The Dev Portal security settings allow for visibility and access control around developers accessing your Dev Portal. To configure these settings, navigate to Dev Portal in the Konnect UI, click a Dev Portal, and then click Settings in the sidebar.
To adjust security settings for Dev Portal admins and users, see Konnect organization settings.
When new APIs or pages are created, the specified default visibility will be used. When publishing these items, these defaults can be changed as well.
Changing the default visibility only affects new APIs or pages. It does not retroactively change the visibility of existing APIs or pages.
Enabling user authentication will allow anonymous users browsing the Dev Portal to register for a developer account.
User authentication must be enabled to configure any further settings related to identity providers, RBAC, developer & application registration, or specifying application auth strategies and API keys.
Identity providers (IdPs) manage authentication of developers signing into the Dev Portal. Konnect’s built-in authentication provider is used by default. This option generates API keys for developers.
OIDC or SAML providers can be configured as integrated IdP providers.
Learn more about configuring IdPs in Self-service developer & application registration.
v3.6+ An API must be linked to a Konnect Gateway Service to be able to restrict access to your API with authentication strategies.
Registration of developer accounts and creation of applications both require approval by Dev Portal admins by default. These approvals are managed in Access and Approvals.
The following explains the behavior when auto-approval for developers is configured:
The following explains the behavior when auto-approval for applications is configured:
When RBAC is enabled for a Dev Portal, the option to configure API access policies for developers will be available when publishing the API to a portal. Otherwise, any logged in developer can see any published API that is set to Visibility: public.
An API must be linked to a Konnect Gateway Service v3.6+ or control plane v3.13+ to restrict access to your API with authentication strategies.
Authentication strategies determine how published APIs are authenticated, and how developers create API Keys. When you link an API to a Gateway, you have two options:
These plugins are responsible for applying authentication and authorization on the Gateway Service or control plane. The authentication strategy that you select for the API defines how clients authenticate.
The following table can help you decide which option to pick:
|
Option |
KAA plugin |
ACE plugin |
|---|---|---|
| Scope | Linked to a single Gateway Service | Linked to an entire control plane |
| Plugin applied… | Automatically on the Gateway Service linked to the API | Manually |
| Managed by… | Konnect. You can only modify it by configuring JSON in the advanced configuration for your application auth strategy. | You, by manually configuring the plugin. |
| Kong Gateway version | 3.6 or later | 3.13 or later |
| Can be used with declarative configuration | No, because the plugin is applied automatically | Yes, because you must configure the plugin |
| Can be used with API packages | No | Yes |
Do not configure the KAA and ACE plugins on the same control plane because their overlapping interactions can be unpredictable.
Determines the default authentication strategy applied to an API as it is published to a portal. Changing this default will not retroactively change any previously published APIs.
To create a new application authentication strategy, see Application Auth.
The authentication strategy only affects the hosted Service and does not affect developers browsing the Dev Portal from viewing APIs. To change visibility of APIs in the Dev Portal, see Default Visibility and Role-Based Access Control.
You can specify an IP address or a range of IP addresses that are allowed to connect to a Dev Portal through its supported interfaces. This includes the UI, the Konnect APIs, and Terraform. This does not restrict who can access the Dev Portal settings, configuration, and Portal Editor in Konnect.
This IP allow list applies to all Dev Portal communication that goes through the Admin API.
Important:
- Any IP addresses that aren’t allow listed won’t be able to access the Dev Portal, including your own.
- If you’re configuring IP allow list for the first time, it will take effect in up to a minute. If you’re editing existing IP allow list values, the changes will take effect after several minutes.
- Konnect favors IPs over IPv6, and not the IPv4. If your network has dual stack support (supports IPv4 and IPv6), we recommend configuring the IP the network uses if you’re using IPv4 and IPv6. If you aren’t sure or your network path isn’t explicitly controlled by you, its best to enter both.
To configure an IP allow list for a Dev Portal, do one of the following: