Integrating Approov With Akamai API Gateway and Kona Site Defender

The mobile app visibility and protection provided by Approov enhances the backend security already deployed in Akamai's application security stack, providing a reliable way to stop bot traffic aimed at your mobile APIs. This article shows step by step how to do it.

Introduction

Backend application security gives you web bot detection and behavioral detection, and Approov's expertise in mobile API security gives you app and device visibility and attestation. In hybrid environments where users interact with both a web app and a mobile app, using backend application security for web protection and Approov for mobile API security ensures that bots cannot simply shift from the web front end to the mobile APIs.

Approov can work with any backend security solution because the result of the app and device attestation is captured in a standard JWT that the app sends with every API request. This makes the backend check straightforward, since almost every backend security product (and every mainstream language and framework) supports JWT verification.

All you need to do is integrate the lightweight platform-specific Approov SDK with your app and then start checking Approov tokens. For the mobile app integration, there are SDK quickstarts available for native or cross-platform apps on iOS, Android and HarmonyOS.

For backend integration, a range of backend quickstarts is available. If there isn't already a quickstart for an integration you need, we provide other tools to make it easy for you to do it yourself, or you can talk to us about what you need.

This layered approach covers multiple entry points while isolating security strategies based on interaction type, ensuring more precise control over legitimate and illegitimate access.

This article gives a step by step guide to integration with Akamai API Gateway and Kona Site Defender (KSD).

Step by Step Guide to Integrating Approov with Akamai's API Gateway and Kona Site Defender (KSD) 

Integrating Approov token checking with Akamai’s API Security solution focuses on validating Approov tokens at the Akamai edge before the requests are passed to your origin servers. Akamai's API Gateway and Kona Site Defender (KSD) offer powerful request filtering and header validation, which can be leveraged to enforce Approov attestation-based protection.

Below are the detailed integration steps:

Integration Goal

Prevent unauthorized or malicious API access by allowing only requests from genuine, untampered mobile apps verified through Approov tokens — at the Akamai edge.

Prerequisites

  • Approov SDK integrated into your mobile app.
  • Approov tokens (JWTs) are included in requests via the Approov-Token HTTP header.
  • Akamai EdgeWorkers or Advanced Behaviors in Property Manager enabled.
  • The Approov secret (distributed base64-encoded by the Approov CLI) stored securely, for example in EdgeKV, for token validation.
  • Optionally: a custom validation service for deeper inspection of Approov tokens.

Integration Options

Option 1: Using Akamai EdgeWorkers (Recommended)

EdgeWorkers allow running JavaScript at the edge, ideal for JWT validation.

Steps:

1. Create an EdgeWorker to Validate Approov Tokens

  • The EdgeWorker should:

    • Extract the Approov-Token from the request headers.
    • Confirm the JWT header's alg is HS256 (reject anything else, including none), then verify the signature with the shared secret using a constant-time comparison.
    • Check exp, and optionally inspect other claims such as sub and did.
    • Reject requests with 403 if the token is missing, malformed, expired, or carries an invalid signature.

Sample EdgeWorker (JavaScript). EdgeWorkers do not ship Node's crypto or Buffer; the edge runtime provides a WebCrypto-style crypto.subtle through its crypto module, base64 and text codecs through its encoding module, and key-value storage through the EdgeKV helper library. Check the module names against the EdgeWorkers runtime version you deploy to:

import { crypto } from 'crypto';
import { base64, TextEncoder, TextDecoder } from 'encoding';
import { EdgeKV } from './edgekv.js';

// The Approov secret is distributed base64-encoded. Keep it in EdgeKV and read
// it at request time; never hard-code it in the bundle. Namespace, group and
// item names are placeholders for your own.
const secrets = new EdgeKV({ namespace: 'approov', group: 'secrets' });

async function loadApproovSecretBytes() {
  const secretB64 = await secrets.getText({ item: 'shared-secret' });
  return base64.decode(secretB64);
}

// JWT segments are unpadded base64url; convert to padded base64 before decoding.
function b64urlDecode(segment) {
  let s = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4 !== 0) s += '=';
  return base64.decode(s);
}

// Returns null when the token is valid, otherwise a short rejection reason.
async function verifyApproovToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'Malformed token';

  let header, payload;
  try {
    const dec = new TextDecoder();
    header = JSON.parse(dec.decode(b64urlDecode(parts[0])));
    payload = JSON.parse(dec.decode(b64urlDecode(parts[1])));
  } catch (e) {
    return 'Malformed token';
  }

  // Pin the algorithm: Approov tokens are HS256. Rejecting anything else
  // defeats "alg": "none" and algorithm-confusion tokens.
  if (header.alg !== 'HS256') return 'Unexpected algorithm';

  const key = await crypto.subtle.importKey('raw', await loadApproovSecretBytes(),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
  const signingInput = new TextEncoder().encode(`${parts[0]}.${parts[1]}`);
  // subtle.verify compares in constant time; never compare signatures with !==.
  const ok = await crypto.subtle.verify({ name: 'HMAC' }, key, b64urlDecode(parts[2]), signingInput);
  if (!ok) return 'Invalid signature';

  const now = Math.floor(Date.now() / 1000);
  if (typeof payload.exp !== 'number' || payload.exp < now) return 'Token expired';
  return null;
}

export async function onClientRequest(request) {
  // getHeader() returns an array of values (or undefined), not a string.
  const values = request.getHeader('Approov-Token');
  if (!values || values.length !== 1) {
    request.respondWith(403, {}, 'Missing Approov token');
    return;
  }

  let reason;
  try {
    reason = await verifyApproovToken(values[0]);
  } catch (e) {
    reason = 'Token check failed'; // fail closed if EdgeKV or crypto errors
  }
  if (reason) {
    request.respondWith(403, {}, reason);
    return;
  }
  // Token is valid; the request continues to the origin.
}

Store the Approov secret in EdgeKV as shown rather than in the EdgeWorker bundle. The secret is distributed base64-encoded, so decode it to raw bytes before importing it as the HMAC key; importing the base64 text itself makes every genuine token fail verification.

Option 2: Use Custom Header Validation in Akamai Property Manager

If EdgeWorkers are unavailable, use the built-in request header matching in Akamai Property Manager:

Steps:

  • Navigate to your Akamai Property.
  • Add a rule that matches on the request header:
    • Header Name: Approov-Token
    • Condition: Exists
    • Action if not matched: Deny the request.
  • Add a second rule for format validation (a regex for the three-part JWT shape):
    • Regex: ^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$
    • Action if not matched: Deny the request.
    • Keep the hyphen last in the character class. Written as [A-Za-z0-9-_], the 9-_ is a range that also admits : ; < = > ? @ [ \ ] ^, none of which are in the base64url alphabet.

Limitations:

  • This method cannot validate the JWT signature or expiry, so a forged or expired token of the right shape passes.
  • Use it only as a pre-filter in front of Option 1 or Option 3, not as full validation.

Option 3: Use an External Approov Validation Service

If EdgeWorkers are restricted or cannot handle secret key storage:

  • Deploy a token verification service at your origin or at another edge location (e.g., AWS Lambda@Edge).
  • Configure Akamai to consult this service before forwarding to the origin, either via a sub-request or by placing the service in the request path in front of the origin.

The service:
  • Accepts the Approov-Token header.
  • Performs algorithm, signature and expiry checks.
  • Returns 200 (OK) or 403 (Forbidden).

Akamai blocks access if the service returns 403.

Monitoring & Enforcement

  • Use Akamai SIEM or logging to monitor Approov token check failures.
  • Set up alerts for repeated failure patterns (indicative of bot attacks).
  • In Approov Dashboard:
    • Monitor real-time attestation metrics.
    • Analyze device integrity, jailbreak/root status, and token usage trends.
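The "repeated failure pattern" alert in code, as an added example that is not from the article: a sliding-window count of Approov 403s per client IP. The log line format here is invented for the example; map the parser to the fields your Akamai SIEM integration or log delivery actually emits.

```javascript
// Constructed sample log lines (not a real Akamai log format):
// "<unix-time> <client-ip> <status> <reason>"
const SAMPLE_LOG = [
  '1700000000 203.0.113.7 403 Invalid signature',
  '1700000005 203.0.113.7 403 Invalid signature',
  '1700000009 198.51.100.4 403 Token expired',
  '1700000012 203.0.113.7 403 Token expired',
  '1700000013 192.0.2.9 200 OK',
  '1700000020 203.0.113.7 403 Malformed token',
  '1700000026 203.0.113.7 403 Invalid signature',
  '1700000031 198.51.100.4 200 OK',
  '1700000033 203.0.113.7 403 Invalid signature',
  '1700000500 203.0.113.7 403 Invalid signature', // well outside the burst above
];

// Parse one line; returns null for lines that are not Approov rejections.
function parseFailure(line) {
  const m = /^(\d+) (\S+) (\d{3}) (.*)$/.exec(line);
  if (!m || m[3] !== '403') return null;
  return { time: Number(m[1]), ip: m[2], reason: m[4] };
}

// Largest number of Approov 403s any single IP produced inside a sliding
// window of `windowSeconds`; IPs at or above `threshold` are returned as
// { ip: peakCount }. A genuine app that lost its token produces one or two
// failures and then re-attests; a bot replaying or forging tokens does not.
function findRepeatedApproovFailures(lines, { threshold = 5, windowSeconds = 60 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const f = parseFailure(line);
    if (!f) continue;
    if (!byIp.has(f.ip)) byIp.set(f.ip, []);
    byIp.get(f.ip).push(f.time);
  }
  const alerts = {};
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0, peak = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSeconds) start++; // slide the window start
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) alerts[ip] = peak;
  }
  return alerts;
}
```

Key the count by whatever stable attribute your logs give you (client IP here; an ASN or a TLS fingerprint works equally well), and feed the resulting IPs into the Akamai rule or Bot Manager profile that should act on them.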

Future Enhancements

  • Combine with Bot Manager to further profile automated traffic.
  • Use Kona Rule Sets (KRS) to enrich API security posture.
  • Integrate with Akamai Identity Cloud if user token binding is desired.


Summary Table

  Step              Description
  SDK Integration   Add Approov to the mobile app and send the token in the Approov-Token header
  JWT Validation    Perform at the edge with EdgeWorkers, or via an external validation service
  Rule Enforcement  Use Property Manager for header presence and JWT-format regex pre-filtering
  Logging           Enable access/error logging for audit
  Monitoring        Use the Approov dashboard and Akamai SIEM