
AuthZEN: Standards-based API authorisation for API gateways

Blog post from Tyk

Post Details
Company: Tyk
Author: Jennifer Craig
Word Count: 1,374
Language: English
Summary

AuthZEN offers a standardized approach to API authorization, aiming to address the challenges of deep API authorization and the risks associated with tightly coupling access control within API gateways. Traditionally, API gateways have handled authentication, authorization, and traffic management, but deeper authorization often required custom implementations, leading to inconsistencies and operational overhead. AuthZEN decouples policy decision points (PDPs) from policy enforcement points (PEPs), enabling API gateways to enforce authorization while integrating with multiple PDPs, thus enhancing interoperability and reducing the need for bespoke solutions. This framework supports medium-grained authorization, typically managed at the gateway level, which reduces backend load and prevents unauthorized requests from reaching microservices, ensuring consistent security policies across APIs. AuthZEN's standardization simplifies policy enforcement and governance, transforming the "N * M" problem of custom integrations into an "N + M" solution by defining a common API for PEPs to interact with PDPs. The AuthZEN plugin for Tyk API Gateway exemplifies this approach, allowing seamless communication with various PDPs and ensuring consistent access control, thereby improving security governance and reducing development complexity.
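The PEP/PDP split described above, as an added Python example that is not Tyk's plugin code nor any AuthZEN implementation: a gateway-side PEP maps an incoming HTTP request to an AuthZEN-style evaluation request and sends it to interchangeable PDPs, so one enforcement point serves many decision points (the "N + M" shape). The request and response field layout (subject, resource, action, context; a boolean `decision`) is assumed from the AuthZEN evaluation API; the two PDPs and the ownership table are constructed stand-ins.

```python
from typing import Callable, Dict, Iterable

AuthzenRequest = Dict[str, dict]
# A PDP is modelled as a callable standing in for the HTTP evaluation endpoint.
Pdp = Callable[[AuthzenRequest], dict]


def build_evaluation_request(user_id: str, roles: Iterable[str],
                             method: str, path: str) -> AuthzenRequest:
    """Map an HTTP request seen at the gateway to an AuthZEN evaluation request.

    "/orders/42" becomes resource {"type": "orders", "id": "42"} and the HTTP
    method becomes the action name (assumed field layout, see lead-in).
    """
    parts = [p for p in path.split("/") if p]
    resource = {"type": parts[0] if parts else "",
                "id": parts[1] if len(parts) > 1 else ""}
    return {
        "subject": {"type": "user", "id": user_id,
                    "properties": {"roles": sorted(roles)}},
        "resource": resource,
        "action": {"name": method.upper()},
        "context": {"path": path},
    }


def rbac_pdp(req: AuthzenRequest) -> dict:
    """Constructed PDP #1: admins may do anything, everyone else may only read."""
    roles = req["subject"].get("properties", {}).get("roles", [])
    return {"decision": "admin" in roles or req["action"]["name"] in ("GET", "HEAD")}


def owner_pdp(req: AuthzenRequest) -> dict:
    """Constructed PDP #2: orders are readable by anyone, writable only by their owner."""
    owners = {"42": "alice", "7": "bob"}            # constructed ownership table
    if req["resource"]["type"] != "orders":
        return {"decision": False}                   # outside this PDP's scope: deny
    if req["action"]["name"] in ("GET", "HEAD"):
        return {"decision": True}
    return {"decision": owners.get(req["resource"]["id"]) == req["subject"]["id"]}


def enforce(pdp: Pdp, user_id: str, roles: Iterable[str], method: str, path: str) -> bool:
    """Gateway-side PEP: allow only on an explicit boolean True.

    A PDP error, a missing field or a non-boolean decision fails closed, so a
    misbehaving or unreachable PDP never lets a request through to the backend.
    """
    try:
        response = pdp(build_evaluation_request(user_id, roles, method, path))
    except Exception:
        return False
    return response.get("decision") is True
```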