Skip to main content

Identity Providers

This page explains how to manage access to API Portals and how to control API and API Gateway access.


Traefik Hub uses Identity Providers (IdPs) to manage user identities and to authorize access to API Portals.

In conjunction, API keys or JSON Web Tokens (JWT) are used to control the access to APIs and API Gateways.

In Traefik Hub, an IdP serves as the foundation for user authentication, while API keys or JWTs play a key role in authorizing users to access APIs.


An identity provider (IdP) is a centralized system or service responsible for verifying users’ identities.
You can use Traefik Hub to manage your users and groups (internal IdP), or you can use an external IdP, such as Keycloak or Okta.


All user management is done through the internal IdP.

Traefik Hub will manage all users, groups, and tokens. This is the default configuration.


Traefik Hub supports Keycloak and Okta.

When using an external IdP all user management is done via this IdP, Traefik Hub will only sync the user and groups into its own database.

It is not possible to create, for example, a new user or user group in Traefik Hub.

Consuming APIs

To consume APIs, a user needs to be part of a user group. Groups are a means of categorizing users.
This allows for granting permissions to APIs for specific groups.

When a user is a member of multiple groups, the user will inherit the permission level of the group with the most access.

For more info, please refer to the APIAccess CRD and the documentation about user management.

Further, access to APIs and API Gateways is controlled by API keys or JWTs.


If you switch from the default configuration to JWT, all API keys generated in the API Portal will be turned off.