443 by default) and register the services with https:// URLs so that the gateway also encrypts the upstream leg.
Keep Business Authorization in Services
Kong should enforce coarse-grained access control: is this caller authenticated, and may it reach this route at all.
Microservices should still verify object-level rules such as: can user 123 view order 456?
Domain-specific rules belong inside the service, which has the data needed to evaluate them.
Scaling Kong
Kong is designed for large-scale deployments.
Common production architecture:
Load Balancer
|
+-------------+
| Kong Node 1 |
+-------------+
| Kong Node 2 |
+-------------+
| Kong Node 3 |
+-------------+
|
Microservices
Benefits include:
- High availability
- Fault tolerance
- Horizontal scalability
- Consistent security enforcement
Organizations can scale gateway nodes independently from backend services.
Common Challenges
JWT Revocation
JWTs are stateless.
If a single token must be revoked immediately, additional mechanisms such as a token denylist are required. Kong does offer a coarser lever: deleting or rotating a consumer's JWT credential makes every token signed with that key fail validation at once, because the plugin looks the key up on each request.
Plugin Configuration Management
Large environments may contain hundreds of routes.
Use Infrastructure as Code practices to manage Kong configurations consistently.
Balancing Security and Performance
Excessive plugin usage can introduce latency.
Enable only the plugins necessary for each route.
Conclusion
Kong provides a powerful and efficient way to centralize security and traffic management within a microservices architecture. Rather than embedding authentication, authorization, and rate-limiting logic into every individual service, Kong allows these cross-cutting concerns to be handled consistently at the gateway layer. This approach dramatically reduces duplicated code, simplifies maintenance, and improves the overall security posture of an organization.
By implementing JWT authentication through Kong, organizations can establish a single source of trust for identity verification. Requests are validated once at the gateway, eliminating the need for every microservice to independently process and verify tokens. This not only improves consistency but also reduces computational overhead across backend services.
Rate limiting further strengthens the platform by protecting services from abuse, denial-of-service attacks, and excessive consumption. Because rate limits are enforced centrally, administrators can easily adjust policies without redeploying microservices. Different limits can be applied to different APIs based on business requirements and risk profiles.
The ACL plugin extends security even further by enabling centralized access control policies. Combined with JWT authentication, organizations can implement role-based access restrictions that ensure only authorized users and applications can reach sensitive endpoints. This creates a layered defense model where identity verification, authorization checks, and traffic controls work together before requests ever reach backend systems.
Perhaps the greatest advantage of Kong is its ability to separate infrastructure concerns from business logic. Backend developers can focus entirely on implementing application functionality while the gateway handles authentication, authorization, throttling, logging, monitoring, and routing. This separation improves developer productivity, simplifies service implementation, and leads to cleaner, more maintainable codebases.
As microservices ecosystems continue to grow in size and complexity, centralized API gateway patterns become increasingly important. Kong offers a mature, scalable, and production-ready solution that enables organizations to enforce security policies consistently across all services while maintaining high performance and operational flexibility. When properly configured with JWT authorization, rate limiting, and access control, Kong becomes a critical foundation for building secure, scalable, and manageable microservices platforms.