Backend authentication
API Gateway offers a first line of security by requiring that a valid OAuth 2.0 bearer token be passed in the Authorization header of the request, and that the token belongs to the tenant called out in the request URL.
You should still have a second layer of security at your target API server. This second layer is needed for several reasons:
- Your target API server must be reachable from the public internet for API Gateway to be able to call it, so it is exposed to requests that never passed through the gateway.
- You may still have legacy applications that access your target API server directly and have not yet been modified to go through API Gateway.
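One way to provide that second layer is for the target API server to re-validate the bearer token itself instead of trusting that every request came through the gateway. The following is an added example, not code from the API Gateway product or its documentation: it checks the HS256 signature, the expiry, and that the token's `tenant` claim matches the tenant in the URL. The URL shape `/tenants/<tenant>/...`, the `tenant` claim name, the HS256 algorithm and the demo key are all assumptions for illustration.

```python
import base64, hashlib, hmac, json, re, time

# Constructed demo key; a real backend holds the token issuer's verification key.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Assumed URL shape: /tenants/<tenant>/...  (the page does not fix the exact path)
TENANT_RE = re.compile(r"^/tenants/([A-Za-z0-9_-]+)/")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample requests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def authorize_request(path: str, headers: dict, key: bytes, now=None) -> tuple:
    """Backend-side check independent of the gateway: returns (allowed, reason)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:  # exp is required; a missing exp is treated as expired
        return False, "token expired"
    m = TENANT_RE.match(path)
    if not m or claims.get("tenant") != m.group(1):
        return False, "token does not belong to tenant in URL"
    return True, "ok"
```

A request that bypasses the gateway (a legacy client, or anyone who can reach the public endpoint) is rejected by the same rules the gateway applies, so the backend no longer depends on the gateway being the only path in.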