Dev Portal access and authentication settings

Uses: Dev Portal

The Dev Portal security settings allow for visibility and access control around developers accessing your Dev Portal. To configure these settings, navigate to Dev Portal in the Konnect UI, click a Dev Portal, and then click Settings in the sidebar.

To adjust security settings for Dev Portal admins and users, see Konnect organization settings.

Default visibility

The specified default visibility is applied to new APIs and pages when they are created. You can change it for an individual item when you publish it.

  • Private: A registered and approved developer must be logged in to view the asset
  • Public: Visible to anonymous users browsing the Dev Portal

Changing the default visibility only affects new APIs or pages. It does not retroactively change the visibility of existing APIs or pages.

User authentication

Enabling user authentication will allow anonymous users browsing the Dev Portal to register for a developer account.

User authentication must be enabled to configure any further settings related to identity providers, RBAC, developer & application registration, or specifying application auth strategies and API keys.

Identity providers

Identity providers (IdPs) manage authentication of developers signing into the Dev Portal. Konnect’s built-in authentication provider is used by default. This option generates API keys for developers.

OIDC or SAML providers can be configured as integrated IdPs.

Learn more about configuring IdPs in Self-service developer & application registration.

Developer and application approvals

v3.6+ An API must be linked to a Konnect Gateway Service to be able to restrict access to your API with authentication strategies.

Registration of developer accounts and creation of applications both require approval by Dev Portal admins by default. These approvals are managed in Access and Approvals.

Auto approve developers

The following explains the behavior when auto-approval for developers is configured:

  • Enabled: Anyone can sign up for a developer account without any further approval process.
  • Disabled: Dev Portal admins have to approve any new sign up in Access and Approvals.

Auto approve applications

The following explains the behavior when auto-approval for applications is configured:

  • Enabled: When any approved developer creates an Application, it will be automatically approved and created.
    • Once an application is approved, the developer will be able to use it to create API Keys.
  • Disabled: Dev Portal admins have to approve any new Applications in Access and Approvals before a developer can create API Keys.

Dev Portal role-based access control

When RBAC is enabled for a Dev Portal, the option to configure API access policies for developers will be available when publishing the API to a portal. Otherwise, any logged-in developer can see any published API that is set to Visibility: public.

Authentication strategy and creating API keys

v3.6+ An API must be linked to a Konnect Gateway Service to be able to restrict access to your API with authentication strategies.

Authentication strategies determine how published APIs are authenticated, and how developers create API Keys.

Authentication strategies automatically configure the Konnect Gateway Service by enabling the Konnect Application Auth (KAA) plugin on the Gateway Service linked to the API. The KAA plugin can only be configured from the associated Dev Portal and not from API Gateway.

Default application authentication strategy

Determines the default authentication strategy applied to an API as it is published to a portal. Changing this default will not retroactively change any previously published APIs.

To create a new application authentication strategy, see Application Auth.

The authentication strategy only affects the hosted Service. It does not affect whether developers browsing the Dev Portal can view APIs. To change visibility of APIs in the Dev Portal, see Default Visibility and Role-Based Access Control.

Specify IP addresses that can connect to your Dev Portal

You can specify an IP address or a range of IP addresses that are allowed to connect to a Dev Portal through its supported interfaces. This includes the UI, the Konnect APIs, and Terraform. This does not restrict who can access the Dev Portal settings, configuration, and Portal Editor in Konnect.

This IP allow list applies to all Dev Portal communication that goes through the Admin API.

Important:

  • Any IP addresses that aren’t allow listed won’t be able to access the Dev Portal, including your own.
  • If you’re configuring an IP allow list for the first time, it will take effect in up to a minute. If you’re editing existing IP allow list values, the changes will take effect after several minutes.
  • Konnect favors IPv6 over IPv4. If your network has dual stack support (supports IPv4 and IPv6), we recommend configuring the IP address that your network actually uses. If you aren’t sure, or your network path isn’t explicitly controlled by you, it’s best to enter both.
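
A pre-flight check for the lockout and dual-stack points above, as an added example that is not part of the Kong documentation. It assumes allow list entries are single addresses or CIDR ranges; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_allow_list(entries):
    """Parse single addresses or CIDR ranges; ValueError on a malformed entry."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def preflight(allow_list, egress_ips):
    """Report what would be locked out if allow_list were applied as-is."""
    networks = parse_allow_list(allow_list)
    uncovered = []
    for raw in egress_ips:
        addr = ipaddress.ip_address(raw.strip())
        # An address can only match a network of its own IP version.
        if not any(addr.version == n.version and addr in n for n in networks):
            uncovered.append(str(addr))
    # A list with entries for only one IP family blocks clients whose
    # traffic arrives over the other family (the dual-stack case).
    present = {n.version for n in networks}
    missing_families = [v for v in (4, 6) if v not in present]
    return {"uncovered": uncovered, "missing_families": missing_families}

# Constructed sample data (documentation address ranges, not real hosts).
PROPOSED = ["203.0.113.0/24", "198.51.100.17"]
MY_EGRESS = ["203.0.113.25", "2001:db8:10::5"]

if __name__ == "__main__":
    report = preflight(PROPOSED, MY_EGRESS)
    for ip in report["uncovered"]:
        print(f"LOCKOUT: {ip} is not in the proposed allow list")
    for v in report["missing_families"]:
        print(f"WARNING: no IPv{v} entry; clients arriving over IPv{v} will be blocked")
```

Run it with the addresses your own network presents on both IPv4 and IPv6 before saving the allow list, and again after any change to your egress path.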

To configure an IP allow list for a Dev Portal, do one of the following:
