API Access

Manage access to your APIs.


The API Access object defines which groups can access which APIs or Collections.


Gateways embed the API Accesses they can expose. API Accesses that don't belong to any gateway have no effect.

Users and Groups

When Users / Consumers belong to multiple groups, they inherit access from each group they belong to.
Please refer to the documentation about user management for more information.

Managing API Access Using CRDs

The API Access object has several properties.

| Field | Description | Required |
| --- | --- | --- |
| groups | Name of the user group(s) with permissions for the API(s). Requires apiSelector.matchLabels, apiSelector.matchExpressions or a combination of both to select APIs. | Yes |
| apis.name | Select APIs based on names. You can combine it with apiSelector.matchLabels and apiSelector.matchExpressions. See Labels and Selectors. | No |
| apis.namespace | Name of the Kubernetes Namespace used by the API(s) defined in This is required for | |
| operationFilter.include | Allow API operations which are configured via an operationSet for one or multiple group(s). | No |
| apiSelector.matchLabels | Select APIs based on label matching: Equality-Based Requirements. | No |
| apiSelector.matchExpressions | Select APIs based on advanced label expressions: Set-Based Requirements. | No |
| apiCollections | Select API Collections based on names. | No |
| apiCollectionSelector.matchLabels | Select API Collections based on label matching: Equality-Based Requirements. | No |
| apiCollectionSelector.matchExpressions | Select API Collections based on advanced label expressions: Set-Based Requirements. | No |


By default, when an API is granted to a group of users, all of its operations become accessible. If you only want to expose a specific subset of operations, you can utilize the operationFilter.
This feature enables you to selectively grant access to a defined set of operations, as specified in the API, through the use of operationSets definitions.
This provides fine-grained control over API exposure, allowing you to precisely manage which operations are accessible.


When you configure an operationFilter on an APIAccess, it is effective for all the APIs selected by this APIAccess.

To expose APIs in their entirety and APIs with selected operations, you must use two APIAccess objects.
One is for publishing the whole API, and one is for the operation sets/filters.
This way, both the whole APIs and the selected operations will be available to the user as intended.

If an operation-filtering APIAccess and a non-granular APIAccess overlap, the non-granular one takes precedence and grants access to all operations of that API.
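
An added example (not part of the original documentation or the product's tooling): a Python check that lists every group and API where an operation-filtered APIAccess overlaps a non-granular one, so the filter has no effect. The manifests are constructed samples; the nesting of fields under spec, the operationSet name read-only, and treating apis names and apiSelector matches as a union are assumptions.

```python
# Constructed sample data (not from the page). Nesting under "spec" and the
# union of apis[].name with apiSelector matches are assumptions.
APIS = {"customer-api": {"area": "customers"},   # API name -> labels
        "billing-api": {"area": "billing"}}
ACCESSES = [
    {"name": "customer-support", "spec": {
        "groups": ["support"],
        "apiSelector": {"matchLabels": {"area": "customers"}}}},
    {"name": "support-read-only", "spec": {
        "groups": ["support"], "apis": [{"name": "customer-api"}],
        "operationFilter": {"include": ["read-only"]}}},
    {"name": "partner-billing", "spec": {
        "groups": ["partners"], "apis": [{"name": "billing-api"}],
        "operationFilter": {"include": ["read-only"]}}},
]

def expr_ok(labels, e):
    """Evaluate one set-based requirement against an API's labels."""
    key, op, vals = e["key"], e["operator"], e.get("values", [])
    if op == "In":
        return labels.get(key) in vals
    if op == "NotIn":
        return labels.get(key) not in vals
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")

def selected_apis(spec, apis):
    """Names of the APIs an APIAccess spec selects."""
    names = {a["name"] for a in spec.get("apis", [])} & set(apis)
    sel = spec.get("apiSelector") or {}
    for name, labels in (apis.items() if sel else ()):
        eq = all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())
        if eq and all(expr_ok(labels, e) for e in sel.get("matchExpressions", [])):
            names.add(name)
    return names

def overridden_filters(accesses, apis):
    """(group, api, filtered access, non-granular access) for every overlap."""
    full, filtered = {}, {}
    for a in accesses:
        bucket = filtered if a["spec"].get("operationFilter") else full
        for group in a["spec"].get("groups", []):
            for api in selected_apis(a["spec"], apis):
                bucket.setdefault((group, api), []).append(a["name"])
    return sorted((g, api, f, n) for (g, api), fs in filtered.items()
                  for f in fs for n in full.get((g, api), []))
```

Each returned tuple names a filter that is silently overridden; narrowing the non-granular selector so the two objects no longer select the same API for the same group restores the restriction.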


All examples below show how to give users from the support group credentials to APIs.

kind: APIAccess
metadata:
  name: customer-support
spec:
  groups:
    - support
  apiSelector:
    matchLabels: { area: customers }  # label carried by the selected APIs

Selector Examples

// no apiSelector

Read More

For more information, please refer to detailed documentation about Label selectors.