What authentication methods does OCI API Gateway support?

OCI API Gateway supports JWT validation (validating tokens from any OIDC-compliant identity provider), custom authorizer functions (OCI Functions that implement custom authentication logic and return access decisions), and mutual TLS (mTLS) for certificate-based client authentication. You can combine these methods with request policies that enforce additional authorization checks based on JWT claims, headers, or query parameters.

How does API Gateway rate limiting work?

Rate limiting in OCI API Gateway is configured per deployment and applies to all routes within that deployment. You specify the rate in requests per second and can configure a burst limit for short traffic spikes. Rate limiting can be applied per client (identified by API key or IP address) or globally across all clients. When a client exceeds the rate limit, the gateway returns a 429 Too Many Requests response with a Retry-After header.

OCI API Gateway Config Builder

ServerlessOCI

Build OCI API Gateway deployment configurations with routes, auth, and rate limiting.

OCI API Gateway Configuration

Build API Gateway deployment configurations with routes, authentication, rate limiting, and CORS.

Required Fields

compartmentIddisplayNamepathPrefixspecification.routes

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "gatewayId": "ocid1.apigateway.oc1.iad.aaaaaaaexample",
  "displayName": "order-api-deployment",
  "pathPrefix": "/v1",
  "specification": {
    "requestPolicies": {
      "authentication": {
        "type": "JWT_AUTHENTICATION",
        "isAnonymousAccessAllowed": false,
        "issuers": ["https://identity.oraclecloud.com/"],
        "audiences": ["https://api.example.com"],
        "tokenHeader": "Authorization",
        "tokenAuthScheme": "Bearer",
        "maxClockSkewInSeconds": 60,
        "publicKeys": {
          "type": "REMOTE_JWKS",
          "uri": "https://idcs-abc123.identity.oraclecloud.com/admin/v1/SigningCert/jwk",
          "maxCacheDurationInHours": 1
        }
      },
      "rateLimiting": {
        "rateInRequestsPerSecond": 100,
        "rateKey": "CLIENT_IP"
      },
      "cors": {
        "allowedOrigins": ["https://app.example.com"],
        "allowedMethods": ["GET", "POST", "PUT", "DELETE"],
        "allowedHeaders": ["Authorization", "Content-Type"],
        "maxAgeInSeconds": 3600
      }
    },
    "routes": [
      {
        "path": "/orders",
        "methods": ["GET", "POST"],
        "backend": {
          "type": "HTTP_BACKEND",
          "url": "http://10.0.10.5:8080/api/orders",
          "connectTimeoutInSeconds": 10,
          "readTimeoutInSeconds": 30,
          "sendTimeoutInSeconds": 30
        },
        "requestPolicies": {
          "authorization": {
            "type": "ANY_OF",
            "allowedScope": ["orders:read", "orders:write"]
          }
        }
      },
      {
        "path": "/orders/{orderId}",
        "methods": ["GET", "PUT", "DELETE"],
        "backend": {
          "type": "HTTP_BACKEND",
          "url": "http://10.0.10.5:8080/api/orders/${request.path[orderId]}"
        }
      },
      {
        "path": "/health",
        "methods": ["GET"],
        "backend": {
          "type": "STOCK_RESPONSE_BACKEND",
          "status": 200,
          "body": "{\"status\": \"healthy\"}",
          "headers": [
            {
              "name": "Content-Type",
              "value": "application/json"
            }
          ]
        },
        "requestPolicies": {
          "authorization": {
            "type": "ANONYMOUS"
          }
        }
      }
    ]
  },
  "freeformTags": {
    "api": "order-service"
  }
}

Generated Output

Output will appear here...

About This Tool

OCI API Gateway is a managed service for creating, publishing, and securing REST APIs that front-end your backend services, functions, and HTTP endpoints. Configuration involves defining deployments with route collections, authentication policies (JWT, custom authorizers), rate limiting, CORS settings, request/response transformations, and logging. This builder helps you assemble API Gateway deployment specifications with correct route paths, method mappings, backend types, and policy configurations. It generates JSON deployment specs compatible with the OCI CLI, Terraform, and the API Gateway REST API.

When to Use This Tool

•Building an API Gateway deployment with JWT authentication that validates tokens from an OCI Identity Domain or external IdP
•Configuring rate limiting policies per client to prevent API abuse while allowing higher limits for premium tier consumers
•Creating request transformation policies that add headers, modify query parameters, or rewrite paths before forwarding to backends
•Generating deployment specifications with multiple routes that fan out to OCI Functions, compute instances, and external HTTPS endpoints

Frequently Asked Questions

What authentication methods does OCI API Gateway support?: OCI API Gateway supports JWT validation (validating tokens from any OIDC-compliant identity provider), custom authorizer functions (OCI Functions that implement custom authentication logic and return access decisions), and mutual TLS (mTLS) for certificate-based client authentication. You can combine these methods with request policies that enforce additional authorization checks based on JWT claims, headers, or query parameters.
How does API Gateway rate limiting work?: Rate limiting in OCI API Gateway is configured per deployment and applies to all routes within that deployment. You specify the rate in requests per second and can configure a burst limit for short traffic spikes. Rate limiting can be applied per client (identified by API key or IP address) or globally across all clients. When a client exceeds the rate limit, the gateway returns a 429 Too Many Requests response with a Retry-After header.

Related Learning Guides

OCI Security Best Practices24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.