Securing services

Kalix offers multiple levels of authentication and authorization that can be used to secure services. Which levels are right for you will depend greatly on your use case. These levels of security are complementary. In some cases, it may make sense to utilize multiple levels of Kalix security features.

The features for securing services that Kalix supports are:

  • Access Control Lists (ACLs)

  • Client certificates

  • JSON Web Tokens (JWTs)

Access Control Lists (ACLs)

The simplest access control that Kalix offers is through Access Control Lists (ACLs). ACLs let you specify which callers may access your services, at Kalix service, gRPC service or gRPC method granularity. For example, you can configure the method that initiates a payment on a payment service to accept requests only from the shopping cart service. You can also control whether services or methods can be invoked from the Internet at all.

For details on how ACLs work and how to configure them, see Using ACLs.

Client certificates

When Kalix services are exposed to the Internet using routes, all requests are served using Transport Layer Security (TLS). This lets a client trust that the server it is connecting to is the server it intended to connect to, and ensures that the connection is encrypted and cannot be tampered with. However, the default configuration gives the server no guarantee about the identity of the client: by default, anyone on the Internet can connect to your exposed services.

Kalix’s client certificate support, also known as Mutual TLS (mTLS) support, allows you to configure routes to require a client certificate. Supplied certificates are validated against a trusted Certificate Authority (CA) that you provide, so only clients holding a certificate issued by that CA can reach the route. For more information on configuring client certificates, see Using client certificates.

JSON Web Tokens (JWTs)

JSON Web Tokens (JWTs) allow requests to be authenticated and authorized. They are typically useful for requests from users or devices on the Internet: the token lets you authenticate the user or device and also control what that user or device can do, which entities it has access to, and so on. JWTs can also be used for requests between services.

For more information about Kalix’s JWT support, see Using JWTs.