
Google Apigee API gateway

Community-contributed integration

This integration is community-maintained. Reference: ory/integrates/api-gateways/apigee.

Google Apigee is an enterprise API management platform. You can validate Ory-issued JWTs at the gateway layer with Apigee's VerifyJWT policy in a SharedFlow, using Ory Network's JWKS endpoint.

How it works

Apigee intercepts the API request, then the SharedFlow runs VerifyJWT against https://<project>.projects.oryapis.com/.well-known/jwks.json. When the JWT is valid, Apigee proxies the request to the backend. When it's invalid, Apigee returns a 401.

Set up the integration

  1. Create an Apigee SharedFlow with a VerifyJWT policy:
    • Algorithm: RS256.
    • PublicKey JWKS URL: https://<project>.projects.oryapis.com/.well-known/jwks.json.
    • Issuer: https://<project>.projects.oryapis.com.
    • Audience: your API's audience identifier (from Ory's OAuth2 client configuration).
  2. Attach the SharedFlow to your API proxy's PreFlow.
  3. Apigee caches the JWKS by URL. Tune CacheTTLInSeconds to balance freshness against KMS calls.

Notes

  • Use Apigee KVM (Key Value Map) to hold per-environment audience values without redeploying the shared flow.
  • For claim-based authorization, add an AssignMessage or JavaScript policy after VerifyJWT to inspect JWT claims.
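A claim check of the kind described in the last note, written for an Apigee JavaScript policy that runs after VerifyJWT. This is an added example, not code from Ory or Apigee. The policy name `VerifyJWT-Ory`, the required scope `orders:read`, the `authz.*` output variables, and the `scp`/`scope` claim names are assumptions; confirm the `jwt.<policy-name>.payload-json` flow variable against your Apigee release.

```javascript
// Added example: claim check for an Apigee JavaScript policy placed after VerifyJWT.
// Assumptions (not from the page): policy name "VerifyJWT-Ory", required scope
// "orders:read", output variables "authz.allowed" / "authz.reason".
var POLICY = 'VerifyJWT-Ory';

// Normalise scopes: accept an "scp" array or a space-delimited "scope" string.
function extractScopes(claims) {
  var raw = claims.scp !== undefined ? claims.scp : claims.scope;
  if (typeof raw === 'string') { return raw.split(' ').filter(Boolean); }
  if (Array.isArray(raw)) {
    return raw.filter(function (s) { return typeof s === 'string' && s.length > 0; });
  }
  return [];
}

// Deny by default: any parse problem or missing claim yields allowed=false.
function authorize(payloadJson, requiredScope) {
  var claims;
  try {
    claims = JSON.parse(payloadJson);
  } catch (e) {
    return { allowed: false, reason: 'unparseable_payload' };
  }
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    return { allowed: false, reason: 'unexpected_payload' };
  }
  // Exact element match, so "orders:readwrite" does not satisfy "orders:read".
  if (extractScopes(claims).indexOf(requiredScope) === -1) {
    return { allowed: false, reason: 'missing_scope' };
  }
  return { allowed: true, reason: 'ok' };
}

// Runs only inside Apigee, where the global `context` object exists.
if (typeof context !== 'undefined') {
  var decision = authorize(context.getVariable('jwt.' + POLICY + '.payload-json'), 'orders:read');
  context.setVariable('authz.allowed', String(decision.allowed));
  context.setVariable('authz.reason', decision.reason);
}
```

A RaiseFault policy conditioned on `authz.allowed` being `"false"` can then return a 403, keeping the rejection separate from the 401 that VerifyJWT produces for invalid tokens.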

Resources