Do I understand correctly that if I...
# ory-copilot
@chilly-king-10285 Do I understand correctly that if I want to use any API gateway (Envoy/Nginx/Traefik/etc.) with Kratos, Oathkeeper is a requirement that can utilize Kratos sessions for decision making?
A message from kapa.ai
Short answer: No, Ory Oathkeeper is not strictly required, but it's the supported, built-in way to use Kratos sessions for access decisions.

Details:

- Ory Oathkeeper can act as the reverse proxy (PEP) in front of your services or as a decision engine behind other API gateways (Envoy, Nginx, Traefik, AWS API Gateway, etc.) via its Access Control Decision API. This lets those gateways delegate authn/authz decisions to Oathkeeper while they remain the data plane. [[Oathkeeper intro](https://www.ory.sh/docs/oathkeeper); [Operating modes](https://www.ory.sh/docs/oathkeeper#operating-modes)]
- With Kratos, Oathkeeper provides first-class authenticators such as cookie_session and bearer_token that validate Kratos sessions (e.g., against /sessions/whoami) and then authorize/mutate requests accordingly. [[Zero Trust guide config](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#configuration); [WebSockets guide config](https://www.ory.sh/docs/oathkeeper/guides/proxy-websockets#configure-ory-oathkeeper-and-ory-kratos); [bearer_token](https://www.ory.sh/docs/oathkeeper/pipeline/authn#bearer_token)]
- If you prefer another proxy, you can integrate it by calling Oathkeeper's Decision API from that proxy (e.g., Traefik ForwardAuth) so that Oathkeeper still evaluates Kratos sessions and returns allow/deny plus headers. [[Traefik integration](https://www.ory.sh/docs/oathkeeper/guides/traefik-proxy-integration); [Access Control Decision API](https://www.ory.sh/docs/oathkeeper#operating-modes)]
- Kratos itself does not include API access control; you are advised to protect it with Oathkeeper or a comparable API gateway. However, using Kratos sessions for decisions without Oathkeeper would require you to implement the equivalent session checks and authorization logic in your chosen gateway or custom middleware. The docs do not provide a ready-made alternative to Oathkeeper for Kratos-session-based decisions. [[API access control](https://www.ory.sh/docs/self-hosted/operations/api-access-control); [Kratos install note](https://www.ory.sh/docs/kratos/install)]

So, Oathkeeper isn't a hard requirement for using an IAP, but it is the documented path to leverage Kratos sessions seamlessly, either as the proxy itself or as the decision service behind Envoy/Nginx/Traefik.
Can I use Nginx without Oathkeeper?

A message from kapa.ai
Short answer: Oathkeeper is not strictly required to run Kratos behind another API gateway, but it is the documented, supported way to use Kratos sessions for access decisions.

- Kratos' APIs have no built-in access control; you should protect them with Oathkeeper or a comparable API gateway. [[API access control](https://www.ory.sh/docs/self-hosted/operations/api-access-control); [Kratos install](https://www.ory.sh/docs/kratos/install)]
- Oathkeeper can act as the reverse proxy itself or as a decision service that other gateways call (Policy Decision Point) via its Access Control Decision API. This is how Envoy/Nginx/Traefik/etc. can delegate decisions to Oathkeeper. [[Oathkeeper intro](https://www.ory.sh/docs/oathkeeper); [Operating modes](https://www.ory.sh/docs/oathkeeper#operating-modes); [API spec decisions](https://raw.githubusercontent.com/ory/oathkeeper/master/spec/api.json)]
- With Kratos, Oathkeeper provides a first-class cookie_session authenticator that validates the Kratos session (via /sessions/whoami) and can then allow/deny and mutate requests (e.g., mint an ID token). [[Zero Trust config](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#configuration); [Session-to-JWT via Oathkeeper](https://www.ory.sh/docs/kratos/session-management/overview#use-ory-oathkeeper-to-convert-sessions-to-jwts)]
- If you prefer another gateway, you can keep that as the data plane and call Oathkeeper's decisions endpoint from it (e.g., Traefik ForwardAuth), so Oathkeeper still evaluates the Kratos session and returns allow/deny plus headers. [[Traefik integration](https://www.ory.sh/docs/oathkeeper/guides/traefik-proxy-integration); [Operating modes](https://www.ory.sh/docs/oathkeeper#operating-modes)]

Therefore: You can use Envoy/Nginx/Traefik without Oathkeeper, but to leverage Kratos sessions for centralized decisions, Oathkeeper is the recommended and documented component, either as the proxy or as the decision engine those gateways call. The docs don't provide an equivalent, out-of-the-box alternative for Kratos-session evaluation without Oathkeeper. [[API access control](https://www.ory.sh/docs/self-hosted/operations/api-access-control); [Oathkeeper intro](https://www.ory.sh/docs/oathkeeper)]
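The replies above say that running Nginx without Oathkeeper means implementing the equivalent Kratos session check yourself in the gateway. The Go program below is an added example, not code from this thread, from Ory, or from Oathkeeper: it is the minimal forward-auth endpoint that Nginx `auth_request` or Traefik ForwardAuth would call. It forwards only the client's Cookie and Authorization headers to Kratos `/sessions/whoami`, fails closed on anything but an active session, and hands the gateway an identity header. The Kratos base URL, the `X-User-Id` header name, and the in-process fake Kratos server (which accepts only the constructed cookie `ory_kratos_session=good`) are assumptions made so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// whoamiSession models the subset of the Kratos /sessions/whoami JSON that a
// gateway needs for a decision; the real object carries many more fields.
type whoamiSession struct {
	Active   bool `json:"active"`
	Identity struct {
		ID string `json:"id"`
	} `json:"identity"`
}

// SessionChecker is a forward-auth endpoint (the role Oathkeeper's
// cookie_session authenticator plays). The gateway sends it a subrequest with
// the client's headers; it answers 200 + identity header to allow, 401 to deny,
// 502 when Kratos cannot be reached. KratosPublicURL is the Kratos public API
// base (assumed, e.g. http://kratos:4433).
type SessionChecker struct {
	KratosPublicURL string
	Client          *http.Client
}

func (s *SessionChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	cookie, authz := r.Header.Get("Cookie"), r.Header.Get("Authorization")
	if cookie == "" && authz == "" {
		http.Error(w, "no session credential", http.StatusUnauthorized)
		return
	}
	req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, s.KratosPublicURL+"/sessions/whoami", nil)
	if err != nil {
		http.Error(w, "bad kratos url", http.StatusBadGateway)
		return
	}
	// Forward only the credential headers, never the whole client request.
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	req.Header.Set("Accept", "application/json")
	resp, err := s.Client.Do(req)
	if err != nil {
		http.Error(w, "kratos unreachable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // Kratos returns 401 for missing/expired sessions
		http.Error(w, "invalid session", http.StatusUnauthorized)
		return
	}
	var sess whoamiSession
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&sess); err != nil ||
		!sess.Active || sess.Identity.ID == "" {
		http.Error(w, "invalid session", http.StatusUnauthorized) // fail closed
		return
	}
	// Set by the decision service; the gateway must copy this and overwrite any
	// client-supplied X-User-Id so it cannot be spoofed from outside.
	w.Header().Set("X-User-Id", sess.Identity.ID)
	w.WriteHeader(http.StatusOK)
}

// NewChecker wires a SessionChecker to a Kratos base URL with a bounded timeout.
func NewChecker(kratosURL string) *SessionChecker {
	return &SessionChecker{KratosPublicURL: kratosURL, Client: &http.Client{Timeout: 3 * time.Second}}
}

// newFakeKratos is a constructed stand-in for the Kratos public API (assumption):
// only cookie ory_kratos_session=good yields an active session, else 401.
func newFakeKratos() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("ory_kratos_session"); r.URL.Path == "/sessions/whoami" && err == nil && c.Value == "good" {
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"id":"sess-1","active":true,"identity":{"id":"id-123"}}`)
			return
		}
		http.Error(w, `{"error":{"code":401}}`, http.StatusUnauthorized)
	}))
}

// Decide simulates one auth_request subrequest and returns the decision status
// plus the X-User-Id header the gateway would propagate upstream.
func Decide(checker http.Handler, cookie string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/auth", nil)
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	rec := httptest.NewRecorder()
	checker.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-User-Id")
}

func main() {
	kratos := newFakeKratos()
	defer kratos.Close()
	checker := NewChecker(kratos.URL)
	for _, c := range []string{"", "ory_kratos_session=bad", "ory_kratos_session=good"} {
		code, uid := Decide(checker, c)
		fmt.Printf("cookie=%q -> %d user=%q\n", c, code, uid)
	}
}
```

On the Nginx side this pairs with `auth_request /auth;`, `auth_request_set $uid $upstream_http_x_user_id;` and `proxy_set_header X-User-Id $uid;` on the protected location, with the checker bound to an internal listener only. Note what this does not give you compared with Oathkeeper: no access-rule matching per URL/method, no mutators (e.g., session-to-JWT), and no shared Decision API for other gateways; those are the parts you would be rebuilding yourself.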