What authentication methods does OCI API Gateway support?

OCI API Gateway supports JWT validation (validating tokens from any OIDC-compliant identity provider), custom authorizer functions (OCI Functions that implement custom authentication logic and return access decisions), and mutual TLS (mTLS) for certificate-based client authentication. You can combine these methods with request policies that enforce additional authorization checks based on JWT claims, headers, or query parameters.

How does API Gateway rate limiting work?

Rate limiting in OCI API Gateway is configured per deployment and applies to all routes within that deployment. You specify the rate in requests per second and can configure a burst limit for short traffic spikes. Rate limiting can be applied per client (identified by API key or IP address) or globally across all clients. When a client exceeds the rate limit, the gateway returns a 429 Too Many Requests response with a Retry-After header.

OCI API Gateway Config Builder

ServerlessOCI

Build OCI API Gateway deployment configurations with routes, auth, and rate limiting.

Last verified: May 2026

OCI API Gateway Configuration

Build API Gateway deployment configurations with routes, authentication, rate limiting, and CORS.

Required Fields

compartmentIddisplayNamepathPrefixspecification.routes

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "gatewayId": "ocid1.apigateway.oc1.iad.aaaaaaaexample",
  "displayName": "order-api-deployment",
  "pathPrefix": "/v1",
  "specification": {
    "requestPolicies": {
      "authentication": {
        "type": "JWT_AUTHENTICATION",
        "isAnonymousAccessAllowed": false,
        "issuers": ["https://identity.oraclecloud.com/"],
        "audiences": ["https://api.example.com"],
        "tokenHeader": "Authorization",
        "tokenAuthScheme": "Bearer",
        "maxClockSkewInSeconds": 60,
        "publicKeys": {
          "type": "REMOTE_JWKS",
          "uri": "https://idcs-abc123.identity.oraclecloud.com/admin/v1/SigningCert/jwk",
          "maxCacheDurationInHours": 1
        }
      },
      "rateLimiting": {
        "rateInRequestsPerSecond": 100,
        "rateKey": "CLIENT_IP"
      },
      "cors": {
        "allowedOrigins": ["https://app.example.com"],
        "allowedMethods": ["GET", "POST", "PUT", "DELETE"],
        "allowedHeaders": ["Authorization", "Content-Type"],
        "maxAgeInSeconds": 3600
      }
    },
    "routes": [
      {
        "path": "/orders",
        "methods": ["GET", "POST"],
        "backend": {
          "type": "HTTP_BACKEND",
          "url": "http://10.0.10.5:8080/api/orders",
          "connectTimeoutInSeconds": 10,
          "readTimeoutInSeconds": 30,
          "sendTimeoutInSeconds": 30
        },
        "requestPolicies": {
          "authorization": {
            "type": "ANY_OF",
            "allowedScope": ["orders:read", "orders:write"]
          }
        }
      },
      {
        "path": "/orders/{orderId}",
        "methods": ["GET", "PUT", "DELETE"],
        "backend": {
          "type": "HTTP_BACKEND",
          "url": "http://10.0.10.5:8080/api/orders/${request.path[orderId]}"
        }
      },
      {
        "path": "/health",
        "methods": ["GET"],
        "backend": {
          "type": "STOCK_RESPONSE_BACKEND",
          "status": 200,
          "body": "{\"status\": \"healthy\"}",
          "headers": [
            {
              "name": "Content-Type",
              "value": "application/json"
            }
          ]
        },
        "requestPolicies": {
          "authorization": {
            "type": "ANONYMOUS"
          }
        }
      }
    ]
  },
  "freeformTags": {
    "api": "order-service"
  }
}

Generated Output

Output will appear here...

About This Tool

OCI API Gateway is a managed service for creating, publishing, and securing REST APIs that front-end your backend services, functions, and HTTP endpoints. Configuration involves defining deployments with route collections, authentication policies (JWT, custom authorizers), rate limiting, CORS settings, request/response transformations, and logging. This builder helps you assemble API Gateway deployment specifications with correct route paths, method mappings, backend types, and policy configurations. It generates JSON deployment specs compatible with the OCI CLI, Terraform, and the API Gateway REST API.

Real-World Scenario

Your team is building a B2B API to be consumed by 50 partner companies. Each partner needs JWT auth, per-partner rate limiting (100 req/s normal, 500 req/s premium tier), and request logging for billing. The builder generates a single deployment with: JWT validation against your IdP, rate-limit-by-key policy keyed on JWT 'sub' claim with overrides per premium-tier partner, execution logging to OCI Logging, and 5 routes mapped to OCI Functions backends. Total config time: 1 hour vs 4-6 hours hand-crafting the YAML and discovering schema errors at deploy time.

When to Use This Tool

•Building an API Gateway deployment with JWT authentication that validates tokens from an OCI Identity Domain or external IdP
•Configuring rate limiting policies per client to prevent API abuse while allowing higher limits for premium tier consumers
•Creating request transformation policies that add headers, modify query parameters, or rewrite paths before forwarding to backends
•Generating deployment specifications with multiple routes that fan out to OCI Functions, compute instances, and external HTTPS endpoints

Pro Tips

TIP

Custom authorizer functions add ~30-50ms of latency per request because the Gateway invokes a separate function before forwarding. For most JWT validation, prefer native JWT policy over a custom authorizer — it's faster, simpler, and well-tested. Reserve custom authorizers for genuinely complex auth (multi-IdP federation, fine-grained authorization rules).

TIP

Rate limit values are PER deployment, not per backend. If you've split your API across 3 deployments (e.g., for separate compartment ownership), you need to add up rate limits across them carefully — a 100 req/s limit on each = 300 req/s total at the backend.

TIP

Always enable execution logging on production deployments and route to OCI Logging. The default is logs OFF — meaning when something goes wrong, you have no record of what request hit which backend. The cost of execution logging is negligible compared to the cost of debugging blind.

How It Works Under the Hood

The builder constructs API Gateway deployment specs with route collections (path + methods + backend types: HTTP_BACKEND, ORACLE_FUNCTIONS_BACKEND, STOCK_RESPONSE_BACKEND), request policies (authentication via JWT or function, rate limiting, CORS, mutual TLS), logging policies, and request/response transformations. Output is a deployment spec JSON ready for `oci api-gateway deployment create` and Terraform oci_apigateway_deployment resources.

Frequently Asked Questions

What authentication methods does OCI API Gateway support?: OCI API Gateway supports JWT validation (validating tokens from any OIDC-compliant identity provider), custom authorizer functions (OCI Functions that implement custom authentication logic and return access decisions), and mutual TLS (mTLS) for certificate-based client authentication. You can combine these methods with request policies that enforce additional authorization checks based on JWT claims, headers, or query parameters.
How does API Gateway rate limiting work?: Rate limiting in OCI API Gateway is configured per deployment and applies to all routes within that deployment. You specify the rate in requests per second and can configure a burst limit for short traffic spikes. Rate limiting can be applied per client (identified by API key or IP address) or globally across all clients. When a client exceeds the rate limit, the gateway returns a 429 Too Many Requests response with a Retry-After header.

Related Learning Guides

OCI Security Best Practices24 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.