Create API Authentication

TL;DR

Define a KonnectAPIAuthConfiguration to provide credentials and a KonnectExtension to connect your cluster to a Konnect Control Plane.

Prerequisites

This page is part of the Get Started with the Kong Gateway Operator series.

Complete the previous page, Install Kong Operator, before completing this page.

Create a KonnectAPIAuthConfiguration object

KonnectAPIAuthConfiguration serves as the container for the authentication credentials required to connect your Kubernetes cluster to Konnect.

It can store either:

  • A Personal Access Token
  • A System Account Access Token

Depending on your preferences, you can either:

  • Create a KonnectAPIAuthConfiguration object with the token specified directly in the spec and use RBAC to restrict access to its type.
  • Use a Kubernetes Secret of type Opaque and reference it from the KonnectAPIAuthConfiguration object. The token must be stored in the Secret's token data field.

The serverURL should be set to the Konnect API URL for the region where your account is located.

Using a token in KonnectAPIAuthConfiguration

echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: kong
spec:
  type: token
  token: "'$KONNECT_TOKEN'"
  serverURL: us.api.konghq.com
' | kubectl apply -f -

Using a Secret reference

echo 'apiVersion: v1
kind: Secret
metadata:
  name: konnect-api-auth-secret
  namespace: kong
  labels:
    konghq.com/credential: konnect
    konghq.com/secret: "true"
stringData:
  token: "'$KONNECT_TOKEN'"' | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: kong
spec:
  type: secretRef
  secretRef:
    name: konnect-api-auth-secret
  serverURL: us.api.konghq.com
' | kubectl apply -f -

Validate

Run the following command to verify that the authentication configuration was created successfully:

kubectl get konnectapiauthconfiguration konnect-api-auth -n kong

You should see output similar to the following:

NAME               VALID   ORGID                                  SERVERURL
konnect-api-auth   True    5ca26716-02f7-4430-9117-1d1a7a2695e7   https://us.api.konghq.com

If you prefer to work with status conditions programmatically, you can also run:

kubectl get konnectapiauthconfiguration konnect-api-auth -n kong -o jsonpath="{.status.conditions[?(@.type=='APIAuthValid')]}"

Which should yield the following:

{"lastTransitionTime":"2025-10-16T11:46:28Z","message":"Token is valid","observedGeneration":1,"reason":"Valid","status":"True","type":"APIAuthValid"}
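
Which object holds the token (the KonnectAPIAuthConfiguration itself or the referenced Secret) decides which RBAC rule protects it. The following script is an added example, not part of the Kong docs: it finds the token-holding resource and checks whether given subjects can read it. It assumes the CRD's plural name is konnectapiauthconfigurations and that the caller is allowed to impersonate the subjects it checks.

```shell
#!/usr/bin/env bash
# Added example, not from the Kong docs. Object names are the ones this page uses.
# Assumption: the CRD's plural resource name is "konnectapiauthconfigurations".
CRD=konnectapiauthconfigurations.konnect.konghq.com

# Print the resource that actually holds the token:
#   spec.type=token     -> the KonnectAPIAuthConfiguration itself
#   spec.type=secretRef -> the referenced Secret
token_holder() {
  local name="$1" ns="$2" type ref
  type=$(kubectl get "$CRD" "$name" -n "$ns" -o jsonpath='{.spec.type}') || return 2
  case "$type" in
    token) echo "$CRD/$name" ;;
    secretRef)
      ref=$(kubectl get "$CRD" "$name" -n "$ns" \
        -o jsonpath='{.spec.secretRef.name}') || return 2
      echo "secrets/$ref" ;;
    *) echo "unexpected spec.type: '$type'" >&2; return 2 ;;
  esac
}

# Return 0 if SUBJECT may `get` the token-holding resource, 1 if not, 2 on error.
subject_can_read_token() {
  local name="$1" ns="$2" subject="$3" holder answer
  holder=$(token_holder "$name" "$ns") || return 2
  # `kubectl auth can-i` prints yes/no; --as impersonates the subject.
  answer=$(kubectl auth can-i get "$holder" -n "$ns" --as "$subject" 2>/dev/null) || true
  [ "$answer" = "yes" ]
}

# Report every listed subject that can read the token; return 1 if any can.
audit_token_readers() {
  local name="$1" ns="$2" bad=0 subject
  shift 2
  for subject in "$@"; do
    if subject_can_read_token "$name" "$ns" "$subject"; then
      echo "EXPOSED: $subject can read $(token_holder "$name" "$ns") in $ns"
      bad=1
    fi
  done
  return "$bad"
}

# Example: ./audit.sh system:serviceaccount:default:default
if [ "$#" -gt 0 ]; then audit_token_readers konnect-api-auth kong "$@"; fi
```

List the service accounts and users that should not see the Konnect token as arguments; a non-zero exit status means at least one of them can read it.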