Authentication based on upstream routes

Hey everyone,

New to kong, so apologize if this is a noob question. I’m evaluating Kong as a possible solution for my company, and one feature we want out of this is to be able to manage our upstream service’s authentication based on the upstream route. This allows us to manage granular authentication for all of our services just using kong which is valuable for us since we have so many services that all need granular permissions BY ROUTE.

For example:

Say I have an upstream service with an upstream route like and another at We’d like to be able to restrict access for consumers based on these upstream routes. Like consumer1 should only be able to access the /resource1 route of the someapi service.

I initially hoped that I could solve this by mapping kong’s routes one-to-one with my upstream routes with a prefix for each service: like externally we would hit kong.domain/someapi/health and that would proxy to Currently I cant see a way to do that, so I’m hoping that someone might know if this is possible at all?


Take a look at the ACL plugin.
You can group your upstreams and grant access to a consumer to certain groups only.