Authentication | FluxGate Docs

Secure Every Request

High-Performance API Gateway for Microservices

API Key Header Validation

Enforce strict header-based authentication for internal services and partner integrations.

FluxGate intercepts inbound traffic and validates the X-FluxGate-API-Key header against your encrypted vault. Requests whose key is missing, unknown, or expired receive a 401 Unauthorized response with a standardized JSON error payload. The payload carries a trace ID so the rejection can be correlated with gateway logs, while the body itself stays the same for every failure and does not tell the caller why the key was refused.

  • Key Rotation: Automatically invalidate keys after 90 days (the max_age below) or 10,000 requests to limit the exposure window of a leaked key.
  • Rate Limiting Tiers: Bind key scopes to specific throughput limits (e.g., 500 req/min for staging, 5,000 req/min for production).
  • IP Allowlisting: Restrict key usage to known CIDR blocks such as 10.0.4.0/24 or partner VPC endpoints.

fluxgate:
  auth:
    api_key:
      enabled: true
      header_name: "X-FluxGate-API-Key"
      vault_path: "secret/data/api-keys"
      validation:
        algorithm: "HMAC-SHA256"
        max_age: 7776000s
        fallback_action: "reject"
        error_response:
          status: 401
          body: '{"error": "invalid_api_key", "trace_id": "{{.TraceID}}"}'
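The check described above, written out as an added example in Go (not FluxGate's own code): the vault holds only an HMAC-SHA256 of each key, key age is capped at the configured max_age, presentation is restricted to the allowlisted CIDR, and every rejection produces the same 401 JSON body with a trace ID while the specific reason goes to the log. The key format `<id>.<secret>`, the KeyRecord shape, the vault secret and the demo key are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

const (
	headerName = "X-FluxGate-API-Key"
	maxAge     = 7776000 * time.Second // 90 days, the max_age value in the config above
)

// KeyRecord is the assumed shape of one vault entry: HMAC-SHA256 of the key under the
// gateway's vault secret (never the raw key), the issue time, and the networks allowed to use it.
type KeyRecord struct {
	Mac       []byte
	IssuedAt  time.Time
	AllowCIDR []*net.IPNet
}

// Validator is an in-memory stand-in for the vault lookup. Keys take the assumed form
// "<id>.<secret>": the id selects the record, the whole string is what gets HMACed.
type Validator struct {
	Secret []byte
	Keys   map[string]KeyRecord
	Now    func() time.Time
}

func keyMAC(secret, apiKey []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(apiKey)
	return m.Sum(nil)
}

// Validate returns "" when the key is acceptable, otherwise a short reason meant for the log.
func (v *Validator) Validate(apiKey string, remote net.IP) string {
	id, _, ok := strings.Cut(apiKey, ".")
	if !ok || id == "" {
		return "missing_or_malformed_key"
	}
	rec, found := v.Keys[id]
	if !found {
		return "unknown_key_id"
	}
	// hmac.Equal compares in constant time, so a wrong secret cannot be narrowed down byte by byte.
	if !hmac.Equal(keyMAC(v.Secret, []byte(apiKey)), rec.Mac) {
		return "bad_key_secret"
	}
	if v.Now().Sub(rec.IssuedAt) > maxAge {
		return "key_expired"
	}
	if len(rec.AllowCIDR) > 0 {
		allowed := false
		for _, n := range rec.AllowCIDR {
			allowed = allowed || n.Contains(remote)
		}
		if !allowed {
			return "ip_not_allowed"
		}
	}
	return ""
}

// Middleware answers every rejection with the same 401 body; the specific reason is only
// logged next to the trace ID, so a caller cannot tell an expired key from an unknown one.
func (v *Validator) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		if reason := v.Validate(r.Header.Get(headerName), net.ParseIP(host)); reason != "" {
			b := make([]byte, 8)
			rand.Read(b)
			tid := fmt.Sprintf("%x", b)
			log.Printf("api_key reject trace_id=%s reason=%s remote=%s", tid, reason, host)
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_api_key", "trace_id": tid})
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewDemoValidator registers one constructed key restricted to 10.0.4.0/24, the CIDR from the text.
func NewDemoValidator(apiKey string, issuedAt time.Time, now func() time.Time) *Validator {
	_, cidr, _ := net.ParseCIDR("10.0.4.0/24")
	secret := []byte("constructed-vault-secret-not-for-production")
	id, _, _ := strings.Cut(apiKey, ".")
	rec := KeyRecord{Mac: keyMAC(secret, []byte(apiKey)), IssuedAt: issuedAt, AllowCIDR: []*net.IPNet{cidr}}
	return &Validator{Secret: secret, Keys: map[string]KeyRecord{id: rec}, Now: now}
}

func main() {
	v := NewDemoValidator("svc01.s3cr3t", time.Now(), time.Now)
	fmt.Println(v.Validate("svc01.s3cr3t", net.ParseIP("10.0.4.7")) == "", v.Validate("svc01.nope", net.ParseIP("10.0.4.7")))
}
```

The uniform body matters: if the response distinguished "expired" from "unknown", an attacker holding a leaked key list could learn which keys were ever valid. The trace ID is what ties a support ticket back to the logged reason.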

JWT Secret Management

Handle token issuance, signature verification, and claims mapping without exposing private keys.

The JWT plugin supports the RS256 and ES384 algorithms. FluxGate fetches public keys from your JWKS endpoint and caches them for 300 seconds to reduce verification latency. Private keys for signing are never stored in configuration files or environment variables. Set validation.algorithm to the single algorithm your identity provider actually uses: a verifier that lets a token's own alg header choose the algorithm is exposed to algorithm-confusion attacks, including "none" and HMAC signatures keyed with the public key.

  • Dynamic JWKS Polling: Auto-refreshes signing keys when your identity provider rotates them, preventing downtime during key cycles.
  • Claims Enforcement: Reject tokens missing required scopes like read:invoices or admin:deploy before routing.
  • Clock Skew Tolerance: Configurable leeway (default 120s) to accommodate clock drift across regions. The leeway extends the effective lifetime of every token by the same amount, so keep it as small as your time synchronization allows.

fluxgate:
  auth:
    jwt:
      enabled: true
      jwks_uri: "https://auth.fluxgate.io/.well-known/jwks.json"
      cache_ttl: 300s
      validation:
        issuer: "https://auth.fluxgate.io"
        audience: "api.fluxgate.io"
        required_claims: ["sub", "scope", "exp"]
        clock_skew: 120s
        algorithm: "RS256"
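An added example of the verification path in Go, not the plugin's own code: a JWKS cache with the 300s TTL that also refetches when a token names a kid it has not seen, a verifier that pins the algorithm from config and then checks issuer, audience, the required claims and exp with the 120s leeway, and a scope check for the claims-enforcement step. Sign and NewDemoKey exist only so the example runs offline; fetching and parsing the JWKS document is assumed to happen inside the Fetch callback, and the kid values and claims are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Policy mirrors the validation block of the jwt config above; DemoPolicy holds those values.
type Policy struct {
	Issuer, Audience, Algorithm string
	RequiredClaims              []string
	ClockSkew                   time.Duration
}

func DemoPolicy() Policy {
	return Policy{Issuer: "https://auth.fluxgate.io", Audience: "api.fluxgate.io", Algorithm: "RS256",
		RequiredClaims: []string{"sub", "scope", "exp"}, ClockSkew: 120 * time.Second}
}

// KeySet is a parsed JWKS: public keys by kid. Fetching and parsing the JWKS document is assumed to happen inside Fetch.
type KeySet = map[string]*rsa.PublicKey

// JWKSCache serves keys from memory for TTL and refetches when the cache is stale or a token
// names a kid it has not seen; the second case is what absorbs provider key rotation.
type JWKSCache struct {
	TTL       time.Duration
	Fetch     func() KeySet
	Now       func() time.Time
	keys      KeySet
	fetchedAt time.Time
}

func (c *JWKSCache) Key(kid string) (*rsa.PublicKey, error) {
	if k, ok := c.keys[kid]; ok && c.Now().Sub(c.fetchedAt) <= c.TTL {
		return k, nil
	}
	c.keys, c.fetchedAt = c.Fetch(), c.Now()
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("no key for kid %q after JWKS refresh", kid)
}

var b64 = base64.RawURLEncoding

// Sign mints an RS256 token so the example is self-contained; the gateway itself only verifies.
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

// Verify checks the signature with the cached JWKS key, then issuer, audience, required claims
// and exp with the configured leeway. aud is treated as a string; a full verifier must also accept the array form.
func Verify(tok string, p Policy, cache *JWKSCache) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	bodyJSON, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(bodyJSON, &claims) != nil {
		return nil, errors.New("undecodable token")
	}
	// The accepted algorithm is fixed by config; the token's alg header must equal it exactly,
	// which rules out "none" and HMAC signatures keyed with the public key.
	if hdr.Alg != p.Algorithm {
		return nil, fmt.Errorf("alg %q not permitted", hdr.Alg)
	}
	pub, err := cache.Key(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	for _, c := range p.RequiredClaims {
		if _, ok := claims[c]; !ok {
			return nil, fmt.Errorf("missing required claim %q", c)
		}
	}
	if claims["iss"] != p.Issuer || claims["aud"] != p.Audience {
		return nil, errors.New("issuer or audience mismatch")
	}
	exp, ok := claims["exp"].(float64)
	if !ok || cache.Now().After(time.Unix(int64(exp), 0).Add(p.ClockSkew)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// HasScope checks a space-delimited scope claim for one required scope (the claims-enforcement step).
func HasScope(claims map[string]any, want string) bool {
	s, _ := claims["scope"].(string)
	return strings.Contains(" "+s+" ", " "+want+" ")
}

// NewDemoKey generates a throwaway signing key for the example.
func NewDemoKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func main() {
	priv, p := NewDemoKey(), DemoPolicy()
	cache := &JWKSCache{TTL: 300 * time.Second, Now: time.Now, Fetch: func() KeySet { return KeySet{"k1": &priv.PublicKey} }}
	claims := map[string]any{"iss": p.Issuer, "aud": p.Audience, "sub": "u1", "scope": "read:invoices", "exp": time.Now().Add(time.Minute).Unix()}
	_, err := Verify(Sign(priv, "k1", claims), p, cache)
	fmt.Println("verify error:", err)
}
```

Note the order inside Verify: the signature is checked before any claim is trusted, and the algorithm is compared against config before the signature, so an unsigned or differently signed token never reaches the key lookup with an attacker-chosen algorithm. The unknown-kid refetch is what lets a provider publish a new key and start signing with it without a gateway restart; bound it with the same TTL so a flood of bogus kids cannot turn into a flood of JWKS requests.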

OAuth2 Callback Handling

Securely process authorization codes, exchange tokens, and manage session state.

FluxGate acts as a confidential client for OAuth2/OIDC flows. It generates cryptographically secure state parameters to prevent CSRF attacks and handles the token exchange with providers like Auth0, Okta, or AWS Cognito.

  • State Parameter Validation: Matches the state returned on the callback against the pending state recorded in the gateway session store and bound to the browser through an encrypted cookie, so a callback delivered to a victim's browser from an attacker's login attempt is rejected.
  • Token Caching: Stores access tokens in Redis with automatic refresh triggered 60 seconds before expiry.
  • Redirect URI Allowlisting: Enforces exact matches for callback paths like /auth/callback; prefix or wildcard matching would let an attacker steer the authorization code to a URL they control.

fluxgate:
  auth:
    oauth2:
      enabled: true
      client_id: "fluxgate-gateway-prod"
      client_secret_ref: "vault:secret/data/oauth2#client_secret"
      authorization_url: "https://accounts.google.com/o/oauth2/v2/auth"
      token_url: "https://oauth2.googleapis.com/token"
      callback:
        path: "/auth/callback"
        state_ttl: 600s
        redirect_success: "/dashboard"
        redirect_failure: "/login?error=auth_failed"
        scopes: ["openid", "profile", "email"]
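The callback handling, as an added Go example rather than the gateway's own code: Begin stores an unguessable state with the 600s TTL, binds it to the browser with an HttpOnly cookie and builds the authorization request; Callback accepts the code only if the path matches exactly, the state matches the cookie, and the state is pending and unexpired, consuming it so a replayed callback fails. The cookie is HMAC-signed here where the page says encrypted, the redirect URI host api.example.com and the cookie name are assumptions, and the token exchange that follows is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// Config mirrors the oauth2 block above. RedirectURI is the exact callback URL registered with
// the provider; the page gives only its path, so the host here is an assumption.
type Config struct {
	ClientID, AuthorizationURL, CallbackPath, RedirectURI string
	StateTTL                                               time.Duration
	Scopes                                                 []string
}

// Flow keeps pending states in memory (the page uses a Redis-backed session store) and binds
// each one to the browser with an HMAC-signed cookie; the page says encrypted, signing is
// assumed here because the state is not secret, only its integrity matters.
type Flow struct {
	Cfg       Config
	CookieKey []byte
	Now       func() time.Time
	mu        sync.Mutex
	states    map[string]time.Time // pending state -> expiry
}

const cookieName = "fg_oauth_state"

func (f *Flow) sign(state string) string {
	m := hmac.New(sha256.New, f.CookieKey)
	m.Write([]byte(state))
	return state + "." + base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Begin records a fresh 256-bit state, sets the binding cookie and returns the provider URL to redirect to.
func (f *Flow) Begin(w http.ResponseWriter) string {
	raw := make([]byte, 32)
	rand.Read(raw)
	state := base64.RawURLEncoding.EncodeToString(raw)
	f.mu.Lock()
	f.states[state] = f.Now().Add(f.Cfg.StateTTL)
	f.mu.Unlock()
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: f.sign(state), Path: f.Cfg.CallbackPath,
		MaxAge: int(f.Cfg.StateTTL.Seconds()), HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	q := url.Values{"response_type": {"code"}, "client_id": {f.Cfg.ClientID}, "redirect_uri": {f.Cfg.RedirectURI},
		"scope": {strings.Join(f.Cfg.Scopes, " ")}, "state": {state}}
	return f.Cfg.AuthorizationURL + "?" + q.Encode()
}

// Callback validates the returned state against both the cookie and the store, consumes it, and
// returns the authorization code. Every failure is a hard reject (the page then redirects to /login?error=auth_failed).
func (f *Flow) Callback(r *http.Request) (string, error) {
	if r.URL.Path != f.Cfg.CallbackPath { // exact match: no prefix, suffix or case tolerance
		return "", errors.New("callback path mismatch")
	}
	state, code := r.URL.Query().Get("state"), r.URL.Query().Get("code")
	if state == "" || code == "" {
		return "", errors.New("missing state or code")
	}
	c, err := r.Cookie(cookieName)
	if err != nil || subtle.ConstantTimeCompare([]byte(c.Value), []byte(f.sign(state))) != 1 {
		return "", errors.New("state does not match the browser's cookie")
	}
	f.mu.Lock()
	exp, ok := f.states[state]
	delete(f.states, state) // single use: a replayed callback fails here
	f.mu.Unlock()
	if !ok || f.Now().After(exp) {
		return "", errors.New("unknown or expired state")
	}
	return code, nil
}

// NewDemoFlow wires the config values from the page to a constructed cookie key.
func NewDemoFlow(now func() time.Time) *Flow {
	key := make([]byte, 32)
	rand.Read(key)
	return &Flow{CookieKey: key, Now: now, states: map[string]time.Time{}, Cfg: Config{
		ClientID: "fluxgate-gateway-prod", AuthorizationURL: "https://accounts.google.com/o/oauth2/v2/auth",
		CallbackPath: "/auth/callback", RedirectURI: "https://api.example.com/auth/callback",
		StateTTL: 600 * time.Second, Scopes: []string{"openid", "profile", "email"}}}
}

func main() {
	f := NewDemoFlow(time.Now)
	fmt.Println(f.Begin(httptest.NewRecorder())) // authorization URL carrying a fresh state
}
```

The get-and-delete under the lock is the replay protection; with a shared session store the same step must be an atomic delete (or a compare-and-delete) rather than a read followed by a separate write, or two concurrent callbacks with the same state can both succeed. The exchange that follows a successful Callback posts the code to token_url together with client_id, the client secret resolved from client_secret_ref, and a redirect_uri identical to the one sent in Begin; a conforming provider rejects the exchange if it differs.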