External authorization check (forward-auth / Envoy ext_authz)
Forward-auth endpoint for an Envoy/nginx ext_authz filter.
Resolves the Authorization-PSK header (only) and translates a valid
User PSK into x-authz-* identity headers the proxy injects
upstream. Behaviour is intentionally PSK-driven so a Bearer-only request
falls through to downstream JWT validation:
- User PSK present + valid → 200 with x-authz-* + x-auth-method headers.
- PSK present + invalid (or the shared general PSK) → 403.
- PSK absent → 200 with no x-authz-* headers (JWT handles it).
The shared general PSK is rejected here: it carries no real identity, so it
must not be able to inject a fixed psk principal into upstream services.
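
The three outcomes above, written as a decision function. This is an added example, not the service's own code: the x-authz-user and x-authz-roles header names, the x-auth-method value, and the PSK values are assumptions constructed for illustration.

```python
import hmac
from typing import NamedTuple

PSK_HEADER = "authorization-psk"  # header named on the page, lower-cased

# Constructed sample data (assumptions, not real keys or the service's store).
GENERAL_PSK = "general-psk-example"
USER_PSKS = {"alice-psk-example": {"user": "alice", "roles": "reader,writer"}}


class Decision(NamedTuple):
    status: int    # HTTP status returned to the proxy
    headers: dict  # headers the proxy injects upstream on 200


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not leak key bytes.
    return hmac.compare_digest(a.encode(), b.encode())


def check(request_headers: dict) -> Decision:
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    psk = hdrs.get(PSK_HEADER)
    if psk is None:
        # PSK absent (e.g. Bearer-only): allow with no identity headers,
        # leaving the decision to downstream JWT validation.
        return Decision(200, {})
    if _same(psk, GENERAL_PSK):
        # The shared general PSK carries no real identity: reject.
        return Decision(403, {})
    ident = None
    for known, candidate in USER_PSKS.items():  # scan all, no early exit
        if _same(psk, known):
            ident = candidate
    if ident is None:
        return Decision(403, {})  # present but invalid (includes empty)
    return Decision(200, {
        "x-authz-user": ident["user"],    # hypothetical x-authz-* name
        "x-authz-roles": ident["roles"],  # hypothetical x-authz-* name
        "x-auth-method": "psk",           # assumed value
    })
```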
POST
Authorizations
Response
Allowed — identity headers set when a valid PSK is present.

