We're Hiring!

Approov Integration with Kong API Gateway

Sunset over a montain.


API Gateways have become very popular for deploying APIs at scale because they sit between the client and the API server backend This enables all kinds of integrations without the need to modify the API code itself, and that’s exactly what Kong API Gateway excels at.

Although the Kong API Gateway 1.0 was only announced at the first Kong summit in 2018, its history goes way back. Specifically, to the year 2009 at a small garage located in the beautiful country of Italy, from where Augusto, Marco and Michele founded Mashapps, a simple mashup platform. In 2011 Mashapps became Mashape, the first API marketplace, although it was not until 2015 that Mashape open-sourced Kong, and saw an impressive early adoption curve by the open source community.

The Kong API Gateway already supports several API Authentication methods, but they are not sufficient to prevent scripts which impersonate traffic from your mobile app from accessing your backend assets and services via your API. For such use cases, you need something purpose built to protect mobile businesses. We propose Approov, which you can see listed as a security integration in the Kong hub.

The integration of Approov with the Kong API Gateway will ensure that your API can only be accessed by genuine instances of your mobile app. Scripts and bots will be blocked. This is achieved by adding the Approov SDK to your mobile app, and does not require you to change a single line of code in the API itself. Implementing the Approov Token check in your Kong API Gateway couldn’t be easier because the token is a regular signed JWT. All you need is to use the native Kong JWT plugin to check the expire time and verify the signature with the secret only known by your Kong API Gateway and the Approov cloud service.

To enhance the protection of your API further, you can secure each request by using the Approov Token Binding plugin for Kong. This allows you to check the binding of a header in the request with the Approov token itself, for example the user authentication header.

Please follow this Quickstart guide to learn how to integrate Approov into your current Kong API Gateway.

If you have any questions around why or how to use Approov with the Kong API Gateway, don’t hesitate to contact us.


Photo by Mattia Serrani on Unsplash

Paulo Renato

Paulo Renato is known more often than not as paranoid about security. He strongly believes that all software should be secure by default. He thinks security should be always opt-out instead of opt-in and be treated as a first class citizen in the software development cycle, instead of an after thought when the product is about to be finished or released.