Skip to content


This page explains how to manage access to API Portals and how to control API and API Gateway access.


Traefik Hub uses Identity Providers (IdPs) to manage user identities and to authorize access to API Portals.

In conjunction, API keys or JSON Web Tokens (JWT) are used to control the access to APIs and API Gateways.

In Traefik Hub, an IdP serves as the foundation for user authentication, while API keys or JWTs play a key role in authorizing users to access APIs.


An identity provider (IdP) is a centralized system or service responsible for verifying users’ identities.
You can use Traefik Hub to manage your users and groups (internal IdP), or you can use an external IdP, such as Keycloak or Okta.


All user management is done through the internal IdP.

Traefik Hub will manage all users, groups, and tokens. This is the default configuration.


Traefik Hub supports Keycloak and Okta.

Consuming APIs

To consume APIs, a user needs to be part of a user group. Groups are a means of categorizing users.
This allows for granting permissions to APIs for specific groups.

When a user is a member of multiple groups, the user will inherit the permission level of the group with the most access.

For more info, please check the APIAccess CRD and our tutorial about user management.

Further, access to APIs and API Gateways is controlled by API keys or JWTs.

If you switch from the default configuration to JWT, all API keys generated in the API Portal will be turned off.

What's next