Envoy
Community-contributed integration
This integration is community-maintained. Reference: ory/integrates/api-gateways/envoy.
Envoy is a CNCF cloud-native L7 proxy, the data plane behind many service meshes and API gateways.
You can validate Ory-issued JWTs or Ory Identities (Kratos) sessions at the Envoy layer. Use the native `jwt_authn` filter for OAuth2 access tokens from Ory OAuth2 & OpenID Connect (Hydra), or the `ext_authz` filter to delegate to Ory Oathkeeper or a small validator for session checks.
Two paths
Path A: OAuth2 access token validation (jwt_authn filter)
To validate JWTs issued by Ory OAuth2 & OpenID Connect:
- Add the `jwt_authn` HTTP filter to the listener's filter chain.
- Define a provider with these values:
  - Set `remote_jwks.http_uri` to `https://<project>.projects.oryapis.com/.well-known/jwks.json`.
  - Set `issuer` to your Ory project URL.
  - Set `audiences` to the API's audience identifier from the Ory OAuth2 client.
- Envoy caches the JWKS and refreshes it on `cache_duration`.
- Optionally, forward verified claims upstream via `payload_in_metadata` for downstream authorization.
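The steps above as one complete Envoy static configuration. This is an added example, not configuration from the Ory docs or the Envoy project; it assumes `<project>` is your Ory Network project slug, that the protected upstream is reachable as `api-backend:8080`, that the audience registered on the OAuth2 client is `https://api.example.com`, and that the system CA bundle lives at `/etc/ssl/certs/ca-certificates.crt`.

```yaml
# Added example (not from the Ory docs): Envoy validating Ory OAuth2 access tokens with jwt_authn.
# Assumed values: <project> (Ory project slug), api-backend:8080 (upstream), https://api.example.com (audience).
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: api
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: api_backend }
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                ory:
                  # Must equal the "iss" claim in the token, i.e. the Ory project URL.
                  issuer: https://<project>.projects.oryapis.com
                  # A token minted for another API fails here even though its signature is valid.
                  audiences:
                  - https://api.example.com
                  remote_jwks:
                    http_uri:
                      uri: https://<project>.projects.oryapis.com/.well-known/jwks.json
                      cluster: ory_jwks
                      timeout: 5s
                    # Serve the cached key set for this long before refetching.
                    cache_duration: 300s
                  # Keep the Authorization header on the upstream request.
                  forward: true
                  # Verified claims are written to dynamic metadata under this key for later filters (e.g. RBAC).
                  payload_in_metadata: ory_jwt_payload
              rules:
              # A rule with no "requires" lets the health check through without a token.
              - match: { prefix: "/healthz" }
              - match: { prefix: "/" }
                requires: { provider_name: ory }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: api_backend
    type: STRICT_DNS
    connect_timeout: 2s
    load_assignment:
      cluster_name: api_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: api-backend, port_value: 8080 }
  # Cluster used only to fetch the JWKS over TLS.
  - name: ory_jwks
    type: STRICT_DNS
    connect_timeout: 5s
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: ory_jwks
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: <project>.projects.oryapis.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: <project>.projects.oryapis.com
        common_tls_context:
          # Without a validation_context Envoy would accept any certificate for the JWKS endpoint,
          # so a spoofed key set could be served. Assumed CA bundle path below.
          validation_context:
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
```

Requests without a valid token receive a 401 from the filter before they reach `api_backend`. Tightening the `/healthz` rule to the paths that genuinely need to be public, and keeping `audiences` populated, are the two settings most often left loose in practice.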
Path B: Ory Identities session validation (ext_authz filter)
To validate end-user session cookies or tokens from Ory Identities:
- Add the `ext_authz` HTTP filter pointing at Ory Oathkeeper or a small validator service.
- The authorizer calls `https://<project>.projects.oryapis.com/sessions/whoami` with the session cookie.
- On a 200, inject identity headers downstream (`X-User-Id`, `X-User-Email`) and forward the request. On a 401, reject it at the edge.
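The `ext_authz` side of this flow as an added example (not from the Ory docs or the Envoy project). It assumes a hypothetical validator service reachable as `session-validator:8080` that calls `/sessions/whoami` with the forwarded cookie and answers 200 with `X-User-Id` and `X-User-Email` set, or 401; the filter entry belongs in the listener's `http_filters` list ahead of `envoy.filters.http.router`, and the cluster in `static_resources.clusters`.

```yaml
# Added example (not from the Ory docs): ext_authz delegating session checks to an assumed
# validator service "session-validator:8080" that wraps Ory's /sessions/whoami.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    # Fail closed: if the validator is down or times out, deny instead of passing traffic through.
    failure_mode_allow: false
    http_service:
      server_uri:
        uri: http://session-validator:8080
        cluster: session_validator
        timeout: 2s
      # The validator receives GET /authz<original path>.
      path_prefix: /authz
      authorization_request:
        # Forward only what whoami needs; other client headers stay out of the check request.
        allowed_headers:
          patterns:
          - exact: cookie
          - exact: authorization
      authorization_response:
        # On 200, these validator-set headers are copied onto the upstream request
        # (they override any header of the same name the client sent).
        allowed_upstream_headers:
          patterns:
          - exact: x-user-id
          - exact: x-user-email
        # On 401, forward the challenge header back to the client.
        allowed_client_headers:
          patterns:
          - exact: www-authenticate
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

clusters:
- name: session_validator
  type: STRICT_DNS
  connect_timeout: 1s
  load_assignment:
    cluster_name: session_validator
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: session-validator, port_value: 8080 }
```

Because `allowed_upstream_headers` only overrides headers the validator actually returns, also add `request_headers_to_remove: [x-user-id, x-user-email]` to the route configuration so a client-supplied identity header can never reach the upstream when the validator omits one. The per-session caching of the `whoami` result mentioned under Notes lives in the validator, not in Envoy.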
Notes
- The same configuration applies whether Envoy runs standalone, as an Istio sidecar or gateway, or as the data plane under a managed gateway.
- For session checks, cache the `whoami` result per session to avoid sending a request to Ory on every call.
- Tetrate Agent Router Enterprise is built on Envoy AI Gateway and applies this token-at-the-edge pattern to AI-agent traffic.
Resources
- Envoy
- Reference: ory/integrates/api-gateways/envoy
