Security and Compliance Overview
API7 Gateway sits in the request path for an enterprise's APIs, carrying mission-critical traffic between a distributed set of applications and services, so securing the gateway itself is essential. API7 provides a suite of security and compliance features to protect your APIs from threats, enforce granular access control, and meet regulatory requirements. The security model is layered and configurable, so controls can be tailored to an organization's needs and applied at each hop, from client to gateway to upstream.
Authentication and Access Management
Verifying the identity of every client, user, and system component is the foundation of a zero-trust security posture. API7 supports a wide range of industry-standard authentication mechanisms to ensure that only legitimate traffic can access your APIs and management interfaces.
- Mutual TLS (mTLS): Enforces certificate-based authentication in both directions between the Control Plane and the Data Plane, so management traffic is encrypted and each side verifies the other's certificate before accepting configuration.
- OAuth 2.0 / OIDC: Integrates with external identity providers (IdPs) like Okta, Keycloak, and others to enable modern, token-based authentication for your APIs.
- Single Sign-On (SSO): Centralizes user access to the API7 Dashboard through your corporate identity provider, streamlining user management and improving security.
- Role-Based Access Control (RBAC): Provides granular control over user permissions within the API7 Dashboard, allowing you to define roles that align with your organizational structure.
Authorization and Access Control
Once a client is authenticated, authorization determines what actions they are permitted to perform. API7 provides powerful, flexible tools to enforce fine-grained access control policies, ensuring that clients can only access the resources they are explicitly granted permission to use.
- Access Control Lists (ACLs): A straightforward yet powerful way to restrict API access to specific consumer groups, often used in conjunction with API keys or other authentication methods.
- Role-Based Access Control (RBAC): Extends beyond the dashboard to the API traffic itself, allowing you to define complex authorization logic based on user roles and permissions.
- Permission Policies and Boundaries: Implement attribute-based access control (ABAC) by defining policies that evaluate context such as JWT claims, request headers, and other request attributes to make dynamic authorization decisions.
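The following is an added example of the decision flow described above (verify the caller's JWT, then evaluate policy statements against its claims and the request); it is illustration code, not API7's policy engine or configuration format. Assumptions made here, none from the page: tokens are HS256 JWTs signed with a shared secret the gateway holds, policies are a plain Python list with deny-overrides semantics, and the tenant is carried in an X-Tenant-Id header.

```python
"""Attribute-based authorization from a verified JWT plus request context.

Added illustration, not API7 code. Constructed assumptions: HS256 tokens with
a shared secret, a list-of-dicts policy format, tenant in X-Tenant-Id.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-shared-secret"  # constructed; a real gateway fetches keys from the IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Mint a token; alg is a parameter only so a bad header can be constructed."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm: the token must never pick "none" or switch the key type.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


# Policy statements (constructed): explicit deny wins, any matching allow grants, default deny.
ALL_METHODS = {"GET", "POST", "PUT", "DELETE"}
POLICIES = [
    {"effect": "allow", "roles": {"admin"}, "methods": ALL_METHODS,
     "path_prefix": "/api/", "tenant_scoped": True},
    {"effect": "allow", "roles": {"reader"}, "methods": {"GET"},
     "path_prefix": "/api/", "tenant_scoped": True},
    {"effect": "deny", "roles": {"reader"}, "methods": ALL_METHODS,
     "path_prefix": "/api/admin/", "tenant_scoped": False},
]


def _matches(stmt: dict, roles: set, method: str, path: str, headers: dict, claims: dict) -> bool:
    if not roles & stmt["roles"] or method not in stmt["methods"]:
        return False
    if not path.startswith(stmt["path_prefix"]):
        return False
    # Tenant-scoped statements require the header to agree with the token's tenant claim.
    if stmt["tenant_scoped"] and headers.get("x-tenant-id") != claims.get("tenant"):
        return False
    return True


def authorize(token: str, method: str, path: str, headers: dict, now: Optional[float] = None) -> bool:
    claims = verify_jwt(token, now=now)
    if claims is None:
        return False  # unauthenticated callers never reach policy evaluation
    headers = {k.lower(): v for k, v in headers.items()}
    roles = set(claims.get("roles", []))
    allowed = False
    for stmt in POLICIES:
        if not _matches(stmt, roles, method.upper(), path, headers, claims):
            continue
        if stmt["effect"] == "deny":
            return False  # deny overrides any allow
        allowed = True
    return allowed
```

The order of checks matters: signature and expiry are settled before any claim is read, the algorithm is pinned rather than taken from the token, and a deny statement short-circuits regardless of how many allows matched.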
Data Protection and Encryption
Protecting the confidentiality and integrity of your data, both in transit and at rest, is a critical compliance requirement. API7 provides robust encryption capabilities and secure credential management to safeguard sensitive information.
- Secure Credentials Management: Securely stores and manages sensitive values such as TLS certificates and private keys, passwords, and API tokens. Integration with external secret managers like HashiCorp Vault and AWS Secrets Manager is supported for centralized control.
- End-to-End Encryption: Uses TLS to protect data in transit on both hops, from the client to the gateway and from the gateway to upstream services, preventing eavesdropping and man-in-the-middle attacks. Note that the gateway terminates the client's TLS session in order to route and apply plugins, so requests are in plaintext inside the gateway process; the second hop is only protected if upstreams are configured for TLS (and mTLS where the upstream requires client certificates).
Infrastructure Security
Securing the gateway infrastructure itself is as important as securing the API traffic it manages. API7 includes features designed to harden the control and data planes against direct attacks and unauthorized configuration changes.
- Secure the Control Plane with IP Restrictions: Limits access to the Admin API and Dashboard to a trusted list of IP addresses or ranges, significantly reducing the attack surface. When the Control Plane sits behind a load balancer or reverse proxy, the restriction must be evaluated against the real client address rather than the proxy's.
- Verify Signature of Signed Images: Lets you check the integrity and authenticity of the API7 Gateway container images you deploy, so you can confirm they have not been tampered with and originate from the publisher before they run.
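As an added illustration of the IP-restriction check above (not API7's implementation or configuration), the code below resolves the client address before consulting an allowlist and goes one step beyond the text by handling the X-Forwarded-For case: the header is honoured only when the TCP peer is a trusted proxy, and even then only the rightmost hop that a trusted proxy did not add is believed. The allowlist and proxy ranges are constructed values.

```python
"""Admin-plane IP allowlist with proxy-aware client address resolution.

Added illustration, not API7 configuration. Allowlist and proxy ranges are
constructed for the example; the point is the X-Forwarded-For handling.
"""
import ipaddress
from typing import Optional

# Networks allowed to reach the Admin API / Dashboard (constructed values).
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "203.0.113.5/32", "2001:db8:1::/48")]
# Only these load balancers / reverse proxies may assert X-Forwarded-For (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.10.0.0/16",)]


def _in_any(addr, networks) -> bool:
    # Address/network version mismatches simply compare False.
    return any(addr in n for n in networks)


def client_ip(peer_addr: str, headers: dict):
    """Return the address an allowlist decision should be made on.

    X-Forwarded-For is attacker-controlled unless the TCP peer is a proxy we
    trust; even then only the rightmost hop not appended by a trusted proxy is
    believable, because the original client can prepend any value it likes.
    """
    peer = ipaddress.ip_address(peer_addr)
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for")
    if not xff or not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection, or header from an untrusted source: ignore it
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the proxy's own address
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer  # every hop was one of our proxies; nothing else to go on


def admin_allowed(peer_addr: str, headers: Optional[dict] = None) -> bool:
    """True if the resolved client address falls inside ADMIN_ALLOWLIST."""
    return _in_any(client_ip(peer_addr, headers or {}), ADMIN_ALLOWLIST)
```

Because the proxy range is deliberately kept outside the allowlist, every fallback to the peer address (no usable header, or a malformed one) fails closed: a proxy's own address is never an admin address.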
Monitoring and Auditing
Comprehensive visibility into system activity is essential for threat detection, incident response, and compliance. API7 generates detailed logs for critical operations, providing an audit trail of administrative actions and security events.
- Audit Logs: Records all changes made through the Control Plane, including modifications to routes, plugins, and security policies. This provides a clear, chronological record of who did what, and when.
- Integration with SIEM: Logs can be exported to external Security Information and Event Management (SIEM) platforms like Splunk or Elastic for advanced analysis, correlation, and alerting.
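The two items above describe the audit trail and its export; as an added example of what a practitioner would run over such a trail before or after it lands in the SIEM, the block below applies four detection rules to audit events (an auth or access-control plugin disabled, a top-level admin role granted, changes outside an approved window, and a burst of changes by one actor). This is illustration code, not API7's audit-log schema: the JSON line format, field names, sample events, and the change-window policy are all constructed for the example and would need to be mapped onto the fields the Control Plane actually exports.

```python
"""Detection rules over gateway audit-log lines, emitted as JSON for a SIEM.

Added illustration, not API7 code. The line format, field names, sample
events and change-window policy are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

SECURITY_PLUGINS = {"key-auth", "jwt-auth", "openid-connect", "ip-restriction", "acl"}
MUTATING = {"create", "update", "delete"}
BURST_THRESHOLD = 4  # mutating changes by one actor within BURST_SECONDS
BURST_SECONDS = 60

# Constructed sample: one JSON line per Control Plane change.
SAMPLE_AUDIT_LOG = """\
{"ts":"2024-05-01T09:12:03Z","actor":"alice","action":"update","resource":"route","id":"r-42","src_ip":"10.0.5.4","diff":{"plugins":{"key-auth":{"_meta":{"disable":true}}}}}
{"ts":"2024-05-01T09:15:10Z","actor":"alice","action":"update","resource":"route","id":"r-43","src_ip":"10.0.5.4","diff":{"upstream":"orders-v2"}}
{"ts":"2024-05-01T23:40:00Z","actor":"bob","action":"delete","resource":"route","id":"r-7","src_ip":"10.0.5.9","diff":{}}
{"ts":"2024-05-02T10:01:00Z","actor":"carol","action":"update","resource":"user","id":"u-9","src_ip":"10.0.5.12","diff":{"roles":["super_admin"]}}
{"ts":"2024-05-02T10:05:00Z","actor":"dave","action":"delete","resource":"route","id":"r-1","src_ip":"10.0.5.20","diff":{}}
{"ts":"2024-05-02T10:05:10Z","actor":"dave","action":"delete","resource":"route","id":"r-2","src_ip":"10.0.5.20","diff":{}}
{"ts":"2024-05-02T10:05:20Z","actor":"dave","action":"delete","resource":"route","id":"r-3","src_ip":"10.0.5.20","diff":{}}
{"ts":"2024-05-02T10:05:30Z","actor":"dave","action":"delete","resource":"route","id":"r-4","src_ip":"10.0.5.20","diff":{}}
"""


def parse_audit_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def in_change_window(ts: datetime) -> bool:
    """Approved change window (constructed policy): weekdays 08:00-18:00 UTC."""
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def _alert(rule: str, ev: dict, detail: str) -> dict:
    return {"rule": rule, "ts": ev["ts"].isoformat(), "actor": ev["actor"],
            "src_ip": ev.get("src_ip"), "detail": detail}


def detect(events: list) -> list:
    alerts = []
    recent = defaultdict(list)  # actor -> timestamps of recent mutating changes
    for ev in sorted(events, key=lambda e: e["ts"]):
        diff = ev.get("diff") or {}
        # 1. An authentication/access-control plugin disabled (or removed: null) on a route/service.
        if ev["resource"] in ("route", "service") and ev["action"] == "update":
            for name, cfg in (diff.get("plugins") or {}).items():
                if name in SECURITY_PLUGINS and (cfg is None or (cfg.get("_meta") or {}).get("disable") is True):
                    alerts.append(_alert("security_plugin_disabled", ev, f"{name} on {ev['id']}"))
        # 2. A user granted the top-level administrative role.
        if ev["resource"] == "user" and "super_admin" in (diff.get("roles") or []):
            alerts.append(_alert("role_escalation", ev, f"super_admin granted to {ev['id']}"))
        if ev["action"] not in MUTATING:
            continue
        # 3. Any configuration change outside the approved window.
        if not in_change_window(ev["ts"]):
            alerts.append(_alert("off_hours_change", ev, f"{ev['action']} {ev['resource']} {ev['id']}"))
        # 4. A burst of changes from one actor (scripted use of a stolen session or token).
        window = [t for t in recent[ev["actor"]] if (ev["ts"] - t).total_seconds() <= BURST_SECONDS]
        window.append(ev["ts"])
        recent[ev["actor"]] = window
        if len(window) == BURST_THRESHOLD:  # fire once, when the threshold is first crossed
            alerts.append(_alert("change_burst", ev, f"{BURST_THRESHOLD} changes in {BURST_SECONDS}s"))
    return alerts


def alerts_for_siem(text: str = SAMPLE_AUDIT_LOG) -> list:
    """Run the rules and return one JSON line per alert, ready to forward."""
    return [json.dumps(a, sort_keys=True) for a in detect(parse_audit_log(text))]
```

Each alert keeps the actor and source address from the original event so the SIEM can correlate it with Dashboard SSO logins and network logs; the burst rule fires once per window crossing rather than on every subsequent event, which keeps a scripted mass-delete from flooding the alert queue.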
Compliance and Governance
Meeting industry and regulatory compliance standards is a key function of an enterprise-grade API gateway. API7 is designed with compliance in mind, providing the features and transparency needed to pass security audits.
- Licenses for Open Source Software: Provides clear documentation on the open-source components used within API7 and their respective licenses, simplifying license compliance efforts.
- Vulnerability Scanning: API7 undergoes continuous security testing and vulnerability scanning. We are committed to reporting identified vulnerabilities transparently and patching them promptly.
- Trust Center: A centralized resource for all security and compliance-related information, including certifications, security reports, and best practice guides.