---
title: Authentication for Authorize gateway endpoints
description: To enhance security for certain endpoints, the gateway instance can enforce client authentication using a shared secret.
component: pingone
page_id: pingone:integrations:p1_authenicate_authz_gateway_endpoints
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_authenicate_authz_gateway_endpoints.html
---

# Authentication for Authorize gateway endpoints

To enhance security for certain endpoints, the gateway instance can enforce client authentication using a shared secret.

Shared secrets are enforced per gateway instance and not shared between instances. To define a shared secret, use one of the available [configuration methods](p1_configure_authz_gateway_instance.html) to pass the authentication JSON object to your gateway instance.

Example `authentication` object:

```json
{
  "authentication": {
    "type": "sharedsecret",
    "keys": ["example-secret-key"]
  }
}
```

Configuration properties for the `authentication` object:

* `type`: A constant set to `sharedsecret`.

* `keys`: An array containing shared secrets as strings.

Secret keys must be at least 128 bits.

To avoid service interruptions, the gateway instance allows authenticated endpoints to accept multiple, distinct shared secrets at the same time. This allows time to update the gateway instance's configuration to use a new shared secret.

For example:

```json
{
  "authentication": {
    "type": "sharedsecret",
    "keys": ["example-secret", "example-secret-2"]
  }
}
```
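The rotation described above can be scripted. The following is an added example, not Ping Identity code. The helper names (`key_bits`, `validate`, `begin_rotation`, `finish_rotation`) are hypothetical, and it assumes key size is counted as 8 bits per byte of the secret string, which this page does not specify.

```python
import json
import secrets

MIN_KEY_BITS = 128  # minimum stated on this page


def key_bits(key: str) -> int:
    # Assumption: size is counted as 8 bits per UTF-8 byte of the string.
    return 8 * len(key.encode("utf-8"))


def validate(config: dict) -> list[str]:
    """Return the problems found in an `authentication` object."""
    auth = config.get("authentication", {})
    keys = auth.get("keys", [])
    problems = []
    if auth.get("type") != "sharedsecret":
        problems.append("type must be 'sharedsecret'")
    if not keys:
        problems.append("keys must contain at least one secret")
    if len(set(keys)) != len(keys):
        problems.append("keys must be distinct")
    for i, key in enumerate(keys):
        if key_bits(key) < MIN_KEY_BITS:
            problems.append(f"keys[{i}] is shorter than {MIN_KEY_BITS} bits")
    return problems


def begin_rotation(config: dict) -> tuple[dict, str]:
    """Add a fresh secret next to the existing ones (overlap window)."""
    new_key = secrets.token_hex(32)  # 256 random bits as 64 hex characters
    keys = config["authentication"]["keys"] + [new_key]
    return {"authentication": {"type": "sharedsecret", "keys": keys}}, new_key


def finish_rotation(config: dict, keep: str) -> dict:
    """Drop the old secrets once every client sends `keep`."""
    if keep not in config["authentication"]["keys"]:
        raise ValueError("secret to keep is not in the current configuration")
    return {"authentication": {"type": "sharedsecret", "keys": [keep]}}


if __name__ == "__main__":
    # Constructed starting configuration; the key is a sample value.
    current = {"authentication": {"type": "sharedsecret",
                                  "keys": ["constructed-old-secret-0001"]}}
    overlap, new_key = begin_rotation(current)
    print(json.dumps(overlap, indent=2))  # deploy, then move clients to new_key
    print(json.dumps(finish_rotation(overlap, new_key), indent=2))
```

Deploy the first printed object, switch every client to the new secret, then deploy the second object to retire the old one.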

After authentication is enabled, the gateway instance requires authentication for the following endpoints:

* `/api/authorize`

* `/actuator/state`

* `/actuator/metrics`

  * `/actuator/metrics/*`

Any request made to these endpoints must provide a configured shared secret in the `Authorization` header.

For example:

```bash
curl --location 'http://localhost:8080/api/authorize' \
  --header 'Authorization: Bearer example-secret' \
  --header 'Content-Type: application/json' \
  --data '
{
  "parameters": {
    "Amount": "990",
    "Account": "Basic checking",
    "Payment.consentId": "{{consentID}}"
  }
}'
```

If you have defined multiple shared secrets for secret rotation, the `Authorization` header can include any of these secrets.

Authentication is not supported for the following endpoints:

* `/actuator`

* `/actuator/health`

  * `/actuator/health/liveness`

  * `/actuator/health/readiness`
