Expertflow CX uses Apache APISIX as the solution's Application Gateway. The API Gateway gets user permissions from the IAM (Keycloak) for authentication. The CX Ingress Controller forwards incoming traffic to the Application Gateway, which integrates with the IAM via the OpenID Connect (OIDC) plugin to intercept these requests.
The Application Gateway is set up to:
- check for the required authentication token in the request header automatically
- reject unauthenticated or improperly tokenized requests with a 401 status code
- ensure only successfully validated requests proceed to the CX Services
This strategy centralizes the authentication layer, offloading this critical security task from backend services and allowing for full utilization of APISIX's feature set.
CX Secured Components
The following components are secured with APISIX:
- Agent Manager
- Bot framework
- Customer Channel Manager
- Cim Customer
- Conversation Manager
- Conversation Monitor
- License Manager
- Routing Engine
- Team Announcement
- File Engine
- Unified Admin (This is only valid for CX-4.9.5 version)
The following APIs, although they belong to secured components, are unauthenticated:
POST /agent-manager/agent/login
GET /agent-manager/socket.io/
POST /agent-manager/agent/refresh-token
POST /agent-manager/agent/send-sms-otp
POST /agent-manager/agent/register-phone
POST /agent-manager/agent/validate-otp
GET /ccm/widget-configs/{{WidgetIdentifier}}
GET /ccm/agents/{{}}
GET /ccm/channels/service-identifier/{{serviceIdentifier}}
POST /unified-admin/forms/getAllFormTitles (This is only valid for CX-4.9.5 version)
POST /unified-admin/forms/{{formID}} (This is only valid for CX-4.9.5 version)
POST /unified-admin/keycloakLogin (all routes) (This is only valid for CX-4.9.5 version)
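To verify a deployment against this list, the added example below (not Expertflow's own code) audits the status codes of requests sent without a token: anything outside the list must return 401, and listed routes must not. It assumes each `{{...}}` placeholder is a single path segment; the probe results are constructed, `/ccm/channels` is a hypothetical protected path, and the unified-admin entries apply to CX-4.9.5 only.

```python
import re

# From the list above; "*" marks the page's "(all routes)" entry.
PUBLIC_APIS = [
    "POST /agent-manager/agent/login",
    "GET /agent-manager/socket.io/",
    "POST /agent-manager/agent/refresh-token",
    "POST /agent-manager/agent/send-sms-otp",
    "POST /agent-manager/agent/register-phone",
    "POST /agent-manager/agent/validate-otp",
    "GET /ccm/widget-configs/{{WidgetIdentifier}}",
    "GET /ccm/agents/{{}}",
    "GET /ccm/channels/service-identifier/{{serviceIdentifier}}",
    "POST /unified-admin/forms/getAllFormTitles",
    "POST /unified-admin/forms/{{formID}}",
    "POST /unified-admin/keycloakLogin*",
]

def compile_entry(entry):
    method, template = entry.split(" ", 1)
    tail = "(/.*)?" if template.endswith("*") else ""
    parts = re.split(r"\{\{.*?\}\}", template.rstrip("*"))
    # Assumption: each {{...}} placeholder stands for exactly one path segment.
    body = "[^/]+".join(re.escape(p) for p in parts)
    return method, re.compile("^" + body + tail + "$")

RULES = [compile_entry(e) for e in PUBLIC_APIS]

def is_public(method, path):
    path = path.split("?", 1)[0]  # query strings do not affect route matching
    return any(m == method.upper() and rx.match(path) for m, rx in RULES)

def audit(probes):
    """probes: (method, path, status) for requests sent WITHOUT a token."""
    findings = []
    for method, path, status in probes:
        public = is_public(method, path)
        if not public and status != 401:
            findings.append((method, path, "protected route answered without a token"))
        elif public and status == 401:
            findings.append((method, path, "documented public route demands a token"))
    return findings

# Constructed probe results; /ccm/channels is a hypothetical protected path.
SAMPLE_PROBES = [
    ("POST", "/agent-manager/agent/login", 200),
    ("GET", "/ccm/channels", 401),
    ("DELETE", "/ccm/agents/a1", 200),
    ("GET", "/ccm/widget-configs/w1/extra", 200),
]
```

Running `audit(SAMPLE_PROBES)` flags the last two probes: a method that is not on the list and a path that extends past the documented template.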
Documents for APISIX configurations:
- Document to configure the Authentication Token lifespan in Keycloak
- API authentication integration guide for third-party components
Any third party using CX APIs from the secured components listed above must follow the API Authentication Integration Guide for third-party components before directly invoking the APIs.