Skip to main content

Managed Applications

Traefik Hub Managed Applications bring full GitOps workflow to application registration and credential management.

Traditionally, API consumers first needed to sign in to the API Portal and carry out several manual steps before their application could call the Gateway.

With Managed Applications the publisher declares the consumer’s application as a Kubernetes CRD and links it to a Managed Subscription. No portal login or other action is required from the consumer—the entire registration and credential lifecycle is handled on their behalf.

Key Concepts

TermDescription
ApplicationLogical consumer (mobile app, backend, partner system). Identified by an App ID issued by your IdP.
ManagedApplicationDefines and manages application identities, ownership, and authentication credentials through GitOps workflows.
Self-Service ApplicationAn Application created by a developer via the portal. Managed Applications provide the GitOps alternative.
Managed SubscriptionGrants runtime access to APIs only to the ManagedApplications it references.
Self-Service SubscriptionAllows API consumers to subscribe their Applications to APIs—or entire API Bundles—directly from the API Portal.

How It Works

  • The Hub Agent syncs the Managed Application + hashed Secret to the platform.
  • During request-time Hub API Management matches the appId in the Managed Application and the ManagedSubscription rules.
  • Both the API key AND the application's subscription must be valid for the request to proceed. This zero-trust approach ensures API keys cannot be shared between applications.
  • If everything lines up, the call proceeds and the APIPlan quotas/rate-limits are enforced.

How to Use Managed Applications

Define a ManagedApplication resource:

apiVersion: hub.traefik.io/v1alpha1
kind: ManagedApplication
metadata:
  name: weather-mobile
  namespace: apps
spec:
  appId: weather-mobile           # must match IdP client ID
  owner: 67f67907ee260b44336a952e # Hub user UUID (sub/externalID)
  notes: "For IOS & Android clients"
  apiKeys:
    - secretName: weather-mobile-key
      title: mobile-key
API Key Storage Options

The examples above demonstrate three different approaches for managing API keys:

Secret with data field: Uses base64-encoded values. The data field requires you to base64-encode the SHAKE-256 hash. This approach provides an extra layer of encoding but requires additional steps during key generation.

Secret with stringData field: Stores the raw SHAKE-256 hash directly without base64 encoding. Kubernetes automatically handles the base64 encoding when storing the secret. This approach is simpler and reduces the chance of encoding errors.

Inline value: Embeds the raw SHAKE-256 hash directly in the ManagedApplication resource. This approach eliminates the need for a separate Secret resource.

Choose the approach that best fits your security policies and operational preferences. The stringData approach typically offers the best balance of simplicity and security for most use cases.

Link that application to an API via ManagedSubscription:

apiVersion: hub.traefik.io/v1alpha1
kind: ManagedSubscription
metadata:
  name: weather-mobile-sub
  namespace: apps
spec:
  managedApplications:
    - name: weather-mobile
  apis:
    - name: weather-api
  apiPlan:
    name: standard-plan

Configuration Options

FieldRequiredDescription
appIdYesUnique identifier for an application.
ownerYesHub user identifier of the application owner: use the OIDC sub, an external IdP externalID, or the long user ID visible in the Hub dashboard URL when you are using the built‑in Hub IdP.
notesNoFree-form notes for operators.
apiKeys[]NoDefines the API keys for the application. Up to 100 keyed items.
apiKeys[].titleNoHuman-readable key label shown in metrics.
apiKeys[].secretNameNo (One of secretName or value)Name of an Opaque Secret whose data.key field stores the SHAKE-256 hash of the raw key.
apiKeys[].valueNo (One of secretName or value)SHAKE-256 hash inline (max 4096 chars).
apiKeys[].suspendedNoSet true to disable this key without deleting.
Mutual exclusivity

Provide either secretName or value in each apiKeys[] item and not both.

When to Use Managed Applications

  • Your organisation is fully GitOps and developers should not touch the portal.
  • App IDs already exist in your IdP (OIDC client IDs, external IDs) and must be recognised by the Gateway before a human ever logs in.
  • You want publishers (cluster admins / platform engineers) to issue or rotate API keys on behalf of consumers.
info
  • Duplicate App ID: If a Self-Service and Managed Application share the same App ID, the ManagedApplication version wins.
  • Static Analyzer: The Hub Static Analyzer warns whenever more than one ManagedApplication in the same namespace defines the same appId. When this occurs, Hub keeps only the ManagedApplication whose resource name comes first in alphabetical order and disregards the others.
Zero-Trust Security Model

API keys are bound to specific ManagedApplication resources and their subscriptions.

If you reuse the same API key across multiple ManagedApplication resources, each application must have its own valid ManagedSubscription to access an API. An application without a subscription will receive a 403 Forbidden response, even if another application using the same key has valid access.

This design prevents unauthorized access and ensures that API permissions are explicitly granted on a per-application basis, rather than relying solely on key possession.

Managed Application Experience in the API Portal

The API Portal provides an interface for viewing managed applications. This allows you to see all applications and access their details.

Managed Applications in the API Portal

Related Content